This security hole has been plugged. See my for details. Update: next post There was a false-alarm report that this problem returned. Read about it . Update update: here (or PUBG for short) is a new, extremely popular video game. It focuses around “battle royale” gameplay, pitting up to 100 players against each other in a fight to be the last one standing. PlayerUnknown’s Battlegrounds The game and its developer (Bluehole) are very ambitious, and have been with PUBG. Despite the game not yet being officially “released”, it has topped two million concurrent players, made tens of millions of dollars, and has a burgeoning . This sort of exposure and success comes with certain expectations — performance, stability, visuals, AAA-competitive marketing, etc — which have not always been met. This article is not about them; it’s about . wildly successful e-Sports presence security First, let’s look at the very basics of the problem. What is it, how big of a deal is it, and what does it mean to you? Bottom Line, Up Front The PUBG main menu is a webpage loaded remotely in an unsecured HTTP connection, making it vulnerable to cross-site scripting (XSS) via a man-in-the-middle (MITM) attack, or other ways to mess up HTTP requests. This means very easy and credible phishing, spying on user behavior, plus other possible attack angles. The PUBG loading screen and the various user interface elements in its main menu are not technically part of the game you (a player) “install”. When you launch the game, they are fetched from an official server and rendered on top of the actual game (the 3D model of your character standing around). This rendering is done via a transparent “browser” that treats them as if they were an actual webpage. Again, in English this time… The blue arrows are pointing to UI elements that are actually a “webpage” The connection through which these elements are loaded is . That means that, while the data is moving from the PUBG server to your computer, it can be intercepted and modified. In other words, someone operating any part of the connection between you and the PUBG server could manipulate the data and , or make the main menu do things it normally would not — for example, report what in-game items you own to a third party. not secure change what you see in your main menu It is indeed serious. Normally I would not make such a big deal over a bug in an “early access” game, but as I mentioned earlier, . Early access or not, this bug impacts the security of tens of millions of people. I have already reported the bug with Bluehole’s support and their more than two weeks ago. As it was not fixed expeditiously, and is a serious issue, I feel it is my responsibility to inform the community of the risk. That sounds serious. Why are you making this public? PUBG is itself a big deal forums For a hacker to take advantage of this vulnerability, they need to either have malware already on your computer (in which case you have bigger problems) or they need to be a “middle-man” in between you and PUBG. That means that, if you are doing any of these things, you are at risk: What is the actual danger to players? Playing via a public unsecured wireless connection (e.g. at a Starbucks) Playing using a wired or wireless network set up by someone whose quality of IT you might not trust (e.g. a university network, or Xfinity) Playing via wireless network, given the about WiFi security any recent revelations If a hacker does manage to take advantage of this, they can at the very least modify what you see on your screen, easily making it look like an official part of PUBG. I even went ahead and created a proof of concept. After seeing the animated Bluehole splash screen and the game music starts, you could be confronted with this: Looks very official, right? It’s completely fake, and delivered from a server completely unrelated to PUBG or Bluehole, and could send me your login details if you input them (it does not, though). It is also possible there are far more nefarious things for the hacker to do. I am not a security researcher and do not have enough code access to say for sure. At the very least, this security hole has been used by Xfinity to . advertise inside the game itself Short of not playing PUBG at all, there is little way for players to completely avoid this risk. To reduce it as much as you can, only play on your home network, using a wired connection, or wireless if your router is not in range of any potential hackers. What’s the next step? More importantly though, this needs to be fixed as soon as possible. Since PUBG is “being developed with community feedback” (according to its ) it needs your feedback on this issue for it to be tackled in a timely fashion. Please drop a word to the developers in their forums, in a review, or on social media. With your help, PUBG’s security can be as impenetrable as this pan: Steam page And Now, A Story This is where we get into the technical weeds. If you’re not interested, please feel free to tune out. I have a confession: I did not find this issue by myself. I was tipped off by a friend who pointed me to a post someone made on the PUBG forums , complaining that Xfinity is , as they do with other insecure websites. Their shady ISP practices aside, this is a massive red flag. Shockingly, the issue was not addressed at all, and the thread ended with a resounding “meh”: more than six months ago able to inject ads into the main menu Nope, not an April 1st joke! Being a web (-ish) developer myself, this piqued my curiosity so I dug into it. The Investigation Doing so, I found that every time the game loads, a HTTP GET request is sent to . Its contents? http://front.battlegroundsgame.com/index.html $ curl <script>var url = window.location.search;url = url.replace("?", '');location.href=' ;</script> http://front.battlegroundsgame.com/index.html https://prod-live-front.playbattlegrounds.com/2017.09.14-2017.10.02-556/index-steam.2017.09.14-2017.10.02-556.html?'+url My actual reaction, as those in the chatroom I was in can attest That’s it. That’s what loads the entire UI. Not only is it not valid HTML in the first place, and served over a completely unsecured plain HTTP connection, but this would be bad practice even if those things weren’t a problem! Naturally, I continued down the rabbit hole by loading that URL in a browser: Loading that URL actually loaded the PUBG UI! It also produced a wealth of information from looking at the queries themselves: PUBG downloads almost 3 MB of stuff every time you load it The latest update to the UI was on October 17th (two days ago as of the time of writing) The UI is built in a Javascript-ish environment and packaged with a standard Webpack main/vendor/polyfill setup. More on this later. (Also, why do you need polyfills for a standard embedded browser?!) Interaction with the actual game engine (Unreal) and embedding of the browser view is done using Coherent UI File inclusion seems sloppy, since “mock” files are making it into production The Javascript files themselves are minified, so gleaning much from them is difficult… but not impossible. There’s some fun stuff in there: The UI is built using the latest version of ; neat! Angular 4 A sort of “ping test” is performed to figure out if you are in China, and if you are, some resources are loaded… looks like some Chinese software distribution stuff? XunYou The UI’s data is organized using and using the appropriate allows messing with it Redux, browser extension The index page also contains a Google Analytics tracking snippet! Who doesn’t love to have analytics on how many people load their main menu? Update: Also, here’s some fun for social justice activists: the player objects have a default gender (male) and other physical properties, and various tokens that didn’t get minified have a weird “bro” related naming theme: l.connection.sendMessage("UserProxyApi","InvalidateBroFriends",n) Then, as the cherry to top it off, the console log contains confidence-inspiring lines such as: [EGN] engine received DestoryLobbyCharacter:0 Array [ ] mock.entry.js:7:3 I don’t know what that’s about. Anyway… It looks like how I’d expect an “early access” code base to look. That unsecured HTTP request is a much bigger deal, so… Back to security talk! The Bug Report Given that I that the HTTP flaw I found can be exploited, I hastened to write a bug report to Bluehole about it. Going to their support site, I found that… know … it does not use secure communications itself, and for an authentication page, at that. That does not bode well. I reported it anyway, and within a day I got a response from a Game Master acknowledging the report and requesting that I share it on the PUBG forums as well. The public PUBG forums. The ones where the whole world could see the problem. , and it seems to have gotten a similar amount of attention as the thread that got me on this track in the first place. I did Given that there’s been an ample amount of time since the first mention of this issue to come up with a fix — or at least, a stopgap to not expose literally millions of players to — here I am doing this write-up. hacking It is not just a write-up, though! For I have… The Demo There were some screenshots of it before, but here it is in all its glory: . I remembered to actually set the repository to “public” and it should actually be accessible now. https://github.com/fsufitch/pubg-mainmenu-hack Update: Disclaimer: this is not some of my best coding work. It’s messy and terrible, but it works. Do not code like this. It consists of a simple Go-based server that serves an file, loading a bunch of “evil” JS code that injects itself into the UI, attempting to phish the user. Of course, I am not actually saving anyone’s info, and the “login” form is a dummy, but it does provide a striking visual: index.html Legit or not? This hacked UI is live and available at . ( I have disabled the server since it is no longer relevant but is still costing me to keep running.) You can visit it with a web browser, or you can fool your own PUBG into loading it by adding the following line to your file: http://104.239.228.225/index.html Update: hosts 104.239.228.225 front.battlegroundsgame.com That is found at for a Windows environment. Removing the line will disable the hack. %SystemRoot%\System32\drivers\etc\hosts If you don’t feel like editing that file, I put together a simple program that . It’s super suggestively named, just like malware that could do this without your knowledge. Instead of compromising your computer though, all it does is add the line, wait for you to push Enter, then remove the line. really does it for you hosts Some comments I have received indicated that a hosts-file injection is not a “real” vulnerability, as a ton of things are vulnerable to that.While true, this hosts injection is a simple way to demo this problem, since an easy-to-apply, portable MITM demo is much harder to put together. Edit: Video of this story as it happened That’s the end of the PUBG security adventure… For now. Here’s hoping that Bluehole will continue improving PUBG on all fronts, stop putting users at risk, and become truly “e-Sports ready”. Thanks for reading!
