
Playerunknown's Battlegrounds main menu vulnerable to hacking

2021-01-29 20:49:45

Originally posted by Filip Sufitchi

Update: This security hole has been closed. See my follow-up post for more details.

Update to the update: A false alarm report brought this problem back. Read about it here.

PlayerUnknown's Battlegrounds (or PUBG for short) is an extremely popular new video game. It focuses on "battle royale" gameplay, pitting up to 100 players against each other in a fight to be the last one standing. The game and its developer (Bluehole) are very ambitious and have been very successful with PUBG. While the game is not yet officially "released," it has passed two million concurrent players, made tens of millions of dollars, and has a growing e-sports presence. This kind of exposure and success comes with certain expectations (performance, stability, visuals, competitive AAA marketing, etc.) which have not always been met. This article is not about those; it is about security.

First, let's look at the very basics of the problem. What is it, how big a deal is it, and what does it mean to you?

Bottom Line, Up Front

The main menu of PUBG is a web page loaded remotely over an insecure HTTP connection, which makes it vulnerable to cross-site scripting (XSS) attacks through a "man-in-the-middle" (MITM) or any other means of tampering with HTTP requests. This enables very easy and credible phishing, spying on user behaviour, and other possible angles of attack.

Again, in English this time…

[Loading screen and main menu of PUBG. The blue arrows point to user interface elements that are actually a web page.]

The connection through which these elements are loaded is insecure. This means that while the data is moving from the PUBG server to your computer, it may be intercepted and modified. In other words, anyone who controls any part of the connection between you and the PUBG server could manipulate the data and change what you see in your main menu, or have the main menu do things it wouldn't normally do, for example report the game items you own to someone else.

It sounds serious. Why are you making this public?

This is really serious. Normally I wouldn't make such a big deal of a bug in an "early access" game, but as I mentioned earlier, PUBG is no small thing. Early access or not, this bug affects the security of tens of millions of people. I reported the bug to Bluehole support and on their forums over two weeks ago. As it was not resolved quickly and this is a serious issue, I believe it is my responsibility to inform the community of the risk.

What is the real danger for players?

For an attacker to take advantage of this vulnerability, they must either already have malware on your computer (in which case you have bigger problems) or be an "intermediary" between you and PUBG. This means that, if you do any of the following, you are at risk:

- Playing over an unsecured public wireless connection (for example at a Starbucks)
- Playing over a wired or wireless network set up by someone whose computer expertise you might not trust (for example, a college network or Xfinity)
- Playing over any wireless network, given the recent revelations about WiFi security

If a hacker manages to take advantage of it, they can at the very least modify what you see on your screen, easily making it look like an official part of PUBG. I even created a proof of concept. After seeing the animated Bluehole splash screen, with the game music playing, you might be faced with this:

[image]

This looks very official, doesn't it? It is completely fake, served from a server entirely independent of PUBG or Bluehole, and could send me your login details if you entered them (it does not, however). It is also possible that a hacker could do much more nefarious things. I am not a security researcher and do not have enough access to the code to say for sure. At the very least, this security flaw has already been used by Xfinity to put ads into the game itself.
What's next?

Unless you don't play PUBG at all, there is no way for players to avoid this risk entirely. To reduce it as much as you can, only play on your home network, over a wired or wireless connection, and only if your router is not within range of potential hackers. More importantly, this should be fixed as soon as possible. Since PUBG is "under development with community feedback" (according to its Steam page), it needs your feedback on this issue to get it resolved in a timely manner. Please leave a word for the developers on their forums, in a review, or on social media. With your help, PUBG's security can be as impenetrable as this pan:

[image]

And now, a story

I have a confession: I didn't find this problem on my own. A friend pointed me to a post on the PUBG forums, over six months old, complaining that Xfinity is able to inject ads into the main menu, as they do with other insecure websites. Aside from the shady ISP practices, this is a huge red flag. Shockingly, the problem was not resolved at all, and the thread ended with a resounding "meh".

No, not an April Fools' joke! Being a web developer (-ish) myself, this piqued my curiosity, so I dug into it. In doing so, I found that every time the game loads, an HTTP GET request is sent to http:// . Its content?

$ curl
html

My real reaction, as seen by those in the chat room I was in:

[image]

This is what loads the entire user interface. Not only is it not valid HTML in the first place, and served over a completely insecure plain HTTP connection, but it would be bad practice even if those things were not a problem! Of course, I continued down the rabbit hole by loading this URL in a browser:

[image: loading this URL actually loaded the PUBG UI!]
Looking at the requests themselves also produced a wealth of information:

- PUBG downloads almost 3 MB of content every time you load it.
- The last UI update was October 17 (two days ago at the time of writing).
- The UI is built in a JavaScript-ish environment and packaged with a standard webpack main/vendor/polyfills configuration. More on that later. (Also, why do you need polyfills for a standard embedded browser?!)
- Integration between the real game engine (Unreal) and the browser view is done using Coherent UI.
- File inclusion seems sloppy, because "mock" files are in production.

The JavaScript files themselves are minified, so it is hard to get much out of them… but not impossible. There is some fun stuff in there:

- The user interface is built with the latest version of Angular 4; neat!
- A kind of "ping test" is performed to find out whether you are in China, and if so, some XunYou resources are loaded… looks like Chinese software distribution stuff?
- The internal UI data is organized using Redux, and…
- Update: the index page also contains a Google Analytics tracking snippet! Who doesn't like having analytics on the number of people loading their main menu?
- Also, here's some fun for social justice activists: player items have a default gender (male) and other physical properties, and…

connection.sendMessage("UserProxyApi", "InvalidateBroFriends", n)

Then, to top it off, the console log contains inspirational lines such as:

[EGN] engine received DestoryLobbyCharacter: 0 Array mock.entry.js:7:3

I don't know what this is about either… It looks like what I would expect from an "early access" codebase. The insecure HTTP request is far more important, though, so…

Back to the security discussion!

Since I knew that the HTTP flaw I found could be exploited, I hastened to write a bug report to Bluehole about it. On reaching their support site, I found that…

[image]

…it doesn't use secure communication itself, and for an authentication page, at that.
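The two findings above (a main menu fetched over plain HTTP, and a support site that does not use secure communication either) are the kind of thing a defender can check mechanically rather than by hand. The following Python script is an added example, not code from the original post or from Bluehole: it takes a page URL, the asset URLs it pulls in (here a constructed index page plus webpack main/vendor/polyfills bundles, on the made-up host front.example.test) and any response headers already captured, and reports plaintext fetches, mixed content and missing or short HSTS. The hostnames, paths and header values are constructed for the demo.

```python
"""Audit the transport security of a client's remotely loaded UI assets.

Added example: checks URLs and captured response headers offline, so it
can run against a manifest of what a client fetches without touching the
network. Hostnames below are constructed (front.example.test etc.).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

ONE_YEAR = 365 * 24 * 3600


@dataclass
class Finding:
    url: str
    severity: str  # "high", "medium" or "low"
    message: str


def parse_max_age(hsts_value: str) -> Optional[int]:
    """Return the max-age directive of a Strict-Transport-Security value, or None."""
    for directive in hsts_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit_url(url: str, headers: Optional[Dict[str, str]] = None) -> List[Finding]:
    """Flag a single resource: plaintext scheme, or HTTPS without durable HSTS."""
    findings: List[Finding] = []
    scheme = urlparse(url).scheme.lower()
    if scheme == "http":
        findings.append(Finding(url, "high",
                                "fetched over plaintext HTTP: anyone on the path can read and rewrite it"))
        return findings
    if scheme != "https":
        findings.append(Finding(url, "medium", f"unexpected scheme {scheme!r}"))
        return findings
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    hsts = hdrs.get("strict-transport-security")
    if hsts is None:
        findings.append(Finding(url, "medium",
                                "HTTPS without Strict-Transport-Security: a client pointed at http:// first can still be downgraded"))
    else:
        max_age = parse_max_age(hsts)
        if max_age is None or max_age < ONE_YEAR:
            findings.append(Finding(url, "low", "HSTS max-age shorter than one year"))
    return findings


def audit_manifest(page_url: str, asset_urls: List[str],
                   headers_by_url: Optional[Dict[str, Dict[str, str]]] = None) -> List[Finding]:
    """Audit a page and every asset it loads; also flag HTTP assets on an HTTPS page."""
    headers_by_url = headers_by_url or {}
    findings = audit_url(page_url, headers_by_url.get(page_url))
    page_secure = urlparse(page_url).scheme.lower() == "https"
    for asset in asset_urls:
        findings.extend(audit_url(asset, headers_by_url.get(asset)))
        if page_secure and urlparse(asset).scheme.lower() == "http":
            findings.append(Finding(asset, "high",
                                    "mixed content: an HTTPS page pulling an HTTP script hands the attacker the whole page"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample: a main menu shaped like the one described in the post
# (index page plus webpack bundles), everything fetched over plain HTTP, and
# one third-party analytics script over HTTPS but without HSTS.
INSECURE_PAGE = "http://front.example.test/index.html"
INSECURE_ASSETS = [
    "http://front.example.test/main.js",
    "http://front.example.test/vendor.js",
    "http://front.example.test/polyfills.js",
    "https://analytics.example.test/analytics.js",
]

# Constructed hardened counterpart: same layout over HTTPS with a two-year HSTS policy.
SECURE_HEADERS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"}
SECURE_PAGE = "https://front.example.test/index.html"
SECURE_ASSETS = [u.replace("http://", "https://") for u in INSECURE_ASSETS[:3]]


def audit_insecure_sample() -> List[Finding]:
    return audit_manifest(INSECURE_PAGE, INSECURE_ASSETS)


def audit_secure_sample() -> List[Finding]:
    headers = {u: SECURE_HEADERS for u in [SECURE_PAGE, *SECURE_ASSETS]}
    return audit_manifest(SECURE_PAGE, SECURE_ASSETS, headers)


if __name__ == "__main__":
    for f in audit_insecure_sample():
        print(f"[{f.severity}] {f.url}: {f.message}")
    print("insecure:", summarize(audit_insecure_sample()))
    print("hardened:", summarize(audit_secure_sample()))
```

The insecure sample yields four high findings (page and three bundles over HTTP) plus one medium (HTTPS analytics script without HSTS); the hardened sample yields none. The same functions can be pointed at a real capture by feeding in the URLs and headers from a proxy or browser log.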
That doesn't bode well. I reported it anyway, and within a day I received a response from a Game Master acknowledging receipt of the report and asking me to share it on the PUBG forums as well.

The PUBG public forums. The ones where the whole world could see the problem.

I did so, and it seems to have gotten about as much attention as the thread that put me on this trail in the first place. Since this problem was first mentioned there has been enough time to find a fix, or at least a workaround that doesn't expose literally millions of players to hacking, so I am writing this article.

It's not just a description!

Because I have… There were some screenshots before, but here it is in all its glory:

Update: I remembered to set the repository to "public"; it should actually be accessible now.

It consists of a simple Go-based server that serves an index.html, which loads a bunch of "evil" JS code that hooks into the user interface and tries to phish the user. Of course, I don't log anyone's information, and the "login" form is a fake, but it provides a striking visual:

[image: Legit or not?]

The hacked user interface is live and available at . (Update: I disabled the server because it is no longer relevant and it still costs me to keep it running.) You can visit it with a web browser, or you can trick your own PUBG into loading it by adding the following line to your hosts file:

front.battlegroundsgame.com

On Windows this file is found at %SystemRoot%\System32\drivers\etc\hosts. Removing the line disables the hack. If you really don't want to edit this file, I have set up a simple program that does it for you. It is very suggestively named, just like malware that might do the same without your knowledge. Instead of compromising your computer, it just adds the hosts line, waits for you to hit Enter, then deletes the line.

Edit: Some comments I received pointed out that a hosts file injection is not a "real" vulnerability, like a ton of other things.
While this is true, hosts injection is a simple way to demonstrate the problem, because an easy-to-apply, portable MITM demo is much harder to set up.

[Video of this story]

This is the end of the PUBG security adventure… for now. Hopefully Bluehole will continue to make PUBG better on all fronts, stop putting users at risk, and truly become "esports ready". Thanks for reading!
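The hosts-file trick used for the demo above is the same one malware uses silently, which makes the hosts file a cheap thing to monitor. The following Python script is an added example, not code from the original post: it parses a hosts file and raises an alert when a watched domain (a game or login front-end you care about) is overridden at all, or when any name is pointed at an address outside the loopback, link-local and RFC 1918 ranges that legitimately appear there. The sample hosts file, the domain example-game.test and the address 203.0.113.45 are constructed for the demo.

```python
"""Flag suspicious hosts-file entries: the hijack the demo performs, and the
one malware performs without asking. Added example; sample data is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence


@dataclass
class HostsEntry:
    lineno: int
    address: str
    hostnames: List[str]


@dataclass
class Alert:
    lineno: int
    address: str
    hostname: str
    reason: str


# Addresses that legitimately show up in hosts files: loopback, the unspecified
# address (ad-blocking lists), link-local and RFC 1918 ranges. Anything else
# deserves a look, which is why the list is explicit rather than ip.is_global.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "0.0.0.0/8", "::/128",
    "169.254.0.0/16", "fe80::/10",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7",
)]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text: '<address> <name> [<name>...]', '#' starts a comment."""
    entries: List[HostsEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line; the resolver ignores it as well
        entries.append(HostsEntry(lineno, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def is_local_address(address: str) -> bool:
    """True if the address falls in one of the expected local ranges."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # not even an address: treat as suspicious
    return any(ip in net for net in LOCAL_NETWORKS)


def matches_domain(hostname: str, domain: str) -> bool:
    """Exact match or subdomain match, e.g. front.example-game.test under example-game.test."""
    return hostname == domain or hostname.endswith("." + domain)


def find_hijacks(entries: Sequence[HostsEntry], watched_domains: Sequence[str]) -> List[Alert]:
    """One alert per (entry, hostname, reason); an entry can trigger both reasons."""
    alerts: List[Alert] = []
    for e in entries:
        local = is_local_address(e.address)
        for host in e.hostnames:
            if any(matches_domain(host, d) for d in watched_domains):
                alerts.append(Alert(e.lineno, e.address, host, "watched-domain-override"))
            if not local:
                alerts.append(Alert(e.lineno, e.address, host, "non-local-address"))
    return alerts


# Constructed sample hosts file: benign local entries, an ad-block entry, and
# one injected line that redirects a game front-end to an outside address.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.168.1.20    nas.lan files.lan
0.0.0.0         ads.example.test
203.0.113.45    front.example-game.test   # overrides the game's front-end host
"""
WATCHED_DOMAINS = ["example-game.test"]


def audit_sample() -> List[Alert]:
    return find_hijacks(parse_hosts(SAMPLE_HOSTS), WATCHED_DOMAINS)


if __name__ == "__main__":
    for a in audit_sample():
        print(f"line {a.lineno}: {a.address} -> {a.hostname} [{a.reason}]")
```

On the sample, only the injected line fires, once for each reason; the loopback, LAN and 0.0.0.0 entries stay quiet. Run it on a schedule against the real file (the Windows path given above, or /etc/hosts elsewhere) and diff the alerts against the previous run to catch new overrides.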