PUBG Main Menu Hack — It’s Fixed!

Filip Sufitchi
Oct 27, 2017


Last week I wrote about PlayerUnknown’s Battlegrounds having a big security hole in their main menu. It got more attention than I’m used to my posts getting, so I am taking this opportunity to write a follow-up to do two things:

  • Inform everyone that, as far as I can tell, it is no longer possible to exploit this vulnerability.
  • Address some responses the previous post got — positive, negative, and questions.

Ready to jump?

The Fix

If you are uninterested in technical details, scroll down past the rainbow party parrot.

In order to do my original planned follow-up (about how the vulnerability was not fixed), I applied my hosts file hack and started PUBG. I was surprised to be greeted by the actual main menu! I double-checked using my browser, and the http://front.battlegroundsgame.com page was indeed still vulnerable so… what happened?

The UI is still very much a “website” — all the other symptoms, such as flickering, are still there. It even briefly flashes a URL while loading: https://prod-live-front.playbattlegrounds.com/index.html. That URL also still loads the UI (though over an encrypted connection). To figure out exactly what PUBG was or was not doing, I pulled out Wireshark, a network analyzer.

Since the main issue in the vulnerability was the transfer of UI render data over unencrypted HTTP, I tried to look for any HTTP traffic on common HTTP and HTTPS ports, while launching the game. If I could see anything, the game would still be vulnerable. Here’s what I saw:

Nothing! That is excellent news!

During my previous investigations, I had also noticed that both of the domains involved in serving files, front.battlegroundsgame.com and prod-live-front.playbattlegrounds.com, resolved to IPv6 addresses. To see whether (and how) either of those servers is still contacted, I was lazy and just searched for any IPv6 traffic (from any address):

Still nothing! Since PUBG probably did not undergo a massive change to their hosting just to fix this problem, this most likely means their UI is not loaded from the Internet anymore.

Lastly, to confirm this, I monitored Wireshark live as I launched PUBG, looking for a burst of IPv4 activity going to ports 443 or 80 as it loaded, which would indicate that it was still fetching the 3 MB of data it previously downloaded. I found no such thing anymore.

PUBG is now hosting their menu locally, improving both the security of their product and its overall technical design. Hooray!

Q & A… Plus Other Stuff

Was it irresponsible to release the vulnerability like this? I don’t feel I was unnecessarily irresponsible. The timeline looks like this:

  1. Users notice the problem and report it. At least 6 months pass. More, if I am to believe some of the readers.
  2. I notice the problem, diagnose it, and report it (again, hopefully) on the official bug system. The next day, I report it on their forums, as instructed.
  3. Two weeks pass, a major patch and multiple hotfixes get pushed out, but no fix for this issue arrives.
  4. I publish the original post.
  5. A week later, I am writing this and the security hole is gone.

Was it my post (or people tweeting it at them) that pushed Bluehole to fix it? Maybe. I can’t find any public communication from them about it.

Still, if it wasn’t, was it wise to shout it to the world? Yes, that opens the door to hackers who read my blog, but so did the forum post that official PUBG support requested I make. A hacker is far more likely to browse the PUBG forums looking for exploitable bugs than a legitimate user looking to protect themselves from malicious software, so I felt the issue merited a second, more layman-friendly representation.

In short, I followed official channels and the issue only got worse (no fast fix, high risk of informing bad actors), so I did something better.

I can’t believe the UI is a website; this is terrible software! PUBG is not unique in using a web interface overlay. Coherent GT, the software they use, looks to have a variety of other big-name clients — including ArenaNet, who use it for the Guild Wars 2 in-game trading post.

Why? I can speculate: web interfaces have a far, far wider variety of resources and designer/developer talent available than native graphical interfaces for specific game engines (such as Unreal 4 in PUBG’s case). This is backed up by PUBG’s usage of the Angular framework to drive the menu; it’s the same stuff they use to run their website! In other words, the decision was probably made because it is cheaper and faster to do it this way.

That’s still hacky and terrible and not a proper use of a web UI. I tentatively agree, but that’s an argument for another day.

A game being vulnerable to someone fiddling with the hosts file is no big deal. It’s not a big deal for the game. It is a big problem for the user whose hosts file is edited. Editing that file is a common malware tactic, and results in much bigger problems than the wrong menu in PUBG. It is, however, a convenient way to demonstrate what the security hole does, without requiring special router configuration to actually run a man-in-the-middle attack on yourself.

Also, plenty of people will fall for a hosts file attack anyway, since a mod such as PUBG-n00dzmod_4_a64.exe is just way too tempting.
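Because a hosts-file rewrite is the cheap way to hijack a domain like the two menu hosts named above, a defender can at least detect that rewrite. The script below is an added example (not from the original post or from PUBG) that parses hosts-file text and flags any watched domain pointed at a real address; the sample hosts content and the 192.168.1.50 address are constructed.

```python
import ipaddress

# Domains the post identified as serving the menu UI (constructed watch list;
# in practice load it from a config file).
WATCHED_DOMAINS = {
    "front.battlegroundsgame.com",
    "prod-live-front.playbattlegrounds.com",
}

# Pointing a name here blocks it rather than redirecting it, so it is reported
# separately instead of being treated as a hijack.
LOOPBACK_AND_NULL = {"127.0.0.1", "::1", "0.0.0.0", "::"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing/inline comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])   # skip malformed addresses
        except ValueError:
            continue
        for name in fields[1:]:
            yield str(ip), name.lower()


def find_hijacked(text, watched=WATCHED_DOMAINS):
    """Return (hijacked, blocked): watched names mapped to a real address,
    and watched names mapped to loopback/null."""
    hijacked, blocked = [], []
    for ip, name in parse_hosts(text):
        if name in watched:
            (blocked if ip in LOOPBACK_AND_NULL else hijacked).append((name, ip))
    return hijacked, blocked


# Constructed sample: one benign line, one redirect to a LAN address an
# attacker could control, one block entry.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# added by installer
192.168.1.50  front.battlegroundsgame.com   # constructed attacker address
0.0.0.0  prod-live-front.playbattlegrounds.com
"""

if __name__ == "__main__":
    hijacked, blocked = find_hijacked(SAMPLE_HOSTS)
    for name, ip in hijacked:
        print(f"ALERT: {name} redirected to {ip}")
    for name, ip in blocked:
        print(f"note: {name} blocked via {ip}")
```

To run it against a live system, read the real file (on Windows, C:\Windows\System32\drivers\etc\hosts; on Linux and macOS, /etc/hosts) and pass its contents to find_hijacked.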

#EsportsReady. No comment.

Thank you for checking this out! Enjoy your PUBG!
