A security flaw on the Epic Games Store is allowing users to gain access to a game even if they don’t own it. While there’s a precondition to the exploit’s usage, the gaming company is surely losing money from such a ‘shared game access’ bug. Incidentally, this might be one of the smaller concerns for the company that recently lost hours of players’ Borderlands 3 saved data.
Epic Games has been going through several updates. However, the company appears to have a rather interesting bug that allows gamers to play games they do not officially own. The exploit is rather simple to execute, and there might be more than one variant of the bug, but it essentially allows users to play, in full, titles that they didn’t purchase. The gameplay is smooth and consistent, as if the gamers own the title. This appears to be a case of poor DRM implementation and of lax authentication techniques for tying users to the games they own.
Epic Games Suffers From Poor DRM Security Implementation, Allowing Shared Gaming On Single Computer:
The security flaw within the Epic Games Store appears to be pretty simple and straightforward. Essentially, gamers can use a system on which a bought game is installed to play that game even if they haven’t bought it themselves. The process isn’t complicated either. If gamers install a game through the store by logging into someone else’s account, they can continue to play the installed game even after they log back into their own account.
According to the website that first discovered the bug, the game merely had to be installed on a computer using an account that had legitimately purchased the game. Essentially, a game that wasn’t owned, but which was already installed from another Epic Games Store account, was appearing in the gamer’s library. Booting the game was successful, and the gameplay was smooth. There were no authentication errors, messages or sudden stops at all. Moreover, the in-game progress can also reportedly be saved.
— MSPoweruser (@mspoweruser) November 7, 2019
The bug was successfully replicated on multiple machines with the same results. The only precondition was that the game had to be installed in the Epic Games directory. The exploit was consistently replicable even when creating a completely new account that doesn’t own any games. The testers even created a few new accounts and replicated the exploit. Essentially, the security bug in the Epic Games Store internal authentication and verification methodology was exploitable with any account, on any machine.
The security flaw clearly has to do with a lack of DRM or license-checking on the part of the store. However, there’s another variant of the bug which can be exploited with the same results. Several users on Reddit and Twitter discovered that they could still play the game after refunding it by locating the executable on their PC.
All Premium Game Titles Available On Epic Games Store Can Be Played For Free With The Newly Discovered Security Flaw?
Currently, it seems possible to access almost every game another user might own by simply logging into their account, installing all of their games, and then logging back into your own account. This essentially means multiple people can share a single copy of the game. The only precondition is that a single user must legitimately buy the games on their accounts. Thereafter the account can be used to simply download and install the games by other account holders. As long as the title is installed into their Epic Games directory, any user’s installed games will boot just fine as well as save.
I refunded Borderlands 3 and uninstalled it from the Epic Games Store but found its install directory and its executable is still there and I can unfortunately continue to play Borderlands 3 even though it's gone.
TALK ABOUT SICK DRM pic.twitter.com/nEtpke2Ckt
— Marty (@TimeCommando) September 16, 2019
To address the issue, Epic Games might have to quickly rework their authentication techniques and put in processes that check if a single account is being exploited to download games on multiple systems. Moreover, an occasional check to ensure the game being played is truly bought and owned would also ensure such unauthorized usage is curtailed. Locking the game installations to a particular computer could also benefit the company.
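The checks suggested above (ownership verified at launch, re-verified occasionally, and tied to one computer) can be sketched as follows. This is an added example, not Epic's code or anything from the original report; the function names, ticket format, key, account and machine identifiers are all hypothetical, and it assumes the ticket is issued and verified by online services so the signing key never ships in the client.

```python
import hashlib, hmac, json, time

SERVER_KEY = b"constructed-demo-key"  # hypothetical; held by the store's servers only
TICKET_TTL = 3600  # seconds; a short lifetime forces the periodic ownership re-check

# Constructed sample data: account -> owned game id -> machine the licence is locked to
ENTITLEMENTS = {"alice": {"game-001": "pc-alice"}}

def _sign(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def refund(account, game_id):
    """A refund removes the entitlement, so no further tickets are issued."""
    ENTITLEMENTS.get(account, {}).pop(game_id, None)

def issue_ticket(account, game_id, machine_id, now=None):
    """Store side: sign a launch ticket only for an owned game on its bound machine."""
    now = int(time.time() if now is None else now)
    if ENTITLEMENTS.get(account, {}).get(game_id) != machine_id:
        return None  # files on disk are irrelevant: not owned, refunded, or wrong machine
    body = json.dumps({"acct": account, "game": game_id, "pc": machine_id,
                       "exp": now + TICKET_TTL}, sort_keys=True)
    return body + "." + _sign(body)

def verify_ticket(ticket, account, game_id, machine_id, now=None):
    """Game-backend side: accept a session only if the ticket matches the logged-in user."""
    now = int(time.time() if now is None else now)
    if not ticket or "." not in ticket:
        return False
    body, sig = ticket.rsplit(".", 1)
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return False  # forged or edited ticket
    claims = json.loads(body)
    return (claims["acct"] == account and claims["game"] == game_id
            and claims["pc"] == machine_id and claims["exp"] > now)
```

With this design, a game left in the install directory by another account, or left behind after a refund, gets no ticket for the account that is actually logged in.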