The Epic Games Store Has a Massive Security Flaw
William Worrall
October 25, 2019 21:48 UTC
- The Epic Games Store is already riddled with issues, and now another bug appears to have surfaced.
- CCN discovered a way that users can gain access to a game even if they don’t own it.
- It might seem great for users to share the same copy of a game, but Epic Games could suffer more trouble as a result.
The Epic Games Store has suffered from several controversies recently, from losing hours of players’ Borderlands 3 saved data to Epic founder Tim Sweeney becoming notorious on Twitter for wading into debates. The Epic Games Store is not particularly popular amongst many people these days.
As if those problems weren’t enough, it seems like we may have discovered a pretty big flaw in the Epic Games Store system. If you install a game through the store by logging into someone else’s account, you can continue to play the installed game even if you log back into your own account.
Exploit Testing
While logging into my account earlier today, I discovered that a game I didn’t own but which was already installed from another Epic Games Store account was appearing in my library. Trying to boot the game resulted in it running fine, no error messages or stops at all. This was replicated on another machine and the result was always the same. As long as you had a game installed in the Epic Games directory, you could run the game even if you didn’t own it.
The exploit was consistently replicable even when creating a completely new account that doesn’t own any games. As well as making a new account, we even tested the exploit on a third machine and the exploit persisted, meaning that it is almost certainly possible to do this with any account, on any machine.
DRM Problems
This exploit seems to have something to do with a lack of DRM or license-checking on the part of the store. Back when Borderlands 3 was released, gamers on Reddit and Twitter discovered that they could still play the game after refunding it by locating the executable on their PC.
As of right now, it seems possible to access pretty much every game another user might own by simply logging into their account, installing all of their games, and then logging back into your own account. While this could arguably be seen as a good thing for users of the store, for developers it might be a cause for concern. It means that multiple people can share a single copy of the game, potentially dramatically reducing sales.
Even if this exploit stops working after a few days or weeks, it is easy to get around this caveat by occasionally logging back into the account which owns the game. This exploit is a pretty big problem for the Epic Games Store, which already has a lot of criticism aimed at it for alleged spyware as well as for Epic’s predatory business practices.