The Epic Games Store Has a Massive Security Flaw

October 25, 2019 21:48 UTC
  • The Epic Games Store is already riddled with issues, and now another bug appears to have surfaced.
  • CCN discovered a way that users can gain access to a game even if they don’t own it.
  • It might seem great for users to share the same copy of a game, but Epic Games could suffer more trouble as a result.

The Epic Games Store has suffered from several controversies recently, from losing hours of players’ Borderlands 3 saved data to Epic founder Tim Sweeney becoming notorious on Twitter for wading into debates. The Epic Games Store is not particularly popular amongst many people these days.

As if those problems weren’t enough, it seems like we may have discovered a pretty big flaw in the Epic Games Store system. If you install a game through the store by logging into someone else’s account, you can continue to play the installed game even if you log back into your own account.

Exploit Testing

While logging into my account earlier today, I discovered that a game I didn’t own but which was already installed from another Epic Games Store account was appearing in my library. Trying to boot the game resulted in it running fine, with no error messages or stops at all. This was replicated on another machine and the result was always the same. As long as you had a game installed in the Epic Games directory, you could run the game even if you didn’t own it.

The exploit was consistently replicable even when creating a completely new account that doesn’t own any games. As well as making a new account, we even tested the exploit on a third machine and the exploit persisted, meaning that it is almost certainly possible to do this with any account, on any machine.

DRM Problems

This exploit seems to have something to do with a lack of DRM or license-checking on the part of the store. Back when Borderlands 3 was released, gamers on Reddit and Twitter discovered that they could still play the game after refunding it by locating the executable on their PC.

As of right now, it seems possible to access pretty much every game another user might own by simply logging into their account, installing all of their games, and then logging back into your own account. While this could arguably be seen as a good thing for users of the store, for developers it might be a cause for concern. It means that multiple people can share a single copy of the game, potentially dramatically reducing sales.

Even if this exploit stops working after a few days or weeks, it is easy to get around this caveat by occasionally logging back into the account which owns the game. This exploit is a pretty big problem for the Epic Games Store, which already has a lot of criticism aimed at it for alleged spyware as well as for Epic’s predatory business practices.

This article was edited by Gerelyn Terzo.

Last modified: October 25, 2019 21:48 UTC

William Worrall is a freelance writer based out of the UK who has been writing professionally about video and tabletop games for over half a decade and has covered industry events such as EGX and UKGE. Reach him at wsworrall.co.uk or on Twitter at W.S. Worrall.