Bottom Line, Up Front

The PUBG main menu is a webpage loaded remotely over an unsecured HTTP connection, making it vulnerable to cross-site scripting (XSS) via a man-in-the-middle (MITM) attack, or any other means of tampering with HTTP traffic. This enables very easy and credible phishing, spying on user behaviour, and possibly other attacks.

Again, in English this time… The PUBG loading screen and the various user interface elements in its main menu are not technically part of the game you (a player) “install”. When you launch the game, they are fetched from an official server and rendered on top of the actual game (the 3D model of your character standing around). This rendering is done via a transparent “browser” that treats them as if they were an actual webpage.

The blue arrows are pointing to UI elements that are actually a “webpage”

The connection through which these elements are loaded is not secure. That means that, while the data is moving from the PUBG server to your computer, it can be intercepted and modified. In other words, someone operating any part of the connection between you and the PUBG server could manipulate the data and change what you see in your main menu, or make the main menu do things it normally would not — for example, report what in-game items you own to a third party.
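The two things missing from the loading path described above are a transport that cannot be altered in transit (HTTPS) and a check that the bytes about to be rendered are the ones the publisher shipped. The following is an added illustration, not code from PUBG or Bluehole: a loader-side gate that refuses any UI document fetched over plain `http://` and verifies the body against a Subresource-Integrity style digest pinned in the installed client. The hostnames, file name and HTML snippets are constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import Dict, Tuple
from urllib.parse import urlparse

# Constructed sample documents (hypothetical, not PUBG's real menu):
# the genuine lobby page, and a copy altered by an on-path party to carry a
# login form posting to an unrelated server (the scenario the post describes).
GENUINE_MENU = b"<html><body><div id='lobby'>Play</div></body></html>"
TAMPERED_MENU = (
    b"<html><body><form action='https://unrelated.invalid/'>"
    b"Login</form></body></html>"
)


def sri_digest(body: bytes) -> str:
    """Subresource-Integrity style digest, 'sha256-<base64>', over the exact bytes."""
    return "sha256-" + base64.b64encode(hashlib.sha256(body).digest()).decode()


# Digests of the expected documents. In a real client this table ships with
# the installed binary (or a signed manifest) so it is never delivered over
# the same unauthenticated channel as the content it protects.
PINNED: Dict[str, str] = {"menu.html": sri_digest(GENUINE_MENU)}


def check_remote_ui(url: str, body: bytes,
                    pinned: Dict[str, str] = PINNED) -> Tuple[bool, str]:
    """Decide whether a fetched UI document may be rendered.

    Returns (allowed, reason). Both checks must pass:
      1. transport: the URL scheme is https, so an on-path party cannot read
         or rewrite the document in flight;
      2. integrity: the body matches the digest pinned in the client, so a
         swapped or injected page is rejected even if the origin mis-serves it.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, f"refusing {parsed.scheme}:// transport; UI must load over https"

    name = parsed.path.rsplit("/", 1)[-1]
    expected = pinned.get(name)
    if expected is None:
        return False, f"no pinned digest for {name}; refusing to render unknown document"

    actual = sri_digest(body)
    # Constant-time comparison; avoids leaking how much of the digest matched.
    if not hmac.compare_digest(actual, expected):
        return False, f"integrity mismatch for {name}: got {actual}, expected {expected}"
    return True, "ok"


if __name__ == "__main__":
    cases = [
        ("http://ui.example.invalid/menu.html", GENUINE_MENU),    # cleartext: refused
        ("https://ui.example.invalid/menu.html", GENUINE_MENU),   # genuine over TLS: ok
        ("https://ui.example.invalid/menu.html", TAMPERED_MENU),  # altered page: refused
    ]
    for url, body in cases:
        allowed, reason = check_remote_ui(url, body)
        print(f"{'RENDER' if allowed else 'BLOCK ':6} {url}: {reason}")
```

Pinning a fixed digest means every menu change needs a client update; a production loader would instead verify a publisher signature over a manifest of digests. The essential point is the same: content that is rendered as part of the trusted game UI must be authenticated before it is shown, and TLS alone is the minimum.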

That sounds serious. Why are you making this public? It is indeed serious. Normally I would not make such a big deal over a bug in an “early access” game, but as I mentioned earlier, PUBG is itself a big deal. Early access or not, this bug impacts the security of tens of millions of people. I reported the bug to Bluehole’s support and on their forums more than two weeks ago. As it was not fixed expeditiously, and is a serious issue, I feel it is my responsibility to inform the community of the risk.

What is the actual danger to players? For a hacker to take advantage of this vulnerability, they need to either have malware already on your computer (in which case you have bigger problems) or they need to be a “middle-man” in between you and PUBG. That means that, if you are doing any of these things, you are at risk:

Playing via a public unsecured wireless connection (e.g. at a Starbucks)

Playing using a wired or wireless network set up by someone whose quality of IT you might not trust (e.g. a university network, or Xfinity)

Playing via any wireless network, given the recent revelations about WiFi security

If a hacker does manage to take advantage of this, they can at the very least modify what you see on your screen, easily making it look like an official part of PUBG.

I even went ahead and created a proof of concept. After you see the animated Bluehole splash screen and the game music starts, you could be confronted with this:

Looks very official, right? It’s completely fake, delivered from a server entirely unrelated to PUBG or Bluehole, and could send me your login details if you entered them (it does not, though).

It is also possible there are far more nefarious things for the hacker to do. I am not a security researcher and do not have enough code access to say for sure. At the very least, this security hole has been used by Xfinity to advertise inside the game itself.

What’s the next step? Short of not playing PUBG at all, there is little players can do to avoid this risk completely. To reduce it as much as you can, only play on your home network, using a wired connection, or wireless if your router is not in range of any potential hackers.

More importantly though, this needs to be fixed as soon as possible. Since PUBG is “being developed with community feedback” (according to its Steam page) it needs your feedback on this issue for it to be tackled in a timely fashion. Please drop a word to the developers in their forums, in a review, or on social media. With your help, PUBG’s security can be as impenetrable as this pan: