The Fix

If you are uninterested in technical details, scroll down past the rainbow party parrot.

In order to do my original planned follow-up (about how the vulnerability was not fixed), I applied my hosts file hack and started PUBG. I was surprised to be greeted by the actual main menu! I double-checked using my browser, and the http://front.battlegroundsgame.com page was indeed still vulnerable so… what happened?

The UI is still very much a “website” — all the other symptoms, such as flickering, are still there. It even briefly flashes a URL while loading: https://prod-live-front.playbattlegrounds.com/index.html. That URL also still loads the UI (though over an encrypted connection). To figure out exactly what PUBG was or was not doing, I pulled out Wireshark, a network analyzer.

Since the main issue in the vulnerability was the transfer of UI render data over unencrypted HTTP, I tried to look for any HTTP traffic on common HTTP and HTTPS ports while launching the game. If I could see anything, the game would still be vulnerable. Here’s what I saw:

Nothing! That is excellent news!

During my previous investigations, I had also noticed that both of the domains involved in serving files, front.battlegroundsgame.com and prod-live-front.playbattlegrounds.com, resolved to IPv6 addresses. To see whether (and how) either of those servers is still contacted, I was lazy and just searched for any IPv6 traffic (from any address):

Still nothing! Since PUBG probably did not undergo a massive change to their hosting just to fix this problem, this most likely means their UI is not loaded from the Internet anymore.

Lastly, to confirm this, I monitored Wireshark live as I launched PUBG, looking for a burst of IPv4 activity going to ports 443 or 80 as it loaded, which would indicate it loading the 3 MB of data it was previously loading. I found no such thing anymore.
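
The three capture checks described above (readable HTTP, any IPv6 frames, payload volume on ports 80/443) can be scripted. This is an added example, not part of the original post. It assumes the capture was saved as a classic little-endian pcap with Ethernet framing; the sample capture, host name and addresses are constructed.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")

def summarize(pcap: bytes) -> dict:
    """Tally cleartext HTTP requests, IPv6 frames and IPv4 web-port payload bytes."""
    magic, *_, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian classic pcap of Ethernet frames")
    out = {"http_requests": [], "ipv6_packets": 0, "web_bytes_v4": 0}
    off = 24                                      # skip the pcap global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:
            continue
        ethertype = struct.unpack_from("!H", frame, 12)[0]
        if ethertype == 0x86DD:                   # any IPv6 frame at all
            out["ipv6_packets"] += 1
        if ethertype != 0x0800 or len(frame) < 34 or frame[23] != 6:
            continue                              # keep only IPv4 + TCP
        tcp = 14 + (frame[14] & 0x0F) * 4         # IPv4 header length from IHL
        if len(frame) < tcp + 20:
            continue
        total_len = struct.unpack_from("!H", frame, 16)[0]
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        payload = frame[tcp + (frame[tcp + 12] >> 4) * 4 : 14 + total_len]
        if {sport, dport} & {80, 443}:            # volume on the web ports
            out["web_bytes_v4"] += len(payload)
        if payload.startswith(HTTP_METHODS):      # readable HTTP request line
            out["http_requests"].append(payload.split(b"\r\n", 1)[0].decode("ascii", "replace"))
    return out

# --- constructed sample capture (documentation addresses, made-up host name) ---
def _frame_v4(sport, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp

def _pcap(frames):
    records = (struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(records)

REQUEST = b"GET /index.html HTTP/1.1\r\nHost: ui.example.test\r\n\r\n"
IPV6_FRAME = b"\x02" * 6 + b"\x04" * 6 + b"\x86\xdd" + b"\x60" + bytes(39)
SAMPLE = _pcap([_frame_v4(50000, 80, REQUEST), _frame_v4(50001, 443, bytes(100)),
                _frame_v4(50002, 7777, bytes(40)), IPV6_FRAME])
```

A capture taken while the UI is served locally should come back with an empty `http_requests` list and zero for both counters; any entry in `http_requests` means UI data is still readable on the wire.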

PUBG is now hosting their menu locally, improving both the security of their product and its overall technical design. Hooray!