CCN Markets recently reported yet another vulnerability in the Epic Games Store system. William Worrall of CCN said that this security flaw allows users to work around the system’s protections to access a game without owning it.
According to Worrall, a user can simply log into an account that was used to buy a game. While logged in, the user can download and install the already-purchased game onto the device. The catch is that the game remains on the device even after the user logs out and logs into a different account.
Worrall tested the exploit to make sure that it indeed works. Using the above-mentioned method, he was able to view the game in his library. When he tried to run it, the process went smoothly, without any error messages or hitches.
The researcher then used another device to test the vulnerability, with the same results. The vulnerability also persists when installing the same game onto a third device. He also mentioned that the flaw can be replicated using a newly made account.
The issue with Epic Games
Epic Games, which recently released the third installment of the Borderlands franchise, remains under the scrutiny of gamers because of the numerous vulnerabilities seen in its stores and games. During the release of Borderlands 3, gamers who bought and installed the game were still able to run the program even after refunding it.
According to reports, the exploit became possible because of the company’s lack of digital rights management (DRM). This means that the company does not implement license-checking systems to protect its content.
CCN noted that this issue might be perceived positively by consumers. However, the development firm may suffer from losses in sales as users can exploit the flaw to get the game while paying $0.
Class-action lawsuit versus Epic
While vulnerabilities connected to DRM only hurt the company, it is facing another issue due to another flaw in its security measures. In a class-action lawsuit against the firm, it is accused of neglect. This is in light of the account breaches that compromised the data of its users.
The complainants clarified that they took legal action not because the breach occurred, but because the firm “failed to maintain proper security measures in the first place.” Moreover, it did not notify users after discovering the attack and waited several months before doing so.