Security Explained: Game Launchers & System Privilege
16 September 2021
Over the past few weeks and months, we’ve noticed an increase in the demand for launcher security, on both sides.
This is because we’ve worked on more game launcher and installer security projects than ever before. So there’s no better time to explain why this increase is happening, and why you should get on board before hackers get ahead.
How are game launchers vulnerable?
Like any application, any piece of code, anything digital at all, launchers have vulnerabilities. There are ways for malicious actors to take advantage of your code and leverage it against you or your users. The scary part of a hacker taking advantage of a launcher or installer is its permissions.
In addition, these launchers are heavily client-side. They do communicate with the server side, but they mostly operate, and remain entirely, on the client side. We’ve mentioned the importance of server-side security, and for a reason! It’s where proper security lies.
For now, let’s go into more detail on why these applications need proper security.
Game launchers, game launchers everywhere
In the not-so-distant past, we only had a handful of launchers to deal with. That and browser-based games and applications.
Now, we’re not just dealing with Steam. Nearly every major game company has or wants its own launcher, and every MMO has its own launcher too. Epic Games, Ubisoft Connect, Origin, Bethesda.net, Battle.net, GOG Galaxy. This list is only going to get longer as the days go by. And this increases the number of people out looking for vulnerabilities.
There are plenty of reasons that a developer or publisher would want their own launcher. It’s good for the brand, it’s a solid monetary investment, and you get control over what your users get and how they can interact with your platform. And you don’t have to answer to another company for any of those reasons.
Of course, this does mean that the responsibility of security and privacy is now yours to bear.
Launcher Security, why?
After all, it’s just a launcher! What’s the worst that could happen? Unfortunately, a lot of things. Launchers and installers need to be addressed separately here, so let’s break it down.
Your installer installs the launcher itself. And then the launcher installs the games, any updates for the games and updates for the launcher itself. All onto your system. Almost like an app store on mobile. And do you know how secure mobile app stores are? Very. Everything gets verified and reviewed before release.
A game requires minimal permissions to run. It doesn’t need to access much. But a launcher and installer? Those are making changes directly to system files. They need to be able to access, overwrite, and delete select game files for updates. Which means system-level permissions.
And if the launcher is compromised, you’ve now got a malicious actor with system-wide permissions.
What can they do?
The main attack we’ll focus on is RCE, or Remote Code Execution. It’s effectively executing or activating malicious code on your device. Apps aren’t in as much danger from this because they typically run on lower permissions. But launchers offer a serious level of access for the malicious actor. Meaning they can wreak havoc.
There’s a great example on HackerOne of one such RCE discovered and patched on Steam.
We’ll also mention that once a violation like this occurs, you are looking at some privacy issues as well. Login details and other valuable credentials stored on your account, as well as any inventory (in and out of game), would be compromised.
How do you get secure?
It’s different from a typical penetration test, as the priority is on the client side. As we mentioned, the server side is not the main focus here, as it would be in a standard test. With a launcher, all the major data, privileges and access rights, and credentials are stored locally.
At Cyrex, we shift the priority to the client side and dive into the code and the launcher.
Some things we look for include:
- Which launch arguments are supported by the program/application/launcher?
- How is the client storing any secrets like authentication tokens?
- How are new games and patches, for both games and the launcher itself, downloaded?
- How are new games and patches, for both games and the launcher itself, installed?
- How is the game interacting with the file system and Windows registry?
- How are local privileges being handled, and can they be escalated?
- Is any local or remote arbitrary code execution possible?
- Are there any insecure encryption standards used?
- Are there any insecure serialization methods used?
- Are web attacks like HTML injection and XSS possible?
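As an illustration of the checklist questions on how patches are downloaded, installed and written to the file system, here is an added example (not Cyrex's code and not taken from any launcher) of the checks an updater running with elevated privileges can make before writing anything. All function names are hypothetical, and it assumes the expected SHA-256 comes from a manifest the launcher has already authenticated.

```python
import hashlib, hmac, io, tempfile, zipfile
from pathlib import Path, PurePosixPath

class PatchRejected(Exception):
    """The patch failed a pre-install check; nothing was written."""

def safe_target(install_dir: Path, entry: str) -> Path:
    """Map an archive entry to a path that stays inside install_dir."""
    p = PurePosixPath(entry)
    if "\\" in entry or ":" in entry or p.is_absolute() or ".." in p.parts:
        raise PatchRejected(f"unsafe entry name: {entry!r}")
    root = install_dir.resolve()
    target = (root / p).resolve()  # also follows symlinks already on disk
    if not target.is_relative_to(root):
        raise PatchRejected(f"entry escapes install dir: {entry!r}")
    return target

def install_patch(blob: bytes, expected_sha256: str, install_dir: Path) -> list:
    """Verify the digest, vet every entry, and only then write files."""
    actual = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise PatchRejected("digest does not match manifest")
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        plan = [(i, safe_target(install_dir, i.filename))
                for i in zf.infolist() if not i.is_dir()]
        for info, target in plan:
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
    return sorted(i.filename for i, _ in plan)

def make_zip(files: dict) -> bytes:
    """Build a constructed sample patch in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def try_install(files: dict, tamper: bool = False) -> str:
    """Run one constructed patch through install_patch in a temp dir."""
    blob = make_zip(files)
    digest = hashlib.sha256(blob).hexdigest()  # stands in for the manifest value
    if tamper:
        blob += b"\x00"  # bytes changed after the manifest was issued
    with tempfile.TemporaryDirectory() as d:
        try:
            return ",".join(install_patch(blob, digest, Path(d) / "game"))
        except PatchRejected as exc:
            return f"rejected: {exc}"
```

Every entry is vetted before the first write, so an archive that mixes legitimate files with one escaping path leaves the install directory untouched.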
Cyrex will also audit and reverse engineer the behaviour of the installer. We will monitor all the actions (file changes, registry modifications, internet connections, etc.) the installer is making on the operating system and evaluate them on a security and privacy level.
We’re glad to see so much launcher security work coming in to us, but as always, there are more people out there unaware of the potential dangers. If you’d like to learn more about cybersecurity threats, you can read our latest blogs here.