Epic Games prepared a bounty of over 100 million yen and claimed that 'account hack is a hoax', was it really a hoax?



Housepic, a group video chat app from Epic Games, said $ 1 million to people who provided proof that 'rumors of' Houseparty accounts being hacked are being systematically disseminated on Twitter. ' Announced to give (about 110 million yen). However, blogger Zack Edwards said, 'There is a technical flaw in the password recovery form of Epic Games, and the account is hacked by a subdomain site intended for phishing .' I'm just missing the House party claim.

Epic Games Ignored Epic Subdomain Takeover on their Authentication Domain, Promoted $ 1 Million Bounty to Address User Complaints
https://medium.com/@thezedwards/epic-games-ignored-epic-subdomain-takeover-on-their-authentication-domain-promoted-1-million-b4d809039b0e

Around the end of March 2020, rumors spread that on Twitter, 'When I downloaded the Houseparty app, my Spotify, PayPal, bank account, etc. were hacked.' Houseparty denies the rumor that 'there is no evidence.' As 'some kind of organization has invested funds to spread the rumors of this kind,' claim to, it was announced to give 100 million dollars reward to the person who provided the information about the organization to lead this rumor.




However, when Edwards investigated the Houseparty login page, he found that the request header of the login form lacked a content security policy and could be embedded in a third-party website. I found that the subdomain of 'TheHousePartyApp.com' had permission to execute JavaScript code for HouseParty.com.

According to Edwards, the sub-domain of TheHousePartyApp.com has been hijacked by numerous phishing sites. The following is an example of a phishing site that uses a subdomain of TheHousePartyApp.com, which is a service that claims 'free e-book service'.



Some phishing sites have the exact same input form.




These phishing sites acquired fonts from 'webfonts.ru' and are suspected of involvement by Russian criminal organizations.



The majority of these phishing sites are trying to trick users into 'free' food, like 'free e-books' and 'free movie streaming.' Edwards claims that these phishing sites are hacking his accounts.

When Edwards contacted Epic Games about the existence of a phishing site using the above TheHousePartyApp.com subdomains, he said, `` The DNS records associated with the IP in question have not been deleted and HouseParty previously owned IP. Third party has obtained new content. The content of the subdomain in question is not our content. ”The malicious phishing site did not intentionally acquire the subdomain. Claimed to have just been inherited by a third party who provided e-book services.

In conclusion, after investigating, Epic Games said, 'Illegal content may be hosted by a third party. However, except that it was hosted, there is little potential for further exploitation. Denies the theory that 'Houseparty account hacking is occurring due to subdomain phishing sites.'

Edwards pointed out that it was the 'Pickaflick.com crew' who made the series of attacks. The Pickaflick.com crew is a group that has been operating phishing sites with various methods for over 10 years, starting from the phishing site 'Pickaflick.com'. Edwards provided Epic Games with more information about the Pickaflick.com crew's tricks, but said they were 'mostly ignored.'



`` It's true that organized hacker and phishing networks have used Epic Games subdomains to attack users, '' Edwards said. , Malicious organizations are just spreading. '

On the English-speaking social bookmarking site Reddit, it has been pointed out that 'it may be true that a phishing site was deployed on a subdomain of Houseparty, but it is weak to link it to account hacking.'

in Security, Posted by log1k_iy