Skip to content
Naked Security Naked Security

Epic in hot water over Steam-scraping code

Players noticed that Epic Games was gathering and storing data from Steam accounts without their permission.

Epic Games, the company behind online gaming phenomenon Fortnite, is at the centre of a privacy storm after players noticed that it was gathering data from their Steam accounts and storing it on their computers without permission.

Fortnite has been a gaming sensation. The game, which pits players against each other in an online world, is downloadable directly from Epic, which launched its own online Epic Games Store in December.

Last week, players found it gathering information about their accounts on rival online gaming service Steam, and Reddit was up in arms.

Reddit user notte_m_portent alerted Fortnite users to alleged suspicious activity in the Epic Game Launcher, which controls the Fortnite software. They claimed that it was watching other processes on the machine, reading root certificates, and storing hardware information in the registry, among other things.

Crayten, another Reddit user, also claimed to have found EGL creating an encrypted copy of the user’s localconfig.vdf file, which contains all friends on Steam and their name histories.

Epic VP of engineering Dan Vogel explained to concerned Redditors that tracking JavaScript feeds information to the company’s Support-a-Creator program, enabling it to pay creators. Epic describes these as “active video makers, streamers, storytellers, artists, cosplayers, musicians, and community builders” supporting its products.

The hardware survey data sends hardware information in line with the company’s privacy policy, he added, while the EGL looks at existing processes to ensure that it doesn’t try to update games that are currently running. That information isn’t sent to Epic, he said.

He added:

We only import your Steam friends with your explicit permission. The launcher makes an encrypted local copy of your localconfig.vdf Steam file. However information from this file is only sent to Epic if you choose to import your Steam friends, and then only hashed ids of your friends are sent and no other information from the file.

Even though Epic says it’s only sending user’s Steam data to its servers with their permission, it still scrapes the data and creates the file on the hard drive without getting the user’s permission first. Reddit user DukeNukem89 was concerned about this.

The same user also complained that Epic wasn’t accessing friends lists through the Steam application programming interface (API). An API is a digital interface that software can use to query other applications online. Given the user’s permission, the EGL could query the API on behalf of any Fortnight user logged into Steam, but Epic chose to ignore the API and scrape the data from the users’ hard drives instead.

Epic’s CEO Tim Sweeney explained that this was a throwback from an earlier development:

You guys are right that we ought to only access the localconfig.vdf file after the user chooses to import Steam friends. The current implementation is a remnant left over from our rush to implement social features in the early days of Fortnite. It’s actually my fault for pushing the launcher team to support it super quickly and then identifying that we had to change it. Since this issue came to the forefront we’re going to fix it.

He added that the company doesn’t like using third-party APIs because they can potentially create more security holes.

Valve, which runs Steam, told Bleeping Computer that it is looking into the issue, stating:

We are looking into what information the Epic launcher collects from Steam… This is private user data, stored on the user’s home machine and is not intended to be used by other programs or uploaded to any 3rd party service.

4 Comments

Let’s not forget the part where this behavior is actually illegal in other countries outside the USA, and must have opt out settings in place to revoke consent at anytime deemed appropriate. Much akin to how Microsoft’s more transparent privacy and data collections settings were implemented after world wide backlash.

Reply

So Valve/Steam is getting indignant about this? Hmmm… seems to me they were remiss by allowing that data to be available and accessible. They never heard of encryption?

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!