Hackers Reset Accounts in Escape from Tarkov Using "Incredibly Stupid" Bug - Huge Hole in BSG's Security
A loophole in the system allowed attackers to break into some players' accounts.
Recently, some Escape from Tarkov players were disconnected from the server. That happens from time to time, so at first it raised no concern, but after reconnecting they found that all of their progress had been wiped.
Users began to suspect that the EFT databases had been hacked. However, tech enthusiast Chilljones1125 explained that the cause was much simpler: Battlestate Games' login security turned out to be very weak:
This is incredibly stupid and a huge security hole on the part of BSG. No data was compromised, nothing was disclosed. It's just a login bypass.
It turned out that the Steam (OpenID) login flow did not properly verify the signature on the response returned by Steam's servers.
As a result, attackers could edit the response URL coming back from Steam and substitute the ID of the account they wanted to access. Two-factor authentication did not help, because the check was bypassed before it came into play.
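To make the failure concrete, here is an added example (not Battlestate Games code, and not the real EFT login handler) that puts a trusting Steam OpenID callback handler next to one that verifies the assertion the way the OpenID 2.0 spec requires: checking that the identity fields are covered by the signature, that the assertion was meant for this site, rejecting replays, and handing the whole assertion back to the provider with `openid.mode=check_authentication`. The Steam endpoint and the SteamID64 identity URL shape are real; the `FakeSteamProvider`, its shared secret, the SteamIDs, nonce and `https://game.example` callback URL are all constructed so the script runs offline.

```python
"""Steam OpenID 2.0 callback handling: a trusting handler beside a verifying one.
Added example; the fake provider stands in for Steam so this runs offline."""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

STEAM_OPENID_URL = "https://steamcommunity.com/openid/login"
STEAM_ID_RE = re.compile(r"^https://steamcommunity\.com/openid/id/(\d{17})$")
# Fields the provider's signature must cover. If claimed_id/identity are not in
# openid.signed, editing them does not invalidate the signature at all.
MUST_BE_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                  "assoc_handle", "claimed_id", "identity"}


def parse_callback(url):
    """Flatten the callback URL's query string into a plain dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def kv_form(params, signed_keys):
    """OpenID 2.0 key-value form of the signed fields (this is what the MAC covers)."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed_keys)


def vulnerable_login(params):
    """Trusts openid.claimed_id as-is: whoever edits the URL chooses the account."""
    m = STEAM_ID_RE.match(params.get("openid.claimed_id", ""))
    return m.group(1) if m else None


def hardened_login(params, expected_return_to, check_authentication, seen_nonces):
    """Return the SteamID64 only if every check passes, otherwise None."""
    if params.get("openid.mode") != "id_res":
        return None                                   # not a positive assertion
    if params.get("openid.op_endpoint") != STEAM_OPENID_URL:
        return None                                   # not asserted by Steam
    if params.get("openid.return_to") != expected_return_to:
        return None                                   # meant for another site/URL
    claimed = params.get("openid.claimed_id", "")
    if claimed != params.get("openid.identity"):
        return None                                   # identity fields must agree
    m = STEAM_ID_RE.match(claimed)
    if not m:
        return None                                   # not a Steam identity URL
    if not MUST_BE_SIGNED <= set(params.get("openid.signed", "").split(",")):
        return None                                   # signature skips the identity
    nonce = params.get("openid.response_nonce", "")
    if not nonce or nonce in seen_nonces:
        return None                                   # replayed assertion
    # Direct verification: send the assertion back to the provider and let it
    # confirm that it produced this signature (openid.mode=check_authentication).
    query = {k: v for k, v in params.items() if k.startswith("openid.")}
    query["openid.mode"] = "check_authentication"
    if not check_authentication(query):
        return None
    seen_nonces.add(nonce)
    return m.group(1)


def parse_check_response(body):
    """Parse the provider's key:value reply; True only for an explicit is_valid:true."""
    fields = dict(line.split(":", 1) for line in body.splitlines() if ":" in line)
    return fields.get("is_valid") == "true"


class FakeSteamProvider:
    """Constructed stand-in for Steam: signs assertions and answers check_authentication."""

    def __init__(self, secret):
        self.secret = secret
        self.signed_keys = sorted(MUST_BE_SIGNED)

    def _mac(self, params, keys):
        digest = hmac.new(self.secret, kv_form(params, keys).encode(), hashlib.sha256).digest()
        return base64.b64encode(digest).decode()

    def issue(self, steam_id, return_to, nonce):
        """Build the callback URL the provider would redirect the browser to."""
        ident = f"https://steamcommunity.com/openid/id/{steam_id}"
        p = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
             "openid.op_endpoint": STEAM_OPENID_URL, "openid.return_to": return_to,
             "openid.response_nonce": nonce, "openid.assoc_handle": "assoc-example",
             "openid.claimed_id": ident, "openid.identity": ident,
             "openid.signed": ",".join(self.signed_keys)}
        p["openid.sig"] = self._mac(p, self.signed_keys)
        return return_to + "?" + urlencode(p)

    def check_authentication(self, query):
        """Recompute the MAC over the fields the relying party sent back."""
        try:
            ok = hmac.compare_digest(self._mac(query, query["openid.signed"].split(",")),
                                     query["openid.sig"])
        except (KeyError, TypeError):
            ok = False
        return parse_check_response(f"ns:http://specs.openid.net/auth/2.0\nis_valid:{str(ok).lower()}\n")


def demo():
    """A genuine callback, then the same callback with the SteamID swapped in the URL."""
    steam = FakeSteamProvider(b"constructed-shared-secret")
    return_to = "https://game.example/login/steam/callback"     # constructed
    genuine = steam.issue("76561197960287930", return_to, "2024-01-01T00:00:00Zabc")
    tampered = genuine.replace("76561197960287930", "76561197960287931")
    seen = set()
    return {
        "vulnerable": vulnerable_login(parse_callback(tampered)),
        "hardened_tampered": hardened_login(parse_callback(tampered), return_to,
                                           steam.check_authentication, seen),
        "hardened_genuine": hardened_login(parse_callback(genuine), return_to,
                                           steam.check_authentication, seen),
    }


if __name__ == "__main__":
    print(demo())
```

The trusting handler logs the edited callback in as the substituted account; the verifying handler rejects it because the provider's recomputed MAC no longer matches, while the untouched callback still succeeds. Against real Steam, `check_authentication` would be an HTTPS POST of the same fields to `STEAM_OPENID_URL`, with `parse_check_response` applied to the reply body.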
That left every Escape from Tarkov player whose account was linked to Steam exposed to the attack.