Social Club Account Takeover Via RGL And Steam/Epic Linked Account
Team Summary
Official summary from Rockstar Games
In this report, the researcher discovered and demonstrated a method to hijack access to a Social Club account via a previously-linked Epic Games or Steam account. To perform the attack, the attacker first needed access to a Steam or Epic Games account with entitlement to a game with Social Club connectivity (such as GTAV or RDR2) and that had previously been linked to a Social Club account (i.e. the victim's account). Next, when the attacker would go to launch a R* game, the Launcher would allow the attacker to switch to the victim's Social Club account without prompting for credentials. The Launcher, in this state, assumed that if the current user had access to the linked third-party account (Epic Games or Steam), they must be the authentic user. This assumption gave the attacker access to the victim's entire Social Club account, even if the victim was utilizing multi-factor authentication.
This issue has been addressed. Account switches occurring in contexts like this one will now require the user to re-authenticate by entering their Social Club account credentials if they have not done so recently on the device in question. Our thanks again to the researcher for discovering this issue!
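The trust decision described in the summary, as an added example that is not Rockstar's code or part of their summary: the flawed rule treats possession of the linked platform account as proof of identity, while the hardened rule also requires a recent credential login for that Social Club account on the same device. All names, the data model and the 30-day window are assumptions made for illustration.

```python
# Added illustration; every name and the 30-day window are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

REAUTH_WINDOW = timedelta(days=30)  # assumed; the page gives no figure


@dataclass
class LinkStore:
    # third-party account id (Steam/Epic) -> linked Social Club account id
    links: dict = field(default_factory=dict)
    # (Social Club account id, device id) -> time of last credential login
    last_login: dict = field(default_factory=dict)

    def record_login(self, sc_account, device_id, when):
        """Call only after a full credential (and MFA) check succeeds."""
        self.last_login[(sc_account, device_id)] = when


def switch_before_fix(store, platform_account, target_sc_account):
    """Flawed rule: holding the linked platform account is treated as proof."""
    if store.links.get(platform_account) == target_sc_account:
        return "allow"
    return "deny"


def switch_after_fix(store, platform_account, target_sc_account, device_id, now):
    """Hardened rule: the link only selects the account; identity still needs
    a recent credential login for that account on this device."""
    if store.links.get(platform_account) != target_sc_account:
        return "deny"
    seen = store.last_login.get((target_sc_account, device_id))
    if seen is None or now - seen > REAUTH_WINDOW:
        return "reauthenticate"
    return "allow"


def demo():
    now = datetime(2024, 1, 31, tzinfo=timezone.utc)  # constructed sample data
    store = LinkStore(links={"steam:1001": "sc:alice"})
    store.record_login("sc:alice", "device-home", now - timedelta(days=2))
    return {
        "before_fix_new_device": switch_before_fix(store, "steam:1001", "sc:alice"),
        "after_fix_new_device": switch_after_fix(store, "steam:1001", "sc:alice", "device-other", now),
        "after_fix_known_device": switch_after_fix(store, "steam:1001", "sc:alice", "device-home", now),
        "after_fix_stale_login": switch_after_fix(store, "steam:1001", "sc:alice", "device-home", now + timedelta(days=60)),
        "after_fix_unlinked": switch_after_fix(store, "epic:2002", "sc:alice", "device-home", now),
    }
```

Keying the last-login record on both account and device is what keeps a login on the owner's own machine from satisfying the check on someone else's.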
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Bounty: $1000.00
Submitted
Weakness: Privilege Escalation