
Investigation

Wok edited this page Dec 30, 2021 · 5 revisions

Analysis of the French and Chinese leaks

There have been 2 leaks of the 15DaysofGames on the Epic Games store (EGS):

  1. a French leak by user billbil-kun posted on December 9, 2021 at dealabs,
  2. a Chinese leak by user szl9898 posted on December 25, 2021 at tieba.

Human source

The most probable source of these leaks would be a human source.

For instance, a relative or a friend of the leakers may:

  • either directly work for Epic,
  • or work for a third-party company involved in Epic's business.

Or the leakers might have performed social engineering on customer support at EGS.

API source

Another assumption to be investigated could be a smart usage of the API of EGS. For instance, the API has leaked information about upcoming promotions.

We will investigate the following assumption below through facts and logic:

Is it fathomable that a leaker had access to the API with higher permissions to see the non-public part of the database?

Facts

  1. About the EGS deals

a. Usual schedule

During the year, Epic usually offers at least one free game every week. A long time ago, the frequency of the giveaways was lower with one free game every two weeks.

The next game is announced as soon as a giveaway starts. That piece of information is fully public: no hint is needed.

b. Christmas giveaways

At the end of the year, there is the 15DaysofGames event: a 15-day period with one free game per day.

This is a way to boost visibility for the Christmas sales. This year, the period started on December 16, 2021, simultaneously with the start of the sales, and will end on December 30, while the sales will last until January 6, 2022.

Each giveaway is preceded by a "wrapped" image carrying a hint, which becomes visible at the time of the previous giveaway. For instance, for Tomb Raider to be given away on December 30, the following hint was disclosed on December 29:

Tomb Raider hint

  2. About the EGS database

There is an API to the EGS database, e.g. at https://graphql.epicgames.com/graphql. This is where websites like ScreamDB or Database.EGData.app get their info.

There is also a static backend for free games at https://store-site-backend-static.ak.epicgames.com/freeGamesPromotions. First, this page is not exhaustive: it is only the visible part of the database. Second, entries for free games appear there roughly half an hour before the official giveaway.

Once an entry appears in the public database (with at least an offer ID and an item ID), it can be found on the official EGS store, at EGData (with a delay) and at ScreamDB. Its metadata then becomes visible, notably the creation date of the database entry, which shows that the entry sat in the invisible part of the database for a while, with an automatic set-up to reveal it on the day of the giveaway. For the 15DaysofGames (Dec 16 - Dec 30), this set-up was likely planned on December 7, 2021.

For instance, let us look at "Moving Out", which was given away on December 28.

ScreamDB

---> linked to the item ID: e54d8bf3a451400189159b03231794f7

On Database.EGData.app, one can find 2 entries:


id: "0a8b32256f374cf4998c3ecf44c31db9"
namespace: "f919a1262081444fb28f0fdef68d6b14"
title: "Moving Out" 
productSlug: "moving-out"
urlSlug: "moving-out"
creationDate: "2021-08-10T00:00:34.019Z"
lastModifiedDate: "2021-12-28T14:52:08.774Z"
effectiveDate: "2021-12-28T16:00:00.000Z"
viewableDate: "2021-12-28T16:00:00.000Z" 
---> linked to the item ID: e54d8bf3a451400189159b03231794f7

We can recognize the item ID which is mentioned on ScreamDB: e54d8bf3a451400189159b03231794f7.

We can also see that the entry was:

  • created on August 10, 2021,
  • last modified on December 28, 2021, which is the day of the giveaway,
  • associated with an effective date and a viewable date, set to the exact time (16:00 UTC) at which the giveaway started.

id: "2cbc0241b606499cb4608ef3711a4bb7"
namespace: "d5241c76f178492ea1540fce45616757"
title: "Moving Out" 
productSlug: "moving-out"
urlSlug: "28mysterygame"
creationDate: "2021-12-07T23:37:01.520Z"
lastModifiedDate: "2021-12-28T14:57:42.495Z"
effectiveDate: "2099-01-01T00:00:00.000Z"
viewableDate: "2021-12-27T15:25:02.000Z" 
---> linked to the item ID: 8341d7c7e4534db7848cc428aa4cbe5a

We can see that the entry is some kind of wrapper for the giveaway:

  • the namespace d5241c76f178492ea1540fce45616757 is used for every giveaway at the end of the year,
  • the url slug is 28mysterygame instead of being equal to the product slug moving-out.

We can also see that the entry was:

  • created on December 7, 2021, as every other giveaway for the end of this year,
  • last modified on December 28, 2021, which is the day of the giveaway, as for the other offer,
  • associated with a dummy effective date: January 1, 2099,
  • associated with a viewable date set to the time at which the hint became publicly available through the freeGamesPromotions endpoint, i.e. roughly half an hour before the hint went officially live on the store, on the day before the giveaway.

These entries were not created on the day of the giveaway. They must have been in a private part of a database.

Another example is today's giveaway, whose id has been known since yesterday:

https://graphql.epicgames.com/graphql?query={%20Catalog%20{%20searchStore(namespace:%20%22d5241c76f178492ea1540fce45616757%22,%20start:0,%20count:100)%20{%20paging%20{total}%20elements%20{title%20id}%20}%20}%20}

Tomb Raider

So the ID is ce021049651345c9b0e2aa1f295f437f, and there is more info at Database.EGData.app:

id: "ce021049651345c9b0e2aa1f295f437f"
namespace: "d5241c76f178492ea1540fce45616757"
title: "Mystery Game"
productSlug: "[]"
urlSlug: "30mysterygame"
creationDate: "2021-12-07T23:39:09.677Z"
lastModifiedDate: "2021-12-19T16:23:56.660Z"
effectiveDate: "2099-01-01T00:00:00.000Z"
viewableDate: "2021-12-29T15:25:00.000Z" 
---> linked to the item ID: 8341d7c7e4534db7848cc428aa4cbe5a

Therefore, even if we could have accessed this entry before it appeared publicly earlier today (which we could not), the fields of interest (title, productSlug) would have been obfuscated.

This would explain the lastModifiedDate, which was set to December 28 for the game given away on December 28. In contrast, the lastModifiedDate is currently set to December 19 for the game to be given away tomorrow (on December 30). I would expect the entry to be modified on the day of the giveaway to de-obfuscate the title and productSlug.

In summary, there are two issues with leaking the database via the API:

  • having access to hidden entries, i.e. the ones with viewableDate set in the future,
  • de-obfuscating title or productSlug, which is impossible if the info is actually absent.
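To make these two issues concrete, here is an added example (not code from this wiki) that classifies the three offer entries quoted above the way the analysis does: whether the entry is still hidden at a given time (viewableDate in the future), whether it is a wrapper in the giveaway namespace, which day its urlSlug encodes, and whether its title/productSlug are placeholders. The "now" timestamp and the placeholder sets are assumptions chosen for the demonstration.

```python
from datetime import datetime

# Namespace used for every end-of-year giveaway wrapper (quoted on the page).
WRAPPER_NAMESPACE = "d5241c76f178492ea1540fce45616757"
# Placeholder values observed on the page; treating them as "obfuscated" is an assumption.
OBFUSCATED_TITLES = {"Mystery Game"}
OBFUSCATED_SLUGS = {"[]", ""}

# Offer entries copied from the Database.EGData.app records quoted above.
ENTRIES = [
    {"id": "0a8b32256f374cf4998c3ecf44c31db9", "namespace": "f919a1262081444fb28f0fdef68d6b14",
     "title": "Moving Out", "productSlug": "moving-out", "urlSlug": "moving-out",
     "creationDate": "2021-08-10T00:00:34.019Z", "viewableDate": "2021-12-28T16:00:00.000Z"},
    {"id": "2cbc0241b606499cb4608ef3711a4bb7", "namespace": WRAPPER_NAMESPACE,
     "title": "Moving Out", "productSlug": "moving-out", "urlSlug": "28mysterygame",
     "creationDate": "2021-12-07T23:37:01.520Z", "viewableDate": "2021-12-27T15:25:02.000Z"},
    {"id": "ce021049651345c9b0e2aa1f295f437f", "namespace": WRAPPER_NAMESPACE,
     "title": "Mystery Game", "productSlug": "[]", "urlSlug": "30mysterygame",
     "creationDate": "2021-12-07T23:39:09.677Z", "viewableDate": "2021-12-29T15:25:00.000Z"},
]

def parse_ts(s):
    # Epic timestamps end in "Z"; fromisoformat() before Python 3.11 wants an explicit offset.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def giveaway_day(url_slug):
    """'28mysterygame' -> 28; None for ordinary slugs such as 'moving-out'."""
    digits = url_slug[:-len("mysterygame")] if url_slug.endswith("mysterygame") else ""
    return int(digits) if digits.isdigit() else None

def classify(entry, now):
    """What a reader of the public API could learn from this entry at time `now`."""
    created, viewable = parse_ts(entry["creationDate"]), parse_ts(entry["viewableDate"])
    is_wrapper = entry["namespace"] == WRAPPER_NAMESPACE
    obfuscated = entry["title"] in OBFUSCATED_TITLES or entry["productSlug"] in OBFUSCATED_SLUGS
    return {
        "hidden": viewable > now,            # issue 1: still in the non-public part
        "wrapper": is_wrapper,
        "day": giveaway_day(entry["urlSlug"]) if is_wrapper else None,
        "title_known": not obfuscated,       # issue 2: nothing to read if the field is a placeholder
        "days_private": (viewable - created).days,
    }

def report(entries, now):
    return {e["id"]: classify(e, now) for e in entries}

if __name__ == "__main__":
    for offer_id, info in report(ENTRIES, parse_ts("2021-12-29T12:00:00.000Z")).items():
        print(offer_id, info)
```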

  3. Authorization

The EGS database has different levels of authorization (Auth) access. Usually, one has to follow a protocol to get an OAuth Access Token. However, in the case of the database:

  • there is a publicly visible part, accessible to everyone,
  • there is a hidden part, which requires higher permissions.

For OAuth, one can:

  • find a client ID in this GitHub repository, e.g. the ID associated with the client name graphqlWebsite,
  • request an Authorization Code at this URL (also quoted below), e.g. with the ID of graphqlWebsite:
    https://www.epicgames.com/id/api/redirect?clientId=319e1527d0be4457a1067829fc0ad86e&responseType=code

Then we are stuck, as we don't know the client SECRET of graphqlWebsite, which is required to request the access token both with the authorization code grant and with the client credentials grant.

Finally, we can try clients other than graphqlWebsite, albeit without any guarantee that they have higher permissions. After some experiments, it seems that none of these clients have higher permissions. Worse, the clients with a known SECRET seem to have ZERO permission to access even the publicly visible part of the database.

Tokens have to be of type eg1, which seems to be a string of about 1075 base64 characters encoding several security fields (PS256 signing algorithm, JTI, etc.).

  4. About the Korean Game Rating Board (GRAC)

Some games can be known in advance, without the matching date, when they are approved by the Korean Game Rating Board.

  5. About the French (FR) leak

The FR leak was disclosed on December 9. The leaker has been known for leaking EGS deals.

During the year, he does not leak deals more than a week in advance, so he relies on information which is displayed on the official website and known to everybody.

However, at the end of recent years, he has been able to know the giveaways early.

In June 2020, he wrongly leaked the giveaway of ARK. The game was in the end given away at a later date, apparently a week later. Some proof was shown, and included advertisement videos and images.

ARK Proof

In December 2020, he seemed to be able to leak 3 games, and then 5 games, with proof coming from EGS servers which was shown to the administrator of dealabs.com, yet not publicly disclosed. Therefore this leak could come from upcoming promotions. Leaked games could have been: Alien Isolation, Metro 2033 Redux, INSIDE, Darkest Dungeon, My Time at Portia, and possibly a few others. It is hard to tell without seeing what was leaked, which games were "new to the EGS store", and which games were already sold there (in which case the game is usually not discounted before the giveaway, and then discounted on the day after the giveaway).

In December 2021, he did not disclose the whole list in advance. However, he marked in bold the dates of the games which have positive reviews on Steam and which were never given away before. Some dates were moved around, becoming bold or losing their bold status. The games given away on December 22 and 29 were supposedly swapped, even though this happened before they were publicly disclosed by the leaker, so it is hard to judge the basis of these allegations. He was also able to consistently leak some of the games, sometimes earlier than the hint, sometimes earlier than the reveal even though the hint was not obvious.

If we trust billbil-kun, he admits that he did not know which game would be given away on the last day. Therefore this could, a priori, hint at a leak through upcoming promotions.

  6. About the Chinese (CN) leak

The CN leak consists of a screenshot of a list of games, written in English and Chinese. The leak is visible in a forum post on Tieba, and later in a video on Bilibili. The original leak reportedly happened in instant-messaging chat groups on Tencent-owned QQ.

Rumors mention that:

It looks like someone asked the customer service of Epic, and was told the biggest one will come out on the 31st Dec, which will be Tomb Raider Trilogy.

and:

it's likely someone who has connections with Epic workers leaked it while chatting with friends

Logic

  1. Guessing the URL of the hint

It is not possible to guess the image URL of the hint, because it includes the MD5 of the image file.

For instance:

https://cdn1.epicgames.com/offer/d5241c76f178492ea1540fce45616757/EGS_15DaysofGames_wrapped_1920x1080_day15_1920x1080-46b1e1548ae6d2638f113802676b75ba

This URL consists of:

  • the base URL of the CDN: https://cdn1.epicgames.com/offer
  • the namespace for the Christmas giveaways /d5241c76f178492ea1540fce45616757/
  • an image filename in two parts:
    • info (event name, resolution, day index): EGS_15DaysofGames_wrapped_1920x1080_day15_1920x1080
    • a separator -
    • the MD5 of the image file: 46b1e1548ae6d2638f113802676b75ba

NB: it used to be possible to find the game title in the metadata of the image file. This was patched.
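As an added illustration (not the wiki's own code), the following parses a hint URL into the components listed above and checks the hash suffix against the bytes of a file, confirming that the last component is content-derived. The sample image bytes are constructed for the demonstration, not the real hint image.

```python
import hashlib
import re

# The day-15 hint URL quoted on the page.
HINT_URL = ("https://cdn1.epicgames.com/offer/d5241c76f178492ea1540fce45616757/"
            "EGS_15DaysofGames_wrapped_1920x1080_day15_1920x1080-46b1e1548ae6d2638f113802676b75ba")

# base URL / namespace / info (event, resolution, day index) / separator / MD5 of the file
HINT_RE = re.compile(
    r"^(?P<base>https://cdn1\.epicgames\.com/offer)"
    r"/(?P<namespace>[0-9a-f]{32})"
    r"/(?P<info>EGS_(?P<event>[A-Za-z0-9]+)_wrapped_(?P<res>\d+x\d+)_day(?P<day>\d+)_\d+x\d+)"
    r"-(?P<md5>[0-9a-f]{32})$"
)

def parse_hint_url(url):
    """Split a hint URL into the parts listed above; None if it does not fit the pattern."""
    m = HINT_RE.match(url)
    if not m:
        return None
    parts = m.groupdict()
    parts["day"] = int(parts["day"])
    return parts

def build_hint_url(namespace, event, res, day, md5_hex):
    """Reassemble a URL from its parts (inverse of parse_hint_url)."""
    return f"https://cdn1.epicgames.com/offer/{namespace}/EGS_{event}_wrapped_{res}_day{day}_{res}-{md5_hex}"

def matches_file(url, image_bytes):
    """True if the URL's hash suffix is the MD5 of image_bytes, as the page states it should be."""
    parts = parse_hint_url(url)
    return parts is not None and hashlib.md5(image_bytes).hexdigest() == parts["md5"]

# Constructed stand-in for an image file (not the real hint image).
SAMPLE_IMAGE = b"\x89PNG\r\n\x1a\n" + b"constructed sample image bytes"
SAMPLE_URL = build_hint_url("d5241c76f178492ea1540fce45616757", "15DaysofGames", "1920x1080", 15,
                            hashlib.md5(SAMPLE_IMAGE).hexdigest())

if __name__ == "__main__":
    print(parse_hint_url(HINT_URL))
    print(matches_file(SAMPLE_URL, SAMPLE_IMAGE), matches_file(SAMPLE_URL, SAMPLE_IMAGE + b"x"))
```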

  2. Figuring out the upcoming promos

An upcoming promo during a sales event is a hint that the game should be given away on the previous day. Except for "Loop Hero", which was discounted at the start of the sales and then got a larger discount after the giveaway, the free games were not discounted before the giveaway (to avoid having to deal with too many refunds, I guess). Additionally, the upcoming promotions are hints, but slightly unreliable:

  • DLC for "Remnant from the Ashes" were discounted on the day of the giveaway,
  • DLC for "Control" were discounted at the start of the sales, i.e. 10 days before the giveaway,
  • DLC for "Pathfinder Kingmaker" were discounted the day after the giveaway.

However:

  • some promos start late because they are scheduled to start simultaneously with the Steam Winter sales on December 22,
  • a few games are not discounted after the giveaway (Control Standard Edition), though this is rare,
  • games absent from EGS would not appear in the public database, and their promos would be unknown, so we could guess that a new game would be given away, but not which game that would be,
  • the last game of the giveaway is not discounted after the giveaway, because the giveaway lasts for a week and ends simultaneously with the Christmas sales.

Therefore, a leaker who would rely on upcoming promos would:

  • risk guessing wrong, e.g. Humankind was not given away in the end,
  • risk missing the giveaway of Control Standard Edition,
  • risk missing games new to EGS,
  • not be able to guess the last giveaway.

Out of these bullet points:

  • the FR leaker only ticks the last one, so it is still possible that the FR leaker could access upcoming promos with higher permissions than the rest of the public.
  • the CN leaker does not tick any, so this rules out the upcoming promos for the CN leak.

That being said:

  • the FR leak was not posted right away with the complete list, which minimizes the risk of being wrong,
  • only "The Vanishing of Ethan Carter" was a game new to EGS and guessed by the FR leaker (only a few hours before the giveaway, when the "lantern" hint was known, but it was not an obvious hint),
  • the CN leak was only discovered on December 25, when 9 games out of 15 had already been given away, and the 10th game was known thanks to an image hint and educated guesses based on upcoming promos.

  3. Accessing the private part of the database

As mentioned in the facts about ID ce021049651345c9b0e2aa1f295f437f, there is a private database, with a namespace dedicated to the giveaway event.

If a leaker could access this database, he could read:

  • the name of the free games,
  • the corresponding days of the giveaways in the urlSlug.

Indeed, the FR leaker posted his leak on December 9, roughly 2 days after most entries for giveaways were created. One explanation would be that he had access to the entries created on December 7, whose urlSlug was set to 28mysterygame, etc. This way, he would know that the game given away on December 28 would be "Moving Out".

There are 2 issues with this assumption.

First, even if a leaker had access to this private database, he would have to be able to de-obfuscate the title and the productSlug. Both of these fields seem to be filled at the last moment, on the day of the giveaway.

Second, the game given away on the last day was unknown to the French leaker. Interestingly, the game is not special when it comes to the database:

  • the creation date is December 7, as for the other entries for the 15 days of free games,
  • the urlSlug is clearly indicated as 30mysterygame.

Therefore, if the French leaker could have accessed the database to read the entries for previous giveaways, then he should have been able to read this last entry as well. However, he claimed that he could not. This points towards another means of obtaining his information, most likely a human being.

Regarding the CN leak, it was obtained on December 25 or earlier, a bit before the giveaway of "Prey". The info was potentially obtained much later than for the FR leak (December 9). However, the CN leak is more complete, as it includes the last game given away.

This hints that both leakers might have obtained their info through different means.

Conclusion

  1. Image hints

For the general public, it is impossible to access the image hints before the dates of the public reveal of the hints.

If one of the leaks comes from an image hint, then it has to be through one of the artists, advertising agencies, contractors, etc. involved in the process. This would be a human factor.

  2. Upcoming promos

The FR leak is compatible with a leak of the upcoming promos (no guess for the last giveaway), but it is not likely: there are late predictions for games absent from the store, there is a correct prediction for Control Standard Edition, etc.

The CN leak cannot come from the upcoming promos. It is impossible as the last giveaway was correctly predicted.

  3. Private database

Assuming the FR leaker tells the truth, the FR leak cannot come from access to the private database. Otherwise, the last giveaway would have been known from the title and productSlug, as for the rest of the free games.

The CN leak is compatible with a leak of the private database. However, this event is unlikely, because of the obfuscation of the title and productSlug fields until the last moment.

  4. Human factor

Both leaks likely come from a human being.
