By the end of March, things were looking good for the group video chat app Houseparty as quarantined young people, perhaps put off by Zoom’s relentless security failures, were looking for a less corporate-seeming platform to keep in touch with friends and family. Vogue gushed that it was “the quarantine app you need to download immediately,” as daily downloads for the Epic Games-owned app approached 150,000 on Apple’s App Store.
But very quickly, things got weird. One by one, users started claiming on social media that after downloading the popular app, they had found bizarre purchases on their bank statements, or that their email had been hacked. “Everyone delete the houseparty app now,” one tweet reads, “hacked into my account and spent money on Bet365, Dominos and Porn Hub Premium, absolutely devastated.”
Epic Games responded forcefully and unusually, alleging that these rumors amounted to a paid commercial smear to harm Houseparty, announcing on their Twitter account, that a million-dollar bounty was being offered to “the first individual to provide proof of such a campaign.”
With no hard evidence to corroborate the hacking rumors, the media largely forgot about this bizarre episode. However, a new report by Zach Edwards, the founder of the analytics firm Victory Medium, may shed some light on what actually occurred. The report alleges that rather than corporate sabotage, the hacks were of Houseparty’s own making—negligence that resulted in a vulnerability that left hundreds of thousands of people exposed to scammers trying to harvest credentials and credit card information.
In a detailed post on Medium, Edwards tells the story of a global hacking group that allegedly commandeered dozens of domain names belonging to Houseparty, using them to host dozens of malicious PDF files, that, if visited, would redirect unsuspecting Houseparty users to fake services that attempted to extract their credit card information and credentials.
According to Edwards, Epic Games played down the presence of the malicious PDFs found behind their subdomains, claiming that Edwards’s concerns were purely “theoretical.” Yet, there is no question that these dozens of malicious PDFs existed, still appearing in cached Google Search results for anyone with an internet connection to find.
Edwards submitted his findings through Epic Games’ HackerOne bug bounty program. In response, Edwards said, the company denied that “our environment was compromised.” Instead, the company said, according to Edwards, that “that the subdomains in question were pointing to abandoned DNS records, which in turn were automatically inherited by a third-party which was hosting eBooks.” In other words, because the company was no longer using the IP addresses the scammers hijacked, it wasn’t really Houseparty’s problem—and not a “targeted compromise,” as the company reportedly put it.
Gizmodo reached out to Houseparty and did not receive a comment before publication. However, a spokesperson told the Register, “The world trusts Houseparty to connect them when they need it most and we won’t let them down. We received the individual’s correspondence attempting to claim the bounty and thoroughly reviewed it to confirm that it was not founded. The individual has not provided a proof of concept for his theoretical bug, which is required by all bug bounty programs. The Houseparty app is safe for use on any mobile device and is protected by industry trusted encryption, so your data and your experience are protected.”
The scheme employed by the hackers is known as subdomain hijacking—and in theory, it worked like this: At some point, Houseparty registered dozens of subdomains ( eg; subdomain.thehousepartyapp.com ), likely for internal use, to host some kind of mundane web-based services. While the services were in operation, the subdomains were registered to the IP addresses of virtual servers that Epic Games leased from a hosting provider. Once Houseparty no longer needed these services, they stopped leasing space on this virtual server. However, because their subdomain continued to be tied to this now-liberated IP address, hackers were able to opportunistically seize it for their own purposes, in this case hosting malicious PDFs meant to entice users to sign up for fake services with their credit cards, according to Edwards.
The network of sites that Houseparty users could have been redirected to were largely websites promising “Free Media / Downloads / Books / Movies etc,” according to Edwards. Their design and copy, though quite basic, could easily have fooled less technologically savvy Houseparty users, who perhaps while looking for an e-book, stumbled upon these seemingly Houseparty-affiliated sites.
Edwards refers to the group responsible for the hack as the “Pickaflick.com Crew,” prolific credit card scammers associated with more than 8,400 sabotaged PDFs across the internet.
Edwards claims that once he notified Epic Games of the vulnerability, they promptly deprovisioned the hijacked subdomains, telling him that they were “implementing further tooling to address retired subdomains,” stressing, again, that the subdomains in question were not hosting Epic Game’s content. Even still, it appears that as these hacking allegations were circulating, dozens of Houseparty’s subdomains were linked to servers that the company didn’t control, leaving unsuspecting users vulnerable to credit card theft.
In response to this story a spokesperson from Houseparty sent Gizmodo this statement: “We recently received a correspondence attempting to claim a bounty on an alleged exploitation of a website associated with Houseparty. The report was not made in accordance with responsible disclosure rules as defined on HackerOne here, so the originator was ineligible for a bounty. We immediately investigated the claim and determined there was no evidence users had been harmed. At the time, we were already engaged in an independent security review with the cyber security experts at FTI Consulting and Yonder. To date, none of the internal or independent investigative work has uncovered evidence of exploitation of our network or platforms. Houseparty is guarded by industry trusted encryption, so your data and your experience are protected.”
Updated at 4:45 to include a statement from Houseparty.