
company of the week: epic games

Epic Games is Fortnite and Unreal Engine. Its bug bounty scope is neither — it's a museum of nearly everything Epic ever bought, with each acquisition still flying its own root domain. Epic runs a public bounty on HackerOne, which puts that whole estate in scope for outside research.

neobotnet was pointed at it. What follows isn't an exploit — it's the shortlist a researcher would build before trying one. The full index is in /urls. Three things stand out: the login flow Epic publishes in full, the tokens that ride in it, and a handful of emails sitting in plain URLs.

34        in-scope roots
3,307     dns resolved
423       live web servers
116       technologies
133,376   urls indexed

read from dns: a museum of acquisitions

Thirty-four root domains, and you can read Epic's acquisition history straight off them. They aren't one company's domains — they're roughly fifteen companies Epic bought, each keeping its own name and its own root:

acquisition        root domain          what epic got                   year
Easy Anti-Cheat    easy.ac              kernel-level anti-cheat         2018
3Lateral           3lateral.com         digital humans → MetaHuman      2019
Psyonix            rocketleague.com     Rocket League                   2019
Quixel             quixel.com           Megascans asset library         2019
Cubic Motion       cubicmotion.com      facial animation → MetaHuman    2020
ArtStation         artstation.com       artist portfolio network        2021
Sketchfab          sketchfab.com        3D-model marketplace            2021
Harmonix           harmonixmusic.com    music / Fortnite Festival       2021
Mediatonic         fallguys.com         Fall Guys                       2021

Two more roots tell the opposite story. Bandcamp (sold to Songtradr in 2023) and SuperAwesome (a management buyout completed in early 2024) are companies Epic has already divested — yet they still resolve, still carry Epic-era links, and still sit in the scope list. The estate you inherit isn't always the estate you own. The interesting surface, though, is the part Epic still runs — and it sorts into three exposures.

read from http: how epic answers the door

Of 423 live web servers, the single most common thing they serve is a login. Most of the estate sits behind a sign-in page of one kind or another. Here's the identity surface as a tree — who gates what:

epicgames public web  ·  423 live hosts  ·  what answers the door
│
├─ login wall  (most of the estate)
│  ├─ Cloudflare Access — zero-trust gate ......... 27 hosts
│  ├─ Epic Games SSO   (accounts.epicgames.com) ... 19 hosts
│  ├─ Google Workspace (corp sign-in) ............. 17 hosts
│  └─ Atlassian        (jira / confluence) ......... 7 hosts
│
└─ acquired logins  (separate identity stacks)
   ├─ Unreal Academy   — Totara LMS  (unrealengine.com)
   ├─ Harmonix ↔ Epic  — account linking
   └─ Easy Anti-Cheat  — ban-lookup api

The login wall is the good news: Cloudflare Access, Epic's own SSO, and Google Workspace front the bulk of the estate, and most internal tools sit behind one of them. What's left of interest is the bottom branch — each acquired company kept its own login. unrealengine.com runs an Unreal Academy learning site on Totara (a Moodle-family LMS), there's a Harmonix-to-Epic account-linking service, and Easy Anti-Cheat exposes a ban-lookup API. Each is a separate identity stack on older software with its own patch cadence — and the further a login sits from Epic's own SSO, the older the code behind it tends to be.

read from the urls: epic's whole login, in the open

The URL corpus is where the login wall stops being a wall. Every parameter is classified against a signal taxonomy, and on Epic the standout isn't a leaked secret — it's that Epic's entire OAuth2 / OIDC login flow is legible in the index, one captured parameter at a time:

  • /id/authorize?client_id=…&redirect_uri=…&response_type=…&scope=…&state=… — the standard handshake, on epicgames.com, unrealengine.com, and fortnite.com alike (one identity service, id.epicgames.com, behind all three).
  • /exchange?exchangeCode=… — the code-for-token exchange step.
  • /id/api/sso?sid=… and /id/api/set-sid — the session propagated cross-domain onto fortnite.com and twinmotion.com.
  • /id/link/google/new, /id/link/facebook/new, rocketleague.com/signin-steam — external identity-provider linking, and unrealengine.com/id/login/mfa for the second factor.

You can map how Epic authenticates without sending it a single request — which is exactly the point. neobotnet hands a researcher the auth surface pre-drawn, and the flow names its own test targets: the redirect_uri and redirectUrl validation across every entry point (336 redirectUrl occurrences on epicgames.com alone), the exchangeCode handling, and the cross-domain set-sid that writes a session onto a sibling brand.
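What the other side of that redirect_uri check should look like, as an added example (not neobotnet's code and not Epic's implementation): an authorization server comparing the submitted redirect_uri against the client's registered set by exact string match, with the RFC 8252 loopback-port exception for native apps, shown next to the prefix check it replaces. The client registry, hostnames and URIs are constructed placeholders.

```python
"""Exact-match redirect_uri validation at an OAuth2 / OIDC authorize endpoint.

Added example, not neobotnet's code and not Epic's implementation: the client
registry, hostnames and redirect URIs are constructed placeholders.
"""
from urllib.parse import urlsplit

# Constructed registry: each client_id maps to the exact redirect URIs it
# registered at onboarding. Exact string comparison is what RFC 6749 §3.1.2.3
# and the OAuth 2.0 Security BCP call for; the loopback exception for native
# apps comes from RFC 8252 §7.3.
CLIENT_REGISTRY = {
    "web-client-1": {
        "https://app.example.com/callback",
        "https://app.example.com/oauth/return",
    },
    "native-client-1": {
        "http://127.0.0.1/cb",
    },
}

LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def prefix_match_allows(client_id, redirect_uri):
    """The lenient check: any registered URI used as a prefix is accepted,
    so query strings and path suffixes ride through. Kept only as the
    contrast case; not something to deploy."""
    return any(redirect_uri.startswith(r) for r in CLIENT_REGISTRY.get(client_id, ()))


def redirect_uri_allowed(client_id, redirect_uri):
    """Strict check: exact match, with the single RFC 8252 loopback exception
    (any port is accepted; scheme, host, path must still match exactly and
    no query or fragment is allowed)."""
    registered = CLIENT_REGISTRY.get(client_id)
    if not registered:
        return False
    if redirect_uri in registered:
        return True
    req = urlsplit(redirect_uri)
    if (req.scheme == "http" and req.hostname in LOOPBACK_HOSTS
            and not req.query and not req.fragment):
        for candidate in registered:
            reg = urlsplit(candidate)
            if reg.scheme == "http" and reg.hostname == req.hostname and reg.path == req.path:
                return True
    return False


def authorize(client_id, redirect_uri, state):
    """Authorize-endpoint decision. On a rejected redirect_uri the server
    renders an error page and does NOT redirect (RFC 6749 §4.1.2.1), so the
    failure path cannot itself become a redirect. Requiring state is this
    example's own policy."""
    if not redirect_uri_allowed(client_id, redirect_uri):
        return {"action": "render_error", "error": "invalid_request"}
    if not state:
        return {"action": "render_error", "error": "invalid_request"}
    return {"action": "redirect", "to": redirect_uri, "issue_code": True}


if __name__ == "__main__":
    for uri in ("https://app.example.com/callback",
                "https://app.example.com/callback?next=https://other.example",
                "https://app.example.com/callback/../admin"):
        print(uri, "prefix:", prefix_match_allows("web-client-1", uri),
              "exact:", redirect_uri_allowed("web-client-1", uri))
```

The operational detail is in authorize: when the redirect_uri fails the check the server renders an error rather than redirecting to the submitted value, otherwise the error path itself becomes the redirect.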

One thing you'll see opening any of these: almost every row answers 403. That's Epic's Cloudflare bot-management turning away anything that looks like a crawler — a good defense, working as intended. It blocks the request without un-logging the URL, so what follows are captured request shapes, not live responses.

figure: epic's oauth / sso login parameters captured in /urls

The tokens that ride along. Eight account-verification links carry a JSON Web Token in a token= parameter, on epicgames.com/help/*/account-verification. A JWT's payload is signed, not encrypted, so neobotnet decodes it: HS256, carrying a deviceId and a Zendesk ticketNumber — Epic's "confirm it's you" support flow, with the support-ticket id riding in the URL. No name or email in the payload, and all eight return 403 today. The lesson isn't these dead tokens; it's that a token tied to a support ticket travels in a URL, where it lands in CDN logs, browser history, and the Referer header.

figure: account-verification jwts in token= parameters on epicgames.com, in /urls

The emails in plain sight. A small set of URLs carry an email address outright: epicgames.com/verifyAccount?data=… embeds one in the account-verification link, and two marketing pages (/page/confirm?email=… and a Division 2 free-title thank-you page) carry an email= parameter. Five URLs, all gated now — but an email in a query string is PII in every log the request touches.

figure: email addresses sitting in url parameters on epicgames.com verification and marketing pages, in /urls
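Both of the last two findings, the JWT in token= and the email in email=, are the same defensive problem: a value that must not land in access logs is travelling in a query string. Here is an added example (not neobotnet's code) of the log-side check: it decodes a JWT's header and payload without verification, to show what any log holder can read, then scans access-log lines for JWT-shaped and email-shaped query values and rewrites the line with those values redacted. The log lines, the token and the HMAC key are constructed; only the request-path shapes follow the ones the post lists.

```python
"""Detect and redact JWTs and email addresses carried in URL query strings.

Added example, not neobotnet's code: the access-log lines, the JWT and the
HMAC key below are constructed for this example; only the request-path
shapes follow the ones the post lists.
"""
import base64
import hashlib
import hmac
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims, key):
    """Mint a constructed HS256 token so the example runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def peek_jwt(token):
    """Decode header and payload WITHOUT verifying the signature: this is what
    anyone holding the URL (CDN logs, browser history, a Referer header) can
    read. The signature protects integrity, not confidentiality."""
    header, payload, _signature = token.split(".")
    return {"header": json.loads(b64url_decode(header)),
            "payload": json.loads(b64url_decode(payload))}


# Three base64url segments; a JSON header always encodes to a prefix of "eyJ".
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
EMAIL_RE = re.compile(r"^[^@\s/?]+@[^@\s/?]+\.[A-Za-z]{2,}$")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def classify_query(url):
    """Return [(param, kind), ...] for query parameters carrying a JWT or an email."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if JWT_RE.match(value):
            findings.append((name, "jwt"))
        elif EMAIL_RE.match(value):
            findings.append((name, "email"))
    return findings


def redact_url(url):
    """Rewrite the query string with sensitive values replaced, so the URL can
    be stored without carrying the token or the address."""
    parts = urlsplit(url)
    kinds = dict(classify_query(url))
    cleaned = [(name, "[redacted-%s]" % kinds[name] if name in kinds else value)
               for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]")))


def scan_log(lines):
    """Run the detector over access-log lines; one report entry per hit."""
    report = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = match.group(1)
        findings = classify_query(url)
        if findings:
            report.append({
                "path": urlsplit(url).path,
                "findings": findings,
                "redacted_line": line.replace(url, redact_url(url)),
            })
    return report


# Constructed sample data. The key is a demo value; a real signing key never
# belongs in source.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
DEMO_TOKEN = make_hs256_jwt({"deviceId": "dev-0001", "ticketNumber": 424242}, DEMO_KEY)
LOG_LINES = [
    '203.0.113.5 - - [10/Jan/2024:10:00:00 +0000] "GET /help/en/account-verification?token=%s HTTP/1.1" 403 0' % DEMO_TOKEN,
    '203.0.113.6 - - [10/Jan/2024:10:00:01 +0000] "GET /page/confirm?email=someone@example.net HTTP/1.1" 200 128',
    '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    print(json.dumps(peek_jwt(DEMO_TOKEN), indent=2))
    for hit in scan_log(LOG_LINES):
        print(hit["path"], hit["findings"])
        print("  ", hit["redacted_line"])
```

The redaction belongs at the edge (CDN or reverse-proxy log format) rather than after the fact; once a line with the raw value has been written it has already been copied wherever logs are shipped.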

One signal walked back: the 706 "open-redirect candidates" are all first-party (sketchfab to sketchfab, fortnite to Epic's own CDN). Worth testing the redirect params for the one validation gap, but on this data it's a shape, not a finding.

what it adds up to

Epic's core is well-built: a Cloudflare zero-trust front, a bot-management layer that 403s most of the crawl, and a URL corpus with no cloud keys and effectively no secrets. What's exposed is narrow and specific, and ranks like this for anyone working the program:

  1. the centralized SSO surface — every flow (authorize, exchange, cross-domain set-sid, social linking) is legible, so redirect_uri validation and the code-exchange step are the first things to test.
  2. the acquired logins on older stacks — the Totara LMS and the Easy Anti-Cheat ban API are separate identity systems on separate code, the kind of inherited software where a known issue outlives the acquisition.
  3. tokens and emails in verification URLs — dead today, but the pattern outlives the tokens and addresses that prove it.

Two things stated plainly, the way this series always closes. Every item above is a signal, not a confirmed vulnerability — neobotnet surfaces the shape; confirming exploitability is the researcher's job. And the right destination for anything live is Epic's HackerOne program, not a blog post.

next week

neobotnet runs the same pass on a different in-scope program every week. Subscribe via RSS or browse the company of the week archive.