Israeli Researchers Discover Fortnite Flaw That Lets Hackers Take Over Accounts
Israeli researchers at Check Point Software Technologies Ltd., a leading cybersecurity provider, uncovered a number of vulnerabilities in the hugely popular online game Fortnite, by video game developer Epic Games, that would have potentially allowed hackers to access gaming accounts, data, and in-game currency, and even listen in on conversations.
The vulnerabilities have since been fixed, Epic Games indicated.
More than 80 million people worldwide play the immensely popular survival game, available on many gaming platforms (Android, iOS, PC via Microsoft Windows and consoles such as Xbox One and PlayStation 4), according to Business Insider.
In a detailed post published this week, the Israeli researchers said the security flaws “could have allowed a threat actor to take over the account of any game player, view their personal account information, purchase V-bucks, Fortnite’s virtual in-game currency, and eavesdrop on and record players’ in-game chatter and background home conversations.”
The researchers detailed previous efforts by hackers to trick players into revealing their information by “logging into fake websites that promised to generate Fortnite’s ‘V-Buck’ in-game currency, a commodity that can usually only be acquired through the official Fortnite store or by earning them in the game itself.”
But the newly uncovered flaws could have been exploited without the players handing over any login details or personal information like names, addresses, and credit card details.
Instead, the attacker could gain access to a user’s account through vulnerabilities in Fortnite’s user login process itself, the researchers said, uncovering flaws in the game’s web infrastructure.
“[The] researchers were able to demonstrate the token-based authentication process used in conjunction with Single Sign-On (SSO) systems such as Facebook, Google, and Xbox to steal the user’s access credentials and take over their account,” Check Point said in a statement.
“To fall victim to this attack, a player needs only to click on a crafted phishing link coming from an Epic Games domain…[after which] the user’s Fortnite authentication token could be captured by the attacker without the user entering any login credentials.”
According to Check Point’s researchers, the potential vulnerability originated from flaws found in two of Epic Games’ sub-domains that were susceptible to a malicious redirect, allowing users’ legitimate authentication tokens to be intercepted by a hacker from the compromised sub-domain, Check Point said.
“Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy,” said Oded Vanunu, head of products vulnerability research for Check Point. “Together with the vulnerabilities we recently found in the platforms used by drone manufacturer DJI, show how susceptible cloud applications are to attacks and breaches. These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability.”