Well, it looks like the email leaks don't end there: new reports show that a major security flaw in Fortnite left more than 200 million players vulnerable by exposing their accounts.
To fall victim to this attack, a player needed only to click on a crafted phishing link - one typically created to look like it was coming from an Epic Games domain. Once the user authenticates into Fortnite, the login page redirects to the attacker's page, which asks the SSO provider for the access token.
Although there was no word from Epic Games as to how many players could have been affected, tens of millions of people play the game monthly. Once the player clicks on a phishing link from an Epic Games domain, his/her Fortnite authentication token could be collected by the attackers without the user's login credentials.
The vulnerability was actually a combination of several bugs in different parts of the Epic Games infrastructure, some of them not even Fortnite-related.
Fortnite has also accrued a massive fanbase around the world thanks to its availability, with the game expanding to new platforms throughout 2018 like the Nintendo Switch and Android mobile devices.
According to Check Point's researchers, the potential vulnerability originated from flaws found in two of Epic Games' sub-domains that were susceptible to a malicious redirect, allowing users' legitimate authentication tokens to be intercepted by a hacker from the compromised sub-domain.
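The redirect weakness described above comes down to which post-login destinations a login service is willing to trust. The following is an added example, not code from Epic Games or Check Point: it contrasts a wildcard sub-domain check with an exact-match allow-list. The domain `example.com`, the function names and the sample URLs are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: example.com stands in for the identity provider's parent domain.
PARENT_DOMAIN = "example.com"

# Exact post-login destinations registered with the login service (constructed).
ALLOWED_REDIRECTS = {
    ("https", "accounts.example.com", "/login/complete"),
    ("https", "store.example.com", "/sso/callback"),
}


def weak_redirect_ok(url: str) -> bool:
    """Wildcard policy: any host under the parent domain is trusted.

    One forgotten or vulnerable sub-domain is then enough to receive the token.
    """
    host = urlsplit(url).hostname or ""
    return host == PARENT_DOMAIN or host.endswith("." + PARENT_DOMAIN)


def strict_redirect_ok(url: str) -> bool:
    """Exact-match policy: scheme, host and path must all be registered."""
    parts = urlsplit(url)
    if parts.username or parts.password or parts.fragment:
        return False  # no userinfo in the authority, no fragment
    if parts.port not in (None, 443):
        return False  # only the default HTTPS port
    return (parts.scheme, parts.hostname or "", parts.path) in ALLOWED_REDIRECTS


# Constructed redirect targets, as a login endpoint might receive them.
SAMPLES = [
    "https://accounts.example.com/login/complete",
    "https://legacy-stats.example.com/page?x=1",
    "https://accounts.example.com/login/complete/../other",
    "https://accounts.example.com@other.test/login/complete",
    "http://store.example.com/sso/callback",
]


def compare(samples=SAMPLES):
    """Return (url, weak_verdict, strict_verdict) for each sample."""
    return [(u, weak_redirect_ok(u), strict_redirect_ok(u)) for u in samples]


if __name__ == "__main__":
    for url, weak, strict in compare():
        print(f"weak={weak!s:5} strict={strict!s:5} {url}")
```

The wildcard policy accepts every sample hosted under the parent domain, including the unregistered sub-domain, while the exact-match policy accepts only the first.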
According to The Verge, hackers who used this exploit would buy Fortnite's in-game currency (V-Bucks) using the hijacked accounts, gift those V-Bucks to another account, and then sell the V-Bucks at a discounted rate to other players on the dark web. These flaws provided the ability for a massive invasion of privacy...
Players can purchase the digitally generated V-Bucks or earn them by successfully completing missions, and those V-Bucks can then be used to purchase digital costumes, weapons and other items used to build shelters in the game and fend off attacks by other players and zombie characters.
This enabled hackers to gain access to an account without requiring a password.
Vanunu explained that cybersecurity vulnerabilities like the one Check Point highlighted are becoming increasingly common as apps become more complex.