Fortnite security issue would have granted hackers access to accounts

Check Point recommends that Fortnite players enable two-factor authentication (2FA) for their accounts.
Written by Catalin Cimpanu, Contributor
Fortnite hacked
Image: Check Point

Epic Games, the maker of the insanely popular Fortnite game, has silently patched a vulnerability in its infrastructure that would have allowed hackers to gain access to users' accounts with incredible ease.

The vulnerability was found by security researchers from Israeli cyber-security firm Check Point, who reported the issue privately to the game maker last year.

"We reported in early November, and we noticed it was fixed at the end of November," Oded Vanunu, one of the Check Point security researchers, told ZDNet via email.

"They didn't communicate with us [an] ETA or any progress of the fixes," he added, regarding the company's response to the bug report.

The vulnerability was actually a combination of several bugs in different parts of the Epic Games infrastructure, some of them not even Fortnite-related.

A successful attack would have relied on users clicking on a malformed Epic Games login link. However, the link's format wouldn't have raised suspicion among less technical users, who would have been unable to spot the malformed parameters.

The attack worked mainly because the Check Point team identified a way to hijack the SSO (single sign-on) token that is exchanged between SSO providers like Facebook, Google, PlayStation, Xbox, or Nintendo, and the Epic Games server.

The researchers hijacked the login process and redirected the user to another Epic Games server (one used for showing Unreal Tournament 2004 stats), where they exploited a cross-site scripting (XSS) vulnerability to record the SSO token, the piece they would have needed to hijack a user's account, the researchers explained in a report that will be released later today.
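The defensive counterpart to the chain described above is to accept only exact, pre-registered post-login redirect targets instead of any host under the company's domain. The following is an added example, not code from Check Point or Epic Games; it assumes the login link carries a redirect target, and the `example.com` hostnames, paths, and function names are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allow-list of exact post-login callbacks (placeholder hosts).
ALLOWED_CALLBACKS = {
    ("https", "accounts.example.com", "/login/callback"),
    ("https", "store.example.com", "/sso/return"),
}

def naive_is_allowed(url: str) -> bool:
    """Weak check: any host whose name ends with the company domain."""
    return (urlsplit(url).hostname or "").endswith("example.com")

def strict_is_allowed(url: str) -> bool:
    """Exact scheme/host/path match; rejects userinfo, odd ports, control chars."""
    if any(ch in url for ch in "\\\r\n\t "):
        return False  # characters browsers and parsers normalise differently
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # user@host syntax hides the real destination
    if port not in (None, 443):
        return False
    return (parts.scheme, parts.hostname or "", parts.path) in ALLOWED_CALLBACKS

def accepted_only_by_naive(urls):
    """Redirect targets the weak check lets through but the strict one blocks."""
    return [u for u in urls if naive_is_allowed(u) and not strict_is_allowed(u)]

# Constructed sample inputs.
SAMPLES = [
    "https://accounts.example.com/login/callback",       # registered callback
    "https://legacy-stats.example.com/stats",            # sibling host, not registered
    "https://evilexample.com/login/callback",            # suffix match, different domain
    "http://accounts.example.com/login/callback",        # downgraded scheme
    "https://accounts.example.com@other.test/login/callback",  # userinfo trick
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"naive={naive_is_allowed(u)!s:5} strict={strict_is_allowed(u)!s:5} {u}")
```

With the strict check, a forgotten sibling host that happens to contain an XSS flaw never receives the token, because it was never registered as a callback.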

Fortnite hack exploit chain
Image: Check Point

When ZDNet asked Vanunu about the exploit's complexity, the researcher said the attack would have been easy to pull off.

"Not advanced at all, very simple to execute in the background," Vanunu told us. "Token stealing is one of the emerging attack vectors... everyone is out for the authentication tokens & exploiting application logic."

"Cyber crime organizations are as powerful as states, and there is a lot of money with Fortnite game logic," Vanunu said. "There are many scams & exploitation out there that have already been published. As far as I know, no one has already shown an example of a real exploitation flow. We are here to prove & raise awareness since most of the players are kids!"

Vanunu's warning regarding an increase in Fortnite-related cybercrime activity is warranted. In June 2018, it was reported that over nine million Fortnite accounts had been hacked.

Fortnite's in-game currency, V-Bucks, has been known to be used to launder real-world money for cyber-criminals, continuing a well-known industry trend. And it's not just cyber-criminal organizations. Teenagers are taking their first steps on the hacking scene by stealing each other's accounts.

In many cases, cyber-criminals don't even bother with hacking Fortnite accounts, as all they want is players' money. Fortnite-related scams are just as prevalent, with crooks luring users into buying fake Fortnite-related artifacts or in-game currency.

A ZeroFOX report published in October 2018 revealed that the company detected roughly 53,000 Fortnite scams over the course of the previous month.

As for Check Point's bug report, Vanunu said the game maker, which banked a $3 billion profit last year, didn't offer a bug bounty reward, but the research team wasn't interested anyway.

"This is not our goal," the researcher told ZDNet. "For example our last publication with DJI they offered us around 5K$ reward that we didn't take."

Fortnite, the game, has an estimated userbase count of nearly 125 million gamers. The game is responsible for half of Epic Games' estimated value.
