
Massive ‘Fortnite’ Security Hole Allowed Hackers to Take Over Accounts, Eavesdrop on Chats

Updated: “Fortnite” players were exposed to hackers who could control their accounts, purchase in-game items through their credit cards, and drop into in-game chats posing as the hacked player, cybersecurity firm Check Point Software Technologies discovered in November.

The company immediately alerted developer Epic Games, which tells Variety it fixed the massive security hole this month.

“We were made aware of the vulnerabilities and they were soon addressed,” a spokesperson said. “We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”

In this particular case, though, the issue wasn’t related to passwords: hackers could gain access to an account without needing any login information. Instead, the security hole was tied to flaws found in two of Epic Games’ sub-domains that were susceptible to a malicious redirect, allowing users’ legitimate authentication tokens to be intercepted by a hacker via the compromised sub-domain.

Researchers outlined the process by which an attacker could have gained access to a user’s account through vulnerabilities discovered in “Fortnite’s” user login process. By chaining three flaws found in Epic Games’ web infrastructure, researchers were able to demonstrate how the token-based authentication process used in conjunction with Single Sign-On (SSO) systems such as Facebook, Google, and Xbox could be abused to steal a user’s access token and take over their account.


To fall victim to this attack, a player needed only to click on a crafted phishing link — one typically designed to look like it was coming from an Epic Games domain. Once clicked, the user’s Fortnite authentication token could be captured by the attacker without the user entering any login credentials.
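The flaw described above hinged on a sub-domain that would redirect to an attacker-chosen location while the authentication token was in flight. As an added example (not Check Point’s or Epic Games’ code), here is a defender-side check in Python that only allows a post-login redirect to land on an allowlisted host; the host names and login URL are assumptions made for the example.

```python
from urllib.parse import urlsplit, urljoin

# Hypothetical allowlist for this example: the hosts a login endpoint may send the
# browser back to once a token has been issued. Epic's real host list is not known here.
ALLOWED_HOSTS = {"accounts.example-game.com", "www.example-game.com"}
# Assumed base URL that relative redirect targets resolve against.
LOGIN_BASE = "https://accounts.example-game.com/login"


def is_safe_redirect(target: str) -> bool:
    """Return True only if `target` resolves to an allowlisted host over https.

    The candidate is resolved the way a browser would resolve it and the resulting
    host is compared exactly, so lookalike hosts and parser-confusion inputs
    (userinfo tricks, scheme-relative forms, backslashes) are rejected instead of
    being treated as "same site".
    """
    t = target.strip()
    # Empty targets, backslashes (browsers treat them as slashes) and embedded
    # whitespace or control characters are never part of a legitimate in-site URL.
    if not t or "\\" in t or any(c.isspace() or ord(c) < 0x20 for c in t):
        return False
    # "//host" and "///host" are parsed differently by browsers and urllib;
    # an in-site redirect never needs the scheme-relative form, so refuse it.
    if t.startswith("//"):
        return False
    resolved = urljoin(LOGIN_BASE, t)
    parts = urlsplit(resolved)
    if parts.scheme != "https":
        return False
    # `hostname` strips userinfo and port: "https://good.com@evil.example" -> "evil.example".
    host = parts.hostname
    if host is None:
        return False
    return host.lower() in ALLOWED_HOSTS


def redirect_target(candidate: str, fallback: str = "/") -> str:
    """Choose the post-login redirect: the candidate if safe, otherwise a fixed fallback."""
    return candidate if is_safe_redirect(candidate) else fallback
```

The key point is that the redirect parameter is never trusted as given: anything that does not resolve to an exact allowlisted host falls back to a fixed in-site page, so a crafted link cannot route the token elsewhere.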

If exploited, the vulnerability would have given an attacker full access to a user’s account and their personal information as well as enabling them to purchase virtual in-game currency using the victim’s payment card details, according to Check Point. The vulnerability would also allow an attacker to listen to in-game chatter if they joined a match with the hacked account.

“Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy,” said Oded Vanunu, head of products vulnerability research for Check Point. “Together with the vulnerabilities we recently found in the platforms used by drone manufacturer DJI, they show how susceptible cloud applications are to attacks and breaches. These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability.”

Earlier this week, researchers noted that “Fortnite” has also become a hub for criminals looking to launder money from stolen credit cards by selling accounts for the game.
