
Massive ‘Fortnite’ Security Hole Allowed Hackers to Take Over Accounts, Eavesdrop on Chats

Updated: “Fortnite” players were exposed to hackers who could control their accounts, purchase in-game items through their credit cards, and drop into in-game chats posing as the hacked player, cybersecurity firm Check Point Software Technologies discovered in November.

The company immediately alerted developer Epic Games, which tells Variety it fixed the massive security hole this month.

“We were made aware of the vulnerabilities and they were soon addressed,” a spokesperson said. “We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”

In this particular case, though, the issue wasn’t related to passwords: hackers could gain access to an account without the need for any login information. Instead, the security hole was tied to flaws found in two of Epic Games’ sub-domains that were susceptible to a malicious redirect, allowing users’ legitimate authentication tokens to be intercepted by a hacker from the compromised sub-domain.

Researchers outlined the process by which an attacker could have potentially gained access to a user’s account through vulnerabilities discovered in “Fortnite’s” user login process. Because of three flaws found in Epic Games’ web infrastructure, researchers were able to demonstrate how the token-based authentication process, used in conjunction with Single Sign-On (SSO) systems such as Facebook, Google, and Xbox, could be abused to steal the user’s access credentials and take over their account.

To fall victim to this attack, a player needed only to click on a crafted phishing link — one typically designed to look like it was coming from an Epic Games domain. Once clicked, the user’s Fortnite authentication token could be captured by the attacker without the user entering any login credentials.
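The defensive lesson is that a sign-in service should not treat every host under its own domain as a safe destination for a user's token. As an added example (not from the article, Check Point, or Epic Games), the Python below runs a lenient suffix check beside an exact-match allowlist; the hosts, paths, and the form of the lenient check are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed placeholders; not Epic Games' real hosts or paths.
PARENT_DOMAIN = "game.example"
ALLOWED_REDIRECTS = {
    ("accounts.game.example", "/sso/callback"),
    ("store.game.example", "/login/complete"),
}

def weak_is_allowed(url):
    """Lenient check (assumed form): trusts any host under the parent domain."""
    host = urlsplit(url).hostname or ""
    return host == PARENT_DOMAIN or host.endswith("." + PARENT_DOMAIN)

def strict_is_allowed(url):
    """Exact match on scheme, host, port and path for the post-login target."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or port not in (None, 443):
        return False
    if parts.username or parts.password:
        return False  # userinfo can disguise the real host
    if parts.query or parts.fragment:
        return False  # no parameter that could forward the token onward
    return ((parts.hostname or "").lower(), parts.path) in ALLOWED_REDIRECTS

# Constructed sample redirect targets for the comparison.
SAMPLES = [
    "https://accounts.game.example/sso/callback",
    "https://old-promo.game.example/redirect?to=https://collector.invalid/",
    "http://accounts.game.example/sso/callback",
    "https://accounts.game.example@other.invalid/sso/callback",
    "https://game.example.other.invalid/sso/callback",
]

def audit(urls):
    """Return (url, weak_result, strict_result) for each candidate."""
    return [(u, weak_is_allowed(u), strict_is_allowed(u)) for u in urls]

if __name__ == "__main__":
    for url, weak, strict in audit(SAMPLES):
        print(f"weak={weak!s:5} strict={strict!s:5} {url}")
```

The second sample is the case that matters: a little-used sub-domain passes the suffix check, so any redirect flaw on it becomes a route for the token to leave the domain.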

If exploited, the vulnerability would have given an attacker full access to a user’s account and their personal information as well as enabling them to purchase virtual in-game currency using the victim’s payment card details, according to Check Point. The vulnerability would also allow an attacker to listen to in-game chatter if they joined a match with the hacked account.

“Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy,” said Oded Vanunu, head of products vulnerability research for Check Point. “Together with the vulnerabilities we recently found in the platforms used by drone manufacturer DJI, show how susceptible cloud applications are to attacks and breaches. These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability.”

Earlier this week, researchers noted that “Fortnite” has also become a hub for criminals looking to launder money from stolen credit cards by selling accounts for the game.
