
Massive ‘Fortnite’ Security Hole Allowed Hackers to Take Over Accounts, Eavesdrop on Chats

Updated: “Fortnite” players were exposed to hackers who could control their accounts, purchase in-game items through their credit cards, and drop into in-game chats posing as the hacked player, cybersecurity firm Check Point Software Technologies discovered in November.

The company immediately alerted developer Epic Games, which tells Variety it fixed the massive security hole this month.

“We were made aware of the vulnerabilities and they were soon addressed,” a spokesperson said. “We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”

In this particular case, though, the issue wasn’t related to passwords: hackers could gain access to an account without the need for any login information. Instead, the security hole was tied to flaws found in two of Epic Games’ sub-domains that were susceptible to a malicious redirect, allowing users’ legitimate authentication tokens to be intercepted by a hacker from the compromised sub-domain.

Researchers outlined the process by which an attacker could have potentially gained access to a user’s account through vulnerabilities discovered in “Fortnite’s” user login process. Using three flaws found in Epic Games’ web infrastructure, researchers were able to demonstrate how the token-based authentication process used in conjunction with Single Sign-On (SSO) systems such as Facebook, Google, and Xbox could be abused to steal the user’s access credentials and take over their account.

To fall victim to this attack, a player needed only to click on a crafted phishing link — one typically designed to look like it was coming from an Epic Games domain. Once clicked, the user’s Fortnite authentication token could be captured by the attacker without the user entering any login credentials.
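One defensive check relevant to the redirect issue described above is to validate the post-login redirect target against an exact list of origins instead of trusting every sub-domain. The following is an added example, not code from Epic Games or Check Point; it assumes a sign-in service that accepts a redirect target, and all hostnames and function names are constructed placeholders.

```javascript
// Added example: validating the post-login redirect target in an SSO flow.
// All hostnames below are constructed placeholders, not real service hosts.

// Exact origins that are allowed to receive the user after sign-in.
const ALLOWED_ORIGINS = new Set([
  "https://accounts.example.com",
  "https://store.example.com",
]);

// Weak check: trusts every sub-domain of the parent domain, so a single
// flawed or forgotten sub-domain is enough to receive the token.
function weakIsAllowed(target) {
  try {
    return new URL(target).hostname.endsWith(".example.com");
  } catch {
    return false;
  }
}

// Strict check: https only, no embedded credentials, exact origin match.
function strictIsAllowed(target) {
  let url;
  try {
    url = new URL(target);
  } catch {
    return false; // relative or malformed values are rejected outright
  }
  if (url.protocol !== "https:") return false;
  if (url.username || url.password) return false;
  return ALLOWED_ORIGINS.has(url.origin);
}

// Constructed sample redirect targets.
const SAMPLES = [
  "https://accounts.example.com/login/complete", // listed origin
  "https://old-stats.example.com/page",          // unlisted sub-domain
  "http://accounts.example.com/login/complete",  // listed host, no TLS
  "not a url",                                   // malformed input
];

// Run both checks over the samples so the difference is visible per row.
function audit(samples) {
  return samples.map((target) => ({
    target,
    weak: weakIsAllowed(target),
    strict: strictIsAllowed(target),
  }));
}

console.table(audit(SAMPLES));
```

The second and third rows are the ones that matter: the suffix match accepts them, while the exact-origin check does not.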

If exploited, the vulnerability would have given an attacker full access to a user’s account and their personal information as well as enabling them to purchase virtual in-game currency using the victim’s payment card details, according to Check Point. The vulnerability would also allow an attacker to listen to in-game chatter if they joined a match with the hacked account.

“Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy,” said Oded Vanunu, head of products vulnerability research for Check Point. “Together with the vulnerabilities we recently found in the platforms used by drone manufacturer DJI, show how susceptible cloud applications are to attacks and breaches. These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability.”

Earlier this week, researchers noted that “Fortnite” has also become a hub for criminals looking to launder money from stolen credit cards by selling accounts for the game.
