
Massive ‘Fortnite’ Security Hole Allowed Hackers to Take Over Accounts, Eavesdrop on Chats

Updated: “Fortnite” players were exposed to hackers who could control their accounts, purchase in-game items through their credit cards, and drop into in-game chats posing as the hacked player, cybersecurity firm Check Point Software Technologies discovered in November.

The company immediately alerted developer Epic Games, which tells Variety it fixed the massive security hole this month.

“We were made aware of the vulnerabilities and they were soon addressed,” a spokesperson said. “We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”

In this particular case, though, the issue wasn’t related to passwords: hackers could gain access to an account without the need for any login information. Instead, the security hole was tied to flaws found in two of Epic Games’ sub-domains that were susceptible to a malicious redirect, allowing users’ legitimate authentication tokens to be intercepted by a hacker from the compromised sub-domain.

Researchers outlined the process by which an attacker could have gained access to a user’s account through vulnerabilities discovered in the “Fortnite” user login process. Using three flaws found in Epic Games’ web infrastructure, researchers were able to demonstrate how the token-based authentication process, used in conjunction with Single Sign-On (SSO) systems such as Facebook, Google, and Xbox, could be abused to steal the user’s access credentials and take over their account.

To fall victim to this attack, a player needed only to click on a crafted phishing link — one typically designed to look like it was coming from an Epic Games domain. Once clicked, the user’s Fortnite authentication token could be captured by the attacker without the user entering any login credentials.
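As an added illustration (not from Check Point’s research or Epic Games’ code), the sketch below shows why a login service that hands tokens to any sub-domain of its parent domain inherits the weaknesses of every sub-domain, and how an exact-match allowlist narrows that exposure. The hostnames under example.com and the function names are constructed placeholders; the article does not describe Epic’s actual validation logic.

```python
from urllib.parse import urlsplit

# Constructed placeholders: the only hosts allowed to receive a post-login redirect.
ALLOWED_REDIRECT_HOSTS = {"accounts.example.com", "store.example.com"}
PARENT_DOMAIN = "example.com"
DEFAULT_TARGET = "https://accounts.example.com/"


def weak_is_allowed(url: str) -> bool:
    """Loose check: trusts every host under the parent domain,
    including forgotten or poorly maintained sub-domains."""
    host = (urlsplit(url).hostname or "").lower()
    return host == PARENT_DOMAIN or host.endswith("." + PARENT_DOMAIN)


def strict_is_allowed(url: str) -> bool:
    """Exact-match check: https only, allowlisted host, default port,
    no embedded credentials, no characters browsers reinterpret."""
    if "\\" in url or any(c in url for c in "\r\n\t"):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    return (parts.hostname or "").lower() in ALLOWED_REDIRECT_HOSTS


def safe_redirect_target(requested: str) -> str:
    """Fall back to a fixed page instead of following an unapproved target."""
    return requested if strict_is_allowed(requested) else DEFAULT_TARGET


if __name__ == "__main__":
    samples = [  # constructed sample redirect targets
        "https://accounts.example.com/profile",
        "https://old-forum.example.com/page",
        "http://accounts.example.com/",
        "https://accounts.example.com@other.test/",
    ]
    for s in samples:
        print(f"{s:45} weak={weak_is_allowed(s)} strict={strict_is_allowed(s)}")
```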

If exploited, the vulnerability would have given an attacker full access to a user’s account and their personal information as well as enabling them to purchase virtual in-game currency using the victim’s payment card details, according to Check Point. The vulnerability would also allow an attacker to listen to in-game chatter if they joined a match with the hacked account.

“Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy,” said Oded Vanunu, head of products vulnerability research for Check Point.  “Together with the vulnerabilities we recently found in the platforms used by drone manufacturer DJI, show how susceptible cloud applications are to attacks and breaches.  These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability.”

Earlier this week, researchers noted that “Fortnite” has also become a hub for criminals looking to launder money from stolen credit cards by selling accounts for the game.
