IE 11 is not supported. For an optimal experience visit our site on another browser.

Massive 'Fortnite' security hole allowed hackers to take over accounts, eavesdrop on chats

To fall victim to this attack, a player needed only to click on a crafted phishing link — one typically designed to look like it was coming from an Epic Games domain.
Image: Game enthusiasts and industry personnel visit the 'Fortnite' exhibit
Game enthusiasts and industry personnel visit the 'Fortnite' exhibit during the Electronic Entertainment Expo E3 at the Los Angeles Convention Center on June 12, 2018 in Los Angeles.Christian Petersen / Getty Images file

LOS ANGELES — "Fortnite" players were exposed to hackers who could control their accounts, purchase in-game items through their credit cards, and drop into in-game chats posing as the hacked player, cybersecurity firm Check Point Software Technologies discovered in November.

The company immediately alerted developer Epic Games, which tells Variety it fixed the massive security hole this month.

"We were made aware of the vulnerabilities and they were soon addressed," a spokesperson said. "We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others."

In this particular case, the issue wasn't related to passwords though, hackers could gain access to an account without the need for any login information. Instead, the security hole was tied to flaws found in two of Epic Games' sub-domains that were susceptible to a malicious redirect, allowing users' legitimate authentication tokens to be intercepted by a hacker from the compromised sub-domain.

Researchers outlined the process in which an attacker could have potentially gained access to a user's account through vulnerabilities discovered in 'Fortnite's' user login process. Due to three vulnerability flaws found in Epic Games' web infrastructure, researchers were able to demonstrate the token-based authentication process used in conjunction with Single Sign-On (SSO) systems such as Facebook, Google, and Xbox to steal the user's access credentials and take over their account.

To fall victim to this attack, a player needed only to click on a crafted phishing link — one typically designed to look like it was coming from an Epic Games domain. Once clicked, the user's Fortnite authentication token could be captured by the attacker without the user entering any login credentials.

If exploited, the vulnerability would have given an attacker full access to a user's account and their personal information as well as enabling them to purchase virtual in-game currency using the victim's payment card details, according to Check Point. The vulnerability would also allow an attacker to listen to in-game chatter if they joined a match with the hacked account.

"Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy," said Oded Vanunu, head of products vulnerability research for Check Point. "Together with the vulnerabilities we recently found in the platforms used by drone manufacturer DJI, show how susceptible cloud applications are to attacks and breaches. These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability."

Earlier this week, researchers noted that "Fortnite" has also become a hub for criminals looking to launder money from stolen credit cards by selling accounts for the game.