Fortnite has patched a flaw in its user login process that could have enabled hackers to gain access to user accounts.
Highlights:
- Fortnite players were vulnerable to a hack that could enable an attacker to gain access to their accounts.
- The flaw existed in Epic Games’ web-domain and user login process.
Fortnite had a vulnerability that could have enabled hackers to gain access to a user’s account and spend money using their payment card details for purchasing the title’s in-game currency, V-Bucks. The flaw was discovered in Fortnite’s user login process, along with three vulnerability flaws in Epic Games’ web infrastructure that could enable a hacker to send a crafted phishing link to players from an Epic Games domain. Once clicked on, the user didn’t even need to give out their credentials as their Fortnite authentication token could be captured without them entering any login credentials. This serious flaw seems to have originated in two of Epic Games’ sub-domains that could be used to maliciously redirect a user’s legitimate authentication tokens to be snatched by an attacker from the vulnerable sub-domain. Epic Games fixed the issue after being notified by Check Point Research.
Check Point’s media release states that the flaw would have also allowed a hacker to listen-in on in-game conversations and conversations around the player in real life. However, in a statement to The Verge, Check Point said that listening in does not mean eavesdropping on the hacked player, but the hacker could present themselves as the victim and talk to the player’s friends. The three flaws found in epic Games’ web infrastructure, researchers would have been able to “demonstrate the token-based authentication process used in conjunction with Single Sign-On (SSO) systems such as Facebook, Google and Xbox to steal the user’s access credentials and take over their account.”
Oded Vanunu, Head of products vulnerability research for Check Point says,”Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy. Together with the vulnerabilities we recently found in the platforms used by drone manufacturer DJI, show how susceptible cloud applications are to attacks and breaches. These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability.”
Related Read:
PUBG Mobile now rivals Fortnite with over 200 million users
Follow Us
Digit NewsDesk
Digit News Desk writes news stories across a range of topics. Getting you news updates on the latest in the world of tech. View Full Profile
