Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //

Data Leakage

09:35 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt

Vulnerability Puts Millions of Fortnite Players at Risk, Check Point Finds

Epic Games, the developer of Fortnite, fixed vulnerabilities in its web infrastructure that researchers said exposed the sensitive information of users of the wildly popular online game.

Check Point Software researchers discovered vulnerabilities in the hugely popular online game Fortnite that could have put the sensitive information of the almost 80 million users around the globe at risk.

Through the vulnerabilities, attackers could have stolen the usernames and passwords, which would have given them access to a vast amount of information stored in the accounts, enabled them to listen to and record conversations during the games, hear surrounding sounds and chatter within a user's home or wherever they were playing from, access users' in-game contacts and buy V-Bucks, the currency used in the game.

Check Point researchers notified Fortnite's developer, Epic Games, about the vulnerabilities in the company's web platform and they have since been fixed, according to Check Point and Epic. Epic officials in a statement noted: "...we were made aware of the vulnerabilities and they were soon addressed … As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others."

(Source: Epic Games)
(Source: Epic Games)

There's no indication that the vulnerabilities were used to attack Fortnite gamers, but they represented a significant threat given the massive numbers of people -- many of them children, though some of them are professional gamers -- who play the game. It's used on all the top game consoles, including Microsoft's Xbox One, Nintendo Switch and Sony's PlayStation 4, and is available on the Android and Apple iOS mobile platforms and on PCs through Microsoft Windows.

Given the runaway popularity, Fortnite players have been targeted in the past, including through campaigns aimed at enticing users to log into fake websites that have offered the ability to run the game on some unsupported mobile platforms or to generate V-Bucks. Last year some Fortnite players found their game accounts had been breached and that bad actors had rung up hundreds of dollars in purchases. (See Fortnite Players Lob Shots at Epic Games Over Hacked Accounts.)

In their report, "Hacking Fortnite Accounts," Check Point researchers noted that the popularity of Fortnite has translated into a lot of money for Epic, with the game generating almost half of the company's $5 billion to $8 billion of estimated value.

"With such a meteoric rise in fortune, it is no surprise then that the game had already attracted the attention from cyber criminals who set out to con unsuspecting players," they wrote.

Eran Vaknin, security expert at Check Point, also noted the global popularity of the game when talking about the latest vulnerabilities found by his company.

"Fortnite is the biggest online social game created in the wild, so the vulnerability exposes [all of its] users and this is the big picture," Vaknin told Security Now in an email. "The account takeover vulnerability is unique since we didn't see any report mentioned. It has happened in the past for Epic Games. The attack is seamless to the victim [and] everything is happening automatically behind the scenes."

He added that the researchers "treat Fortnite … as an infrastructure for people to collaborate together in kind of a social network, so I think that our vulnerabilities affect the same risk level of a business attack."

Unlike other attacks, the vulnerabilities found by Check Point analysts would have needed only for a gamer to click on a phishing link that appeared to be coming from an Epic Games domain.

If the gamer clicked on the link, the attacker would be able to grab the user's Fortnite authentication token without the user having to enter login credentials. The researchers found three flaws in Epic's web infrastructure that would have enabled attackers to steal user access credentials via the token-based authentication process used with Single Sign-On (SSO) systems like Facebook, Google and Xbox.

With these credentials, the bad actors could take over users' accounts.

The researchers showed that flaws in two of Epic's sub-domains were vulnerable to malicious redirects, which would have enabled hackers to grab users' legitimate authentication tokens from the compromised sub-domain through a cross-site scripting (XSS) attack.

Because of the amount of private data -- such as credit card numbers -- that are in users' accounts, Fortnite is "very attractive and valuable target on all of the platforms," Vaknin said.

There are several ways for users and organizations to protect themselves against such attacks, the researchers note. Gamers should always question the legitimacy of links they see on user forums and websites and use two-factor authentication. Parents should educate their children about cybersecurity and organizations need to ensure that their infrastructure's security is up to date.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Sure you have fire, but he has an i7!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-05
SQL injection in admin.php in doctor appointment system 1.0 allows an unauthenticated attacker to insert malicious SQL queries via username parameter at login page.
PUBLISHED: 2021-03-04
On Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200, portions of the drive containing executable code were not encrypted thus leaving it open to potential cryptographic information disclosure.
PUBLISHED: 2021-03-04
Missing permission check in knox_custom service prior to SMR Mar-2021 Release 1 allows attackers to gain access to device's serial number without permission.
PUBLISHED: 2021-03-04
Graphic format mismatch while converting video format in hwcomposer prior to SMR Mar-2021 Release 1 results in kernel panic due to unsupported format.
PUBLISHED: 2021-03-04
A possible arbitrary memory overwrite vulnerabilities in quram library version prior to SMR Jan-2021 Release 1 allow arbitrary code execution.