Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //

Data Leakage

1/18/2019
09:35 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

Vulnerability Puts Millions of Fortnite Players at Risk, Check Point Finds

Epic Games, the developer of Fortnite, fixed vulnerabilities in its web infrastructure that researchers said exposed the sensitive information of users of the wildly popular online game.

Check Point Software researchers discovered vulnerabilities in the hugely popular online game Fortnite that could have put the sensitive information of the almost 80 million users around the globe at risk.

Through the vulnerabilities, attackers could have stolen the usernames and passwords, which would have given them access to a vast amount of information stored in the accounts, enabled them to listen to and record conversations during the games, hear surrounding sounds and chatter within a user's home or wherever they were playing from, access users' in-game contacts and buy V-Bucks, the currency used in the game.

Check Point researchers notified Fortnite's developer, Epic Games, about the vulnerabilities in the company's web platform and they have since been fixed, according to Check Point and Epic. Epic officials in a statement noted: "...we were made aware of the vulnerabilities and they were soon addressed … As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others."

There's no indication that the vulnerabilities were used to attack Fortnite gamers, but they represented a significant threat given the massive numbers of people -- many of them children, though some of them are professional gamers -- who play the game. It's used on all the top game consoles, including Microsoft's Xbox One, Nintendo Switch and Sony's PlayStation 4, and is available on the Android and Apple iOS mobile platforms and on PCs through Microsoft Windows.

Given the runaway popularity, Fortnite players have been targeted in the past, including through campaigns aimed at enticing users to log into fake websites that have offered the ability to run the game on some unsupported mobile platforms or to generate V-Bucks. Last year some Fortnite players found their game accounts had been breached and that bad actors had rung up hundreds of dollars in purchases. (See Fortnite Players Lob Shots at Epic Games Over Hacked Accounts.)

In their report, "Hacking Fortnite Accounts," Check Point researchers noted that the popularity of Fortnite has translated into a lot of money for Epic, with the game generating almost half of the company's $5 billion to $8 billion of estimated value.

"With such a meteoric rise in fortune, it is no surprise then that the game had already attracted the attention from cyber criminals who set out to con unsuspecting players," they wrote.

Eran Vaknin, security expert at Check Point, also noted the global popularity of the game when talking about the latest vulnerabilities found by his company.

"Fortnite is the biggest online social game created in the wild, so the vulnerability exposes [all of its] users and this is the big picture," Vaknin told Security Now in an email. "The account takeover vulnerability is unique since we didn't see any report mentioned. It has happened in the past for Epic Games. The attack is seamless to the victim [and] everything is happening automatically behind the scenes."

He added that the researchers "treat Fortnite … as an infrastructure for people to collaborate together in kind of a social network, so I think that our vulnerabilities affect the same risk level of a business attack."

Unlike other attacks, the vulnerabilities found by Check Point analysts would have needed only for a gamer to click on a phishing link that appeared to be coming from an Epic Games domain.

If the gamer clicked on the link, the attacker would be able to grab the user's Fortnite authentication token without the user having to enter login credentials. The researchers found three flaws in Epic's web infrastructure that would have enabled attackers to steal user access credentials via the token-based authentication process used with Single Sign-On (SSO) systems like Facebook, Google and Xbox.

With these credentials, the bad actors could take over users' accounts.

The researchers showed that flaws in two of Epic's sub-domains were vulnerable to malicious redirects, which would have enabled hackers to grab users' legitimate authentication tokens from the compromised sub-domain through a cross-site scripting (XSS) attack.

Because of the amount of private data -- such as credit card numbers -- that are in users' accounts, Fortnite is "very attractive and valuable target on all of the platforms," Vaknin said.

There are several ways for users and organizations to protect themselves against such attacks, the researchers note. Gamers should always question the legitimacy of links they see on user forums and websites and use two-factor authentication. Parents should educate their children about cybersecurity and organizations need to ensure that their infrastructure's security is up to date.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14318
PUBLISHED: 2020-12-03
A flaw was found in the way samba handled file and directory permissions. An authenticated user could use this flaw to gain access to certain file and directory information which otherwise would be unavailable to the attacker.
CVE-2020-2320
PUBLISHED: 2020-12-03
Jenkins Plugin Installation Manager Tool 2.1.3 and earlier does not verify plugin downloads.
CVE-2020-2321
PUBLISHED: 2020-12-03
A cross-site request forgery (CSRF) vulnerability in Jenkins Shelve Project Plugin 3.0 and earlier allows attackers to shelve, unshelve, or delete a project.
CVE-2020-2322
PUBLISHED: 2020-12-03
Jenkins Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to generate load and to generate memory leaks.
CVE-2020-2323
PUBLISHED: 2020-12-03
Jenkins Chaos Monkey Plugin 0.4 and earlier does not perform permission checks in an HTTP endpoint, allowing attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions.