Several reports have surfaced online of the suspected hacking of players’ accounts in the popular online video game Fortnite, with some gamers claiming that hackers were able to take control of their accounts and purchase in-game items with their credit card details.
Variety reports that Check Point, a cybersecurity firm based in Israel, discovered the Fortnite vulnerability in November.
The company notified Epic Games, Fortnite’s developers, as soon as they discovered the vulnerability, and now it appears that Epic Games have fixed the flaw, a spokesperson said.
“We were made aware of the vulnerabilities and they were soon addressed,” a spokesperson said. “We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”
In this particular case, the issue wasn’t connected to users’ password information, as hackers could access an account without using the account holder’s login details.
Instead, Check Point’s researchers said, the vulnerabilities were connected to flaws in two of Epic Games’ online sub-domains that were susceptible to a malicious redirect. This allowed legitimate user authentication tokens to be intercepted by a hacker.
According to the Variety report, researchers said that three flaws found in Epic Games’ web infrastructure were enough to take over users’ accounts and view their personal information.
Check Point noted in its blog post that attackers “took advantage of Epic Games’ use of authentication tokens in conjunction with Single Sign-On (SSO) providers such as Facebook, Google, X-Box and others that are built into Fortnite’s user login process”.
For the attack to be successful, a player only needed to click on a phishing link, delivered in a fake message made to look as though it was sent from Epic Games.
“Once clicked, with no need even for the user to enter any login credentials, their Fortnite authentication token would immediately be captured by the attacker,” Check Point said.
If a user clicked on the link, the vulnerability would give attackers full access to data stored on their account, including the ability to purchase more in-game currency by using the victim’s card details.
Check Point researchers also said that hackers could access “user’s in-game contacts as well as listen in on and record conversations taking place during gameplay”.
Check Point said that it is important for companies that use an online portal to conduct proper validation checks on the login pages they ask their users to access.
“They must also perform thorough and regular hygiene checks on their entire IT infrastructure to ensure they have not left outdated and unused sites or access points online.
“When attackers are constantly on the lookout for the weakest link in your company’s online presence, these often unknown and unprotected pages can easily serve as a backdoor to your enterprise’s main network,” Check Point added.
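The kind of validation check recommended above can be illustrated with a server-side test of where a login flow is allowed to send a user, and their token, after sign-in. This is an added example, not code from Epic Games or Check Point; it assumes the login flow accepts a redirect URL as a parameter, and all hostnames, paths and function names are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allow-list of exact post-login redirect targets
# (scheme, host, port, path). Placeholder hostnames, not real endpoints.
ALLOWED_REDIRECTS = {
    ("https", "accounts.game.example", 443, "/login/complete"),
    ("https", "store.game.example", 443, "/sso/callback"),
}

def weak_is_allowed(url: str) -> bool:
    """Weak check: trusts anything whose host ends with the parent domain,
    so a forgotten sub-domain or a look-alike host is accepted too."""
    host = urlsplit(url).hostname or ""
    return host.endswith("game.example")

def strict_is_allowed(url: str) -> bool:
    """Strict check: the target must exactly match a registered entry."""
    # Backslashes, spaces and control characters are parsed differently by
    # browsers and by server-side libraries, so refuse them outright.
    if "\\" in url or any(ord(c) < 0x21 for c in url):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # "trusted-host@other-host" style userinfo
    if parts.query or parts.fragment:
        return False  # no room for a nested redirect parameter
    if port is None:
        port = 443 if parts.scheme == "https" else None
    return (parts.scheme, parts.hostname, port, parts.path) in ALLOWED_REDIRECTS

def compare(urls):
    """Return (url, weak_result, strict_result) for each candidate URL."""
    return [(u, weak_is_allowed(u), strict_is_allowed(u)) for u in urls]

# Constructed sample inputs.
SAMPLES = [
    "https://accounts.game.example/login/complete",
    "https://old-promo.game.example/redirect?to=https://collector.example/",
    "https://evilgame.example/login/complete",
    "https://accounts.game.example@other.example/login/complete",
    "http://accounts.game.example/login/complete",
]

if __name__ == "__main__":
    for url, weak, strict in compare(SAMPLES):
        print(f"weak={weak!s:5} strict={strict!s:5} {url}")
```

The suffix-based check accepts the unused sub-domain and the look-alike host, which is why every reachable sub-domain has to be inventoried when a login flow trusts a whole parent domain.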