A vulnerability in Fortnite, a popular online video game by Epic Games with over 200 million players, exposed users to the risk of hackers fully taking over their accounts, according to researchers at the security company Check Point.
Check Point researchers discovered a susceptible website hosted on Epic Games’ domain — http://ut2004stats.epicgames.com, which has since been taken down — that could be used to capture users’ authentication tokens. This would allow hackers to log into Fortnite accounts without usernames or passwords. With an authentication token in hand, a bad actor could use the account’s saved credit card information to purchase virtual in-game currency, and listen in on live audio while the targets played the game. While complete credit card numbers were not visible to hackers, they would be able to see the last four digits of a user’s card.
A spokesperson for Epic Games told BuzzFeed News the company had patched the vulnerability. “We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention.” He added, “As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.” However, a strong password would not have spared users from this vulnerability. Epic Games did not respond to inquiries about whether any hackers accessed accounts using this method.
It’s not the first time Epic Games has dealt with security issues. In August, Google publicly disclosed that the original Fortnite installer for Android could be exploited to secretly install unwanted apps or malware on phones, without users’ knowledge.
Here’s How The Vulnerability Could Be Exploited
Fortnite users can opt to sign in using their Google, Facebook, PlayStation, Xbox, or Nintendo accounts, as well as register with Epic Games directly without involving a third party. Once users choose a platform to log into their accounts with, that platform (Google, Facebook, etc.) generates a unique, randomized string of characters, called a token, and sends that token to Epic Games to grant access to the account.
In the case of this vulnerability, researchers discovered two subdomains hosted by Epic Games through which the authentication token, instead of going only to Epic Games, could be redirected to a hacker, allowing them to take over the account.
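To make the mechanism concrete, the following Python example, added here and not part of the BuzzFeed article or of any Epic Games or Check Point code, contrasts a loose redirect-target check with a strict one. It generalises from the specific case described above: the domain names, callback path and sample URLs are constructed placeholders, and the "loose policy" stands for any rule that treats every host under a parent domain as a valid destination for a sign-in token, which is exactly the situation in which a stale or vulnerable subdomain becomes a place the token can be delivered to.

```python
from urllib.parse import urlsplit

# Constructed allowlist of exact (scheme, host, path) tuples that may receive
# a sign-in token. These names are illustrative placeholders, not real values.
TOKEN_RECEIVERS = {
    ("https", "accounts.example-game.com", "/oauth/callback"),
}


def _port_of(parts):
    """Return the explicit port of a split URL, or None; a malformed port
    (e.g. 'https://host:abc/') is treated as an explicit, unexpected port."""
    try:
        return parts.port
    except ValueError:
        return -1


def loose_policy(redirect_url: str, parent_domain: str = "example-game.com") -> bool:
    """Weak rule: accept any https host that is the parent domain or a
    subdomain of it. Every other host under the parent (a forgotten stats
    site, a staging server) is thereby a permitted token destination."""
    parts = urlsplit(redirect_url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and (
        host == parent_domain or host.endswith("." + parent_domain)
    )


def strict_policy(redirect_url: str) -> bool:
    """Hardened rule: scheme, host and path must exactly match an allowlisted
    receiver. Embedded credentials and explicit ports are rejected outright,
    so 'https://good-host@evil.example/...' cannot pass as the good host."""
    parts = urlsplit(redirect_url)
    if parts.username is not None or parts.password is not None:
        return False
    if _port_of(parts) is not None:
        return False
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return (parts.scheme, host, path) in TOKEN_RECEIVERS


def classify(redirect_url: str) -> dict:
    """Evaluate one candidate token destination under both policies."""
    return {"loose": loose_policy(redirect_url), "strict": strict_policy(redirect_url)}


# Constructed sample destinations a token-issuing endpoint might be asked to use.
SAMPLE_URLS = [
    "https://accounts.example-game.com/oauth/callback?state=abc",  # intended receiver
    "https://stats.example-game.com/old/page",                      # other host, same parent
    "http://accounts.example-game.com/oauth/callback",             # right host, plaintext
    "https://accounts.example-game.com@evil.example/oauth/callback",  # userinfo trick
    "https://accounts.example-game.com:8443/oauth/callback",       # unexpected port
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        verdict = classify(url)
        print(f"loose={verdict['loose']!s:5} strict={verdict['strict']!s:5}  {url}")
```

The point the output makes is the one in the article: the loose rule happily sends the token to the stale `stats` host because it shares the parent domain, while the exact-match rule delivers tokens only to the one endpoint that was meant to receive them. The same idea applies to any "sign in with" integration: the set of places a token may be sent should be a short, exact list, not a pattern.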
“If Google sends a token, then it should go to Epic Games, and that’s it,” Oded Vanunu, Check Point’s head of products vulnerability, told BuzzFeed News.
A link to one of the susceptible subdomains could easily be shared on social media, along with a prompt like “Three credits for Fortnite. Claim here,” to entice users to click, he said.
“Once you click [the link], everything happens behind the scenes. There’s no need to enter any credentials or anything. We prefer that users turn on two-factor authentication, but this is a sophisticated attack,” said Vanunu.
He added that users who’d enabled two-factor authentication were likely protected from the vulnerability. According to Vanunu, every time a new computer accesses a Fortnite account with an authentication token, a second factor (a code sent by SMS, email, or authenticator app) is required.
Fortnite accounts are often sold through online marketplaces like eBay and Craigslist, sometimes for thousands of dollars if the account has amassed lots of accessories, which are earned or purchased in the game, Vanunu said. This gives hackers an incentive to go after the free-to-play online game’s users, many of whom are teens or children.
Vanunu ultimately hopes that news of the vulnerability gives parents a way to talk to their children about online fraud and cybercriminals: “Fortnite is not a game. It is an infrastructure, a platform, where you buy things, communicate with friends, joke with people online, and [where] most of the players are kids. That’s why we are happy to help Epic Games fix this, and make sure that consumers understand what is happening.”
In September, Facebook disclosed a similar vulnerability that compromised the security of 50 million profiles when attackers stole access tokens that allowed them to break into accounts. Facebook inadvertently leaked user access tokens it generated itself, on its own website. In the case of Fortnite, however, the main security issue involved the implementation of the site's third-party sign-on system, and how Epic Games handled the access token it received from those third parties.
“There is an ongoing discussion [in the security community] about how to do this right, and how to make it easier to do it right, to make sure that people don’t have these kinds of screw-ups,” security consultant Eleanor Saitta said of token-based authentication systems.
Signing in with a Google or Facebook account is convenient for users, who don’t have to remember another username or password. But, Saitta said, it’s not necessarily worth the security tradeoff: “My advice is that you don’t want to tie applications when you don’t need to. You want services segmented. Get a password safe, and have that safe manage all your passwords.”