Check Point Software Technologies has discovered a vulnerability in Fortnite that could put the millions of players worldwide at risk.
Researchers at Check Point discovered three vulnerabilities in Epic Games’ web infrastructure and using these showed how the token-based authentication used in conjunction with single sign-on solutions such as Facebook, Google and Xbox could compromise a user’s account.
This is all prompted through the use of phishing tactics where an attacker sends the target a link coming from an Epic Games domain.
Once that link is clicked the attacker can capture the user’s authentication token. The aforementioned flaws include one of Epic’s sub-domains which were susceptible to malicious redirects and allowed attackers to intercept authentication tokens.
Should an attacker get their hands on that, a user’s account would be completely compromised. The attacker could listen in on private conversations in game and even purchase V-Bucks on the target’s account.
“Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy,” said Oded Vanunu, head of products vulnerability research for Check Point.
“Together with the vulnerabilities we recently found in the platforms used by drone manufacturer DJI, show how susceptible cloud applications are to attacks and breaches. These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability,” Vanunu added.
Check Point did inform Epic Games of its discovery and the vulnerabilities have since been fixed.
The firm concludes by urging internet users to enable two-factor authentication where possible.
For this interested in the technical details of this discovery you can find the details over on Check Point’s research blog.