Vulnerability Puts Millions of Fortnite Players at Risk, Check Point Finds

Check Point Software researchers discovered vulnerabilities in the hugely popular online game Fortnite that could have put the sensitive information of the almost 80 million users around the globe at risk.

Through the vulnerabilities, attackers could have stolen the usernames and passwords, which would have given them access to a vast amount of information stored in the accounts, enabled them to listen to and record conversations during the games, hear surrounding sounds and chatter within a user's home or wherever they were playing from, access users' in-game contacts and buy V-Bucks, the currency used in the game.

Check Point researchers notified Fortnite's developer, Epic Games, about the vulnerabilities in the company's web platform and they have since been fixed, according to Check Point and Epic. Epic officials in a statement noted: "...we were made aware of the vulnerabilities and they were soon addressed … As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others."

(Source: Epic Games)

There's no indication that the vulnerabilities were used to attack Fortnite gamers, but they represented a significant threat given the massive numbers of people -- many of them children, though some of them are professional gamers -- who play the game. It's used on all the top game consoles, including Microsoft's Xbox One, Nintendo Switch and Sony's PlayStation 4, and is available on the Android and Apple iOS mobile platforms and on PCs through Microsoft Windows.

Given the runaway popularity, Fortnite players have been targeted in the past, including through campaigns aimed at enticing users to log into fake websites that have offered the ability to run the game on some unsupported mobile platforms or to generate V-Bucks. Last year some Fortnite players found their game accounts had been breached and that bad actors had rung up hundreds of dollars in purchases. (See Fortnite Players Lob Shots at Epic Games Over Hacked Accounts.)

In their report, "Hacking Fortnite Accounts," Check Point researchers noted that the popularity of Fortnite has translated into a lot of money for Epic, with the game generating almost half of the company's $5 billion to $8 billion of estimated value.

"With such a meteoric rise in fortune, it is no surprise then that the game had already attracted the attention from cyber criminals who set out to con unsuspecting players," they wrote.

Eran Vaknin, security expert at Check Point, also noted the global popularity of the game when talking about the latest vulnerabilities found by his company.

"Fortnite is the biggest online social game created in the wild, so the vulnerability exposes [all of its] users and this is the big picture," Vaknin told Security Now in an email. "The account takeover vulnerability is unique since we didn't see any report mentioned. It has happened in the past for Epic Games. The attack is seamless to the victim [and] everything is happening automatically behind the scenes."

He added that the researchers "treat Fortnite … as an infrastructure for people to collaborate together in kind of a social network, so I think that our vulnerabilities affect the same risk level of a business attack."

Unlike other attacks, the vulnerabilities found by Check Point analysts would have needed only for a gamer to click on a phishing link that appeared to be coming from an Epic Games domain.

If the gamer clicked on the link, the attacker would be able to grab the user's Fortnite authentication token without the user having to enter login credentials. The researchers found three flaws in Epic's web infrastructure that would have enabled attackers to steal user access credentials via the token-based authentication process used with Single Sign-On (SSO) systems like Facebook, Google and Xbox.

With these credentials, the bad actors could take over users' accounts.

The researchers showed that flaws in two of Epic's sub-domains were vulnerable to malicious redirects, which would have enabled hackers to grab users' legitimate authentication tokens from the compromised sub-domain through a cross-site scripting (XSS) attack.

Because of the amount of private data -- such as credit card numbers -- that are in users' accounts, Fortnite is "very attractive and valuable target on all of the platforms," Vaknin said.

There are several ways for users and organizations to protect themselves against such attacks, the researchers note. Gamers should always question the legitimacy of links they see on user forums and websites and use two-factor authentication. Parents should educate their children about cybersecurity and organizations need to ensure that their infrastructure's security is up to date.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.