Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //

Data Leakage

1/18/2019
09:35 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

Vulnerability Puts Millions of Fortnite Players at Risk, Check Point Finds

Epic Games, the developer of Fortnite, fixed vulnerabilities in its web infrastructure that researchers said exposed the sensitive information of users of the wildly popular online game.

Check Point Software researchers discovered vulnerabilities in the hugely popular online game Fortnite that could have put the sensitive information of the almost 80 million users around the globe at risk.

Through the vulnerabilities, attackers could have stolen the usernames and passwords, which would have given them access to a vast amount of information stored in the accounts, enabled them to listen to and record conversations during the games, hear surrounding sounds and chatter within a user's home or wherever they were playing from, access users' in-game contacts and buy V-Bucks, the currency used in the game.

Check Point researchers notified Fortnite's developer, Epic Games, about the vulnerabilities in the company's web platform and they have since been fixed, according to Check Point and Epic. Epic officials in a statement noted: "...we were made aware of the vulnerabilities and they were soon addressed … As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others."

There's no indication that the vulnerabilities were used to attack Fortnite gamers, but they represented a significant threat given the massive numbers of people -- many of them children, though some of them are professional gamers -- who play the game. It's used on all the top game consoles, including Microsoft's Xbox One, Nintendo Switch and Sony's PlayStation 4, and is available on the Android and Apple iOS mobile platforms and on PCs through Microsoft Windows.

Given the runaway popularity, Fortnite players have been targeted in the past, including through campaigns aimed at enticing users to log into fake websites that have offered the ability to run the game on some unsupported mobile platforms or to generate V-Bucks. Last year some Fortnite players found their game accounts had been breached and that bad actors had rung up hundreds of dollars in purchases. (See Fortnite Players Lob Shots at Epic Games Over Hacked Accounts.)

In their report, "Hacking Fortnite Accounts," Check Point researchers noted that the popularity of Fortnite has translated into a lot of money for Epic, with the game generating almost half of the company's $5 billion to $8 billion of estimated value.

"With such a meteoric rise in fortune, it is no surprise then that the game had already attracted the attention from cyber criminals who set out to con unsuspecting players," they wrote.

Eran Vaknin, security expert at Check Point, also noted the global popularity of the game when talking about the latest vulnerabilities found by his company.

"Fortnite is the biggest online social game created in the wild, so the vulnerability exposes [all of its] users and this is the big picture," Vaknin told Security Now in an email. "The account takeover vulnerability is unique since we didn't see any report mentioned. It has happened in the past for Epic Games. The attack is seamless to the victim [and] everything is happening automatically behind the scenes."

He added that the researchers "treat Fortnite … as an infrastructure for people to collaborate together in kind of a social network, so I think that our vulnerabilities affect the same risk level of a business attack."

Unlike other attacks, the vulnerabilities found by Check Point analysts would have needed only for a gamer to click on a phishing link that appeared to be coming from an Epic Games domain.

If the gamer clicked on the link, the attacker would be able to grab the user's Fortnite authentication token without the user having to enter login credentials. The researchers found three flaws in Epic's web infrastructure that would have enabled attackers to steal user access credentials via the token-based authentication process used with Single Sign-On (SSO) systems like Facebook, Google and Xbox.

With these credentials, the bad actors could take over users' accounts.

The researchers showed that flaws in two of Epic's sub-domains were vulnerable to malicious redirects, which would have enabled hackers to grab users' legitimate authentication tokens from the compromised sub-domain through a cross-site scripting (XSS) attack.

Because of the amount of private data -- such as credit card numbers -- that are in users' accounts, Fortnite is "very attractive and valuable target on all of the platforms," Vaknin said.

There are several ways for users and organizations to protect themselves against such attacks, the researchers note. Gamers should always question the legitimacy of links they see on user forums and websites and use two-factor authentication. Parents should educate their children about cybersecurity and organizations need to ensure that their infrastructure's security is up to date.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Digital Clones Could Cause Problems for Identity Systems
Robert Lemos, Contributing Writer,  8/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8913
PUBLISHED: 2020-08-12
A local, arbitrary code execution vulnerability exists in the SplitCompat.install endpoint in Android's Play Core Library versions prior to 1.7.2. A malicious attacker could create an apk which targets a specific application, and if a victim were to install this apk, the attacker could perform a dir...
CVE-2020-7029
PUBLISHED: 2020-08-11
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura Messaging. This vulnerability could allow an unauthenticated remote attacker to perform Web administration actions with the privileged ...
CVE-2020-17489
PUBLISHED: 2020-08-11
An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible f...
CVE-2020-17495
PUBLISHED: 2020-08-11
django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
CVE-2020-0260
PUBLISHED: 2020-08-11
There is a possible out of bounds read due to an incorrect bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-152225183