A game as big as Fortnite is obviously going to be a target for the more unsavory people of the world. Though a major concern is children falling victim to phishing attempts or other scams, those usually require the victim to attempt logging in on a bogus website. Today, Check Point Research has detailed a scary Fortnite vulnerability that doesn’t require victims to hand over their credentials before having their accounts compromised.
The vulnerability was present in several older Epic Games sub-domains, including one for Unreal Tournament 2004. Using these sub-domains, Check Point explains that a hacker would be able to create phishing links and acquire authentication information from other players without requiring them to enter their login credentials. Once the authentication token had been obtained by the hacker, they’d be able to take over the victim’s Fortnite account, buying V-Bucks with associated credit cards and partying up with others to eavesdrop on conversations.
“By discovering a vulnerability found in some of Epic Games’ sub-domains, an XSS attack was permissible with the user merely needing to click on a link sent to them by the attacker,” Check Point wrote in a technical article about the vulnerability. “Once clicked, with no need even for them to enter any login credentials, their Fortnite username and password could immediately be captured by the attacker.”
Since that token-based authentication method is used with Epic’s Single Sign-On systems, it doesn’t really matter what type of account the victim used to log into Fortnite. The game supports logins from Facebook, Xbox Live, Nintendo Switch Online, Google, and the PlayStation Network, and it sounds like all of those sign-on methods were at risk with this vulnerability.
Check Point, of course, notified Epic of the vulnerability well in advance of publishing this news. Check Point says that Epic has already patched the security flaw, so it shouldn’t be a concern anymore. Still, there’s no guarantee that Check Point was the only entity to stumble upon this vulnerability, which is certainly an unsettling idea.
Check Point’s research highlights the value of things like two-factor authentication, which Epic supports for locking down Fortnite accounts. If you’re a regular Fortnite player and you don’t have two-factor authentication enabled, it might be a good idea to turn that on now – after all, people aren’t going to stop looking for vulnerabilities within Fortnite and Epic’s larger ecosystem, and this one in particular shows us that you don’t necessarily need to do something dumb to fall victim to one of these attacks.