A security bug in Epic Games’ Fortnite allowed a group of hackers to gain access to user accounts. Researchers at Check Point Research discovered this flaw and notified Epic Games, therefore, leading to the subsequent patching of the bug within a few weeks.
The hackers were able to access the accounts after the users clicked on a suspicious link that was sent to them. In a statement, Epic Games thanked Check Point Research for their assistance and emphasized the importance of security for Fortnite users, saying:
“We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”
Once the hackers had gained control of the user accounts, they could potentially eavesdrop on conversations taking place in the game. Furthermore, they could purchase and gift V-bucks, the in-game currency. It is also worth noting that since Fortnite does not allow multiple logins from a single account, once a hacker was signed in, the victim was unable to log on to his or her own account.
As far as the nature of the vulnerability is concerned, it basically involved Epic Games’ Single Sign-On implementation that is used by other login providers as well, including Facebook, Google+, Xbox and PlayStation Network.
It leads to a redirect URL which is then exploited by hackers to lead the victim to a vulnerable web page where the username and password are subsequently stolen. However, for this entire hack to work successfully, a user must click on a malicious link that is sent to his or her account.
While the flaw has been corrected, malicious attempts towards Fortnite user accounts are still common, including money laundering schemes that involve the use of stolen credit cards to purchase V-bucks and later sell them on the dark web at discounted prices.