Researchers say Fortnite bugs put millions of users at risk

16 Jan 2019

Fortnite Twitch channel. Image: dimarik/Depositphotos

Cybersecurity firm Check Point says a flaw in Fortnite exposed player accounts to a potential malicious attack.

Epic Games, the developer behind the wildly successful Fortnite game, has patched an infrastructural vulnerability that would have allowed hackers to gain access to user accounts. Cybersecurity firm Check Point reported the error to the game developer last year.

Oded Vanunu, one of the researchers behind the discovery of the flaws, said the issues were reported to Epic Games in early November of last year, with a fix following later that month. According to Vanunu, the company did not provide Check Point with any progress reports on the fix or an estimated time of arrival for the patch.

A combination of issues

Three vulnerabilities in combination would have permitted a moderately skilled hacker to steal an account access token on a player’s device once they entered their password.

The issue lies in how Epic Games deals with login requests. Check Point researchers said they were able to send any user a specially crafted link that looks like an official Epic Games message. Less technical players would be unlikely to notice anything unusual about the dodgy link.

Once the link is clicked by an unsuspecting player, a malicious script loaded by the hacker steals the victim’s single sign-on access token. With the token, a hacker could access user accounts, which could then be leveraged to buy in-game equipment with virtual currency that would later be resold. The flaw also gave the hacker access to conversations between the Fortnite player and their friends, which is a concern given that a large number of the players are children under the age of 18.

Vanunu said: “Your kids are playing a game, and people can listen to what they are doing.

“The child thinks he is talking to a 12-year-old kid, but he is talking to adults who might say ‘send me a picture of that and I will give you this weapon’. This is the craziness of this game.”

Fortnite developer responds

Nick Chester of Epic Games said: “We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention.

“As always, we encourage players to protect their accounts by not reusing passwords and using strong passwords, and not sharing account information with others.”

Vanunu warned of the growing prevalence of token theft by cybercriminals, adding that Fortnite and other major online games would continue to be attractive targets. Fortnite is no stranger to scams, with a whole slew of fake, malicious apps linked to the game making headlines last year.

To keep your account safe, Check Point recommends implementing two-factor authentication, which will provide an extra layer of security for players around the world. The Israeli cybersecurity firm also stressed that parents should warn children of potential fraud when playing games online.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects.