Fortnite vulnerability could have enabled account hijacking

Check Point reveals how trio of web vulnerabilities could allow account takeover

The publisher of smash-hit online game Fortnite has closed a trio of serious vulnerabilities unearthed by researchers from security vendor Check Point.

In combination, the vulnerabilities allowed Check Point’s researchers to snaffle a user’s authentication token.

Epic Games' implementation of single sign-on and a cross-site scripting vulnerability as well as a SQL injection vulnerability on a subdomain of the site allowed an attacker to hijack an account.

From there the attacker could access personal information, purchase the in-game currency employed by Fortnite (‘V-bucks’), and potentially impersonate the accountholder in conversations with other players or eavesdrop on their conversations.

“By discovering a vulnerability found in some of Epic Games’ sub-domains, an XSS attack was permissible with the user merely needing to click on a link sent to them by the attacker,” the researchers said in the write-up of their investigations.

“Once clicked, with no need even for them to enter any login credentials, their Fortnite username and password could immediately be captured the attacker.”

“Fortnite is one of the most popular games played mainly by kids,” Check Point’s head of products vulnerability research, Oded Vanunu, said in a statement. “These flaws provided the ability for a massive invasion of privacy.”

“Together with the vulnerabilities we recently found in the platforms used by drone manufacturer DJI, show how susceptible cloud applications are to attacks and breaches,” Vanunu said.

“These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability.”

The security firm contacted Epic Games before publishing its research, and the vulnerabilities have been addressed, Check Point said.

"We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention," an Epic Games spokesperson said. "As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others."

‘Fortnite Battle Royale’ is a free-to-play game released in 2017. Epic earns revenue through V-bucks microtransactions.

According to research firm SuperData, Fotnite in 2018 generated the most annual revenue of any game in history. In 2018 Epic reaped $2.4 billion from the title, which is playable on console and mobile platforms as well as PCs.