Security Experts:

Vulnerability Allowed Fortnite Account Takeover Without Credentials

Hacking game accounts is a popular -- and enriching -- pastime. The rise of in-game marketplaces that can be used for buying and selling game commodities has attracted hackers who break into gamers' accounts, steal their game commodities (and anything else they can find from personal data to parents' bank card details) and sell them on for cash. 

The traditional route has always been to phish the gamers' credentials -- and obviously the bigger and more popular the game, the bigger the pool for phishing. Checkpoint recently discovered a vulnerability (now fixed) in the biggest game of all that allowed criminals to gain access to users' accounts without requiring credentials. 

The Target was Fortnite, an online video game developed by Epic Games and released in July 2017. It was played by nearly 80 million people in August 2018, and boasts something like 125 million accounts. It accounts for nearly half of Epic Games' $5 to $8 billion estimated company value. Fortnite's in-game currency is the 'V-Buck', which can be earned within the game, can be used to purchase game commodities from other users, and sold for fiat cash outside of the game.

The vulnerability came to light when Check Point researchers realized the Epic Games login page, accounts.epicgames.com, had not been validated and was susceptible to a malicious redirect. The also discovered a separate unused and flawed Epic subdomain, where they identified an XSS attack to load their own JavaScript.

The usual method for gamers to authenticate themselves for Fortnite is to employ Facebook, Google or X-Box SSO capabilities. Users would visit the Epic login page and choose 'login with, say, Facebook'. Epic would then request and receive an access token from Facebook, and the user would gain access to his or her account.

However, with the flaw discovered by Checkpoint, the redirect URL would send the gamer to the login page and then be redirected to the compromised sub-domain. Here, the attacker's JavaScript would send a second request for the user credentials from Facebook, receive them, and send them to the attacker.

"All a victim needs to do is click on the malicious phishing link the attacker sends them, either in Fortnite chat, or via social media," writes Check Point. This link has the advantage of starting with the official EPIC login domain, and ending with another EPIC domain. "To increase the likelihood of a potential victim clicking on this link," continues Check Point, "it could be sent with an enticement promising free game credits. Once clicked, with no need even for the user to enter any login credentials, their Fortnite authentication token would immediately be captured by the attacker."

With that information, the attacker can access the user's account, steal personal information, listen in to in-game conversations, and buy and steal V-Bucks using the victim's own bank details. The V-Bucks could then be exchanged for real money in the real world.

In this instance the vulnerability arose because of EPIC's failure to employ proper validation checks on the login page (allowing the redirect) exacerbated by leaving an unused, insecure sub-domain to provide the redirect destination and house the script used to steal the gamers' credentials. This has now been fixed by EPIC.

But users can help themselves simply by employing two-factor authentication (as EPIC recommends). Users should, writes Check Point, "enable two-factor authentication. By doing so, and when logging into their account from a new device, the user is required to enter a security code that is then sent via email to the account owner." 2FA is not an automatic panacea for security, and can be by-passed in certain circumstances. That, however, would require considerably more effort from the attacker, where exploitation of this vulnerability requires no user hacking at all.

Related: Epic Games Resets Passwords Following Forum Breach 

Related: Epic Games Forums Hacked Again 

Related: Rockstar Games Launches Public Bug Bounty Program 

<iframe width="720" height="405" src="https://www.youtube.com/embed/poQmRWWh45s" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.