
Vulnerability Allowed Fortnite Account Takeover Without Credentials

Hacking game accounts is a popular — and enriching — pastime. The rise of in-game marketplaces that can be used for buying and selling game commodities has attracted hackers who break into gamers’ accounts, steal their game commodities (and anything else they can find from personal data to parents’ bank card details) and sell them on for cash. 

The traditional route has always been to phish the gamers’ credentials — and obviously the bigger and more popular the game, the bigger the pool for phishing. Check Point recently discovered a vulnerability (now fixed) in the biggest game of all that allowed criminals to gain access to users’ accounts without requiring credentials.

The target was Fortnite, an online video game developed by Epic Games and released in July 2017. It was played by nearly 80 million people in August 2018, and boasts something like 125 million accounts. It accounts for nearly half of Epic Games’ $5 to $8 billion estimated company value. Fortnite’s in-game currency is the ‘V-Buck’, which can be earned within the game, can be used to purchase game commodities from other users, and sold for fiat cash outside of the game.

The vulnerability came to light when Check Point researchers realized the Epic Games login page, accounts.epicgames.com, had not been validated and was susceptible to a malicious redirect. They also discovered a separate unused and flawed Epic subdomain, where they identified an XSS flaw that let them load their own JavaScript.

The usual method for gamers to authenticate themselves for Fortnite is to employ Facebook, Google or Xbox SSO capabilities. Users would visit the Epic login page and choose ‘login with, say, Facebook’. Epic would then request and receive an access token from Facebook, and the user would gain access to his or her account.

However, with the flaw discovered by Check Point, the redirect URL would send the gamer to the login page, from which he or she would then be redirected to the compromised sub-domain. Here, the attacker’s JavaScript would send a second request for the user credentials from Facebook, receive them, and send them to the attacker.

“All a victim needs to do is click on the malicious phishing link the attacker sends them, either in Fortnite chat, or via social media,” writes Check Point. This link has the advantage of starting with the official EPIC login domain, and ending with another EPIC domain. “To increase the likelihood of a potential victim clicking on this link,” continues Check Point, “it could be sent with an enticement promising free game credits. Once clicked, with no need even for the user to enter any login credentials, their Fortnite authentication token would immediately be captured by the attacker.”

With that information, the attacker can access the user’s account, steal personal information, listen in to in-game conversations, and buy and steal V-Bucks using the victim’s own bank details. The V-Bucks could then be exchanged for real money in the real world.

In this instance the vulnerability arose because of EPIC’s failure to employ proper validation checks on the login page (allowing the redirect), exacerbated by leaving an unused, insecure sub-domain in place to provide the redirect destination and house the script used to steal the gamers’ credentials. This has now been fixed by EPIC.
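The validation failure described above can be illustrated with a redirect check that trusts any subdomain next to one that requires an exact origin match. This is an added example, not code from Epic Games or Check Point; the `example.com` hostnames, the allowlist and the function names are hypothetical.

```javascript
// Added example: all hostnames and names here are hypothetical.
const ALLOWED_REDIRECT_ORIGINS = new Set([
  "https://www.example.com",
  "https://store.example.com",
]);
const DEFAULT_LANDING = "https://www.example.com/account";

// Weak check, shown for comparison: it trusts every subdomain of the
// parent domain, so a forgotten host such as legacy.example.com passes.
function weakIsAllowed(raw) {
  try {
    return new URL(raw).hostname.endsWith(".example.com");
  } catch {
    return false;
  }
}

// Hardened check: the post-login redirect must match an explicit origin
// (scheme + host + port) exactly; anything else gets the default page.
function resolveRedirect(raw) {
  if (typeof raw !== "string" || raw.length === 0) return DEFAULT_LANDING;
  // Backslashes and control characters are normalised differently by
  // browsers and servers, so refuse them before parsing.
  if (/[\\\u0000-\u001f]/.test(raw)) return DEFAULT_LANDING;
  let url;
  try {
    url = new URL(raw); // no base URL: relative and "//host" input throws
  } catch {
    return DEFAULT_LANDING;
  }
  if (url.protocol !== "https:") return DEFAULT_LANDING;
  // "https://www.example.com@other.test/" puts the trusted name in userinfo.
  if (url.username || url.password) return DEFAULT_LANDING;
  if (!ALLOWED_REDIRECT_ORIGINS.has(url.origin)) return DEFAULT_LANDING;
  return url.href;
}
```

Keeping the allowlist to hosts that are actively maintained is what stops an unused subdomain from serving as a redirect destination.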

But users can help themselves simply by employing two-factor authentication (as EPIC recommends). Users should, writes Check Point, “enable two-factor authentication. By doing so, and when logging into their account from a new device, the user is required to enter a security code that is then sent via email to the account owner.” 2FA is not an automatic panacea for security, and can be bypassed in certain circumstances. That, however, would require considerably more effort from the attacker, whereas exploitation of this vulnerability requires no user hacking at all.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
