Israeli cyber experts reveal Fortnite flaw threatening millions of gamers

The vulnerabilities, if exploited, would have enabled full access to a user's account and their personal information, including purchasing in-game currency using their payment card details.

Twenty-seven-year-old Christian Acevedo plays the video game 'Fortnite Battle Royale' from his home in Brooklyn, New York, U.S., on April 21, 2018. Acevedo says if he doesn't have to work the next day, he often stays up all night to play the popular game (photo credit: JILLIAN KITCHENER/REUTERS)
Vulnerabilities potentially granting hackers access to personal information belonging to nearly 80 million players of popular online video game Fortnite were unveiled by researchers at leading Israeli cybersecurity company Check Point Software Technologies on Wednesday.
First released in 2017 by American video game developers Epic Games, Fortnite is a free-to-play battle game available on a range of platforms and consoles.
The vulnerabilities, if exploited, would have enabled full access to a user’s account and their personal information, including purchasing in-game currency using their payment card details, as well as listening to in-game chatter and surrounding sounds and conversations within the user’s home or playing location.
“Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy,” said Oded Vanunu, head of products vulnerability research for Check Point.
We see “how susceptible cloud applications are to attacks and breaches. These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability.”
Researchers discovered multiple vulnerabilities in Epic Games’ online infrastructure, which could enable hackers to exploit Fortnite’s user login process.
Researchers were able to demonstrate how the token-based authentication process, used in conjunction with Single Sign-On (SSO) systems such as Facebook, Google and Xbox, could be abused to steal users’ access credentials and take over their accounts. To fall victim, users needed only to click on a crafted phishing link fraudulently coming from an Epic Games domain.
Once clicked, the user’s Fortnite username and password could be immediately captured by the attacker without the user entering any login credentials.
Check Point notified Epic Games of the vulnerability, which has since been fixed, but warned users to always remain vigilant when exchanging information digitally and to question the legitimacy of links to information seen on user forums and websites.
Previous scams targeting Fortnite gamers have primarily focused on deceiving users into clicking on offers for “free” in-game currency and then requesting their Fortnite login details and other personal information.
Over a one-month period from early September to early October 2018, Maryland-based cybersecurity company ZeroFOX identified over 50,000 examples of Fortnite scams across social media and digital platforms.