Cyber security firm Check Point has found a vulnerability in the online video game Fortnite that would have allowed threat actors to access players' login details and payment information
A vulnerability has been found in the hugely popular online video game Fortnite’s security that would have let its 80 million players’ credentials and personal information be hacked.
Once logged on to a victim’s account, the hackers could have then bought in-game currency using their payment card details and listened in to conversations at their home using the game’s chat feature.
The researchers at cyber security firm Check Point, which exposed the vulnerability, have since reported it to Fortnite’s developer Epic Games and a fix has now been deployed.
“Fortnite is one of the most popular games played mainly by kids and these flaws provided the ability for a massive invasion of privacy,” said Oded Vanunu, head of products vulnerability research for Check Point.
“Together with the vulnerabilities we recently found in the platforms used by drone manufacturer DJI, show how susceptible cloud applications are to attacks and breaches.
“These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold – enforcing two-factor authentication could mitigate this account takeover vulnerability.”
What is Fortnite?
Fortnite was released in July 2017 and has generated almost half of Epic Games’ $5bn-plus (£3.9bn) value.
Its battle royale gaming mode – in which up to 100 players fight to be the last one standing on a large island – has proven popular on multiple gaming platforms, from Android and iOS mobile operating consoles to Xbox One and PlayStation 4 consoles.
In addition to casual players, Fortnite is used by professional gamers who stream their sessions online and is popular with e-sports enthusiasts.
The title uses a “freemium” model as gamers can play a basic version for free but can buy in-game extras.
How Fortnite security breach could have been exploited
The vulnerability Check Point identified could have been exploited via the game’s login process and flawed web infrastructure.
Researchers were able to manipulate the token-based authentication process used by Fortnite in conjunction with Single Sign-On (SSO) systems such as Facebook, Google, Xbox and PlayStation to steal the user’s access credentials and take over their account.
To fall victim to this attack, a player needs only to click on a crafted phishing link, which comes from a genuine Epic Games domain, making it appear legitimate.
Once clicked, the gamer’s Fortnite authentication token could be captured by the attacker without the user entering any login credentials.
What Check Point recommends to Fortnite players
Check Point and Epic Games have advised all users to remain vigilant whenever exchanging information digitally, and to practise safe cyber habits when engaging with others online.
The cyber security firm says in order to minimise the chances of falling victim to an attack similar to what Fortnite could have suffered from, users should enable two-factor authentication.
This means ensuring that when logging into their account from a new device, the player would need to enter a security code sent to the account holder’s email addresses.
It is also important that parents make their children aware of the threat of online fraud and warn them that cyber criminals will do anything to gain access to personal and financial details that may be held as part of a gamer’s online account.