Millions Of Fortnite Accounts Were Exposed To Glaring Security Vulnerability Say Researchers
The vulnerability was discovered by Israeli cyber security company Check Point this past November. Epic Games quickly and quietly fixed the issue. They recently remarked, “We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”
Hackers would have been able to hijack single-sign-on (SSO) tokens. SSO tokens are an authentication process that enable users to access more than one application with only one set of login credentials. These tokens are exchanged between providers such as Facebook
Users are able to sign-in to the Epic Games server through Google, Facebook, Playstation, Xbox, or Nintendo accounts. Security Check discovered two Epic Games subdomains where the tokens could transferred to hackers. They would have been able to easily redirect users to these subdomains and then gain access to users’ accounts. These subdomains could have also potentially been shared on social media to attract more victims.
Users who utilize two-factor authentication (2FA) would have likely been unaffected by this vulnerability. Check Point also noted that tech-savvy users would have probably also noticed the wonky parameters of the hijacked subdomain. However, many of Fortnite’s 125 million players may not have noticed the warning signs or taken precautionary measures. Check Point security researcher Oded Vanunu noted, “We are here to prove and raise awareness since most of the players are kids!”
Fortnite’s popularity has made it a target for hackers. This past spring, hackers were able to access Epic Games accounts that had a PayPal account tied to them. Rumor has it that some of the victims were using the same passwords across multiple internet accounts. More recently, an Android installer security flaw allowed hackers to install malware. Epic Games was thankfully able to fix the issue within 48 hours of it being reported. Epic Games will need to be more vigilant, especially if they plan to compete with Steam.