Security researchers have found several vulnerabilities in the online game Fortnite that could have allowed hackers to break into player accounts, access their personal information, buy in-game currency with the linked credit cards and record their conversations.
Fortnite is one of the most popular online games, with more than 125 million players who spend hundreds of millions of dollars per month combined. The game platform allows players to earn or buy a currency called V-Bucks that then can be spent on various items.
Researchers from security firm Check Point Software Technologies found several vulnerabilities in the online platform of Epic Games, Fortnite’s creator, that could be combined to build an attack in which users only need to click on a maliciously crafted link to expose their accounts.
They then investigated the OAuth single sign-on (SSO) implementation used by Epic Games’ platform, which allows players to authenticate with their Facebook, PlayStation Network, Xbox Live, Nintendo or Google accounts.
In OAuth terms, these are known as identity providers and the process works as follows: When the user tries to authenticate, the website makes a request to the identity provider. The provider checks if the user is logged in on its own platform and responds with an authentication token to the initiating website. This token tells the website that the user has been verified by the identity provider and can be allowed to access his account.
“By discovering a vulnerability found in some of Epic Games’ sub-domains, an XSS attack was permissible with the user merely needing to click on a link sent to them by the attacker,” the Check Point researchers said in a detailed report. “Once clicked, with no need even for them to enter any login credentials, their Fortnite username and password could immediately be captured by the attacker.”
The vulnerabilities have been privately reported to Epic Games and have been fixed, but the case shows the dangers of authentication flaws in online gaming platforms. Games such as Fortnite are played by many kids and teenagers, and this attack would have allowed hackers, among other things, to record players’ in-game chatter and background conversations in their homes.
Due to Fortnite’s popularity, its players are constantly targeted by various phishing scams that promise them V-Bucks, so there’s a clear interest in Fortnite account takeover attacks.
For businesses, this vulnerability highlights the weaknesses of single sign-on (SSO) implementations and the risks associated with having old and potentially vulnerable websites on forgotten subdomains. All companies should have a clear inventory of their online properties and when one is not needed anymore or gets replaced, it should be removed.
“SSO attacks are on the rise and seek to capture the access token used to authenticate an end user,” said Tim Mackey, a senior technical evangelist at security firm Synopsys, via email. “Access tokens authenticate end users without requiring them to enter a username and password. One benefit to an attacker of an SSO access token is that if a user changes their username or password, the token remains valid. Since end users need to take explicit action within the SSO provider to invalidate tokens, the value of a token to an attacker is higher than the value of a username and password.”
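As an added illustration (not code from Check Point, Epic Games or the original article), the sketch below shows one common hardening for the forgotten-subdomain risk described above: the site that receives the SSO token accepts only exactly registered callback URLs instead of anything under its parent domain. The article does not say how the token destination was validated, so the check itself, the `example.com` hosts and all function names are assumptions made up for this example.

```python
from urllib.parse import urlsplit

# Constructed values: example.com stands in for the platform's own domain.
PARENT_DOMAIN = "example.com"
# Exact (scheme, host, path) tuples registered for token delivery.
REGISTERED_CALLBACKS = {("https", "accounts.example.com", "/oauth/callback")}

def weak_check(url: str) -> bool:
    """Suffix match: trusts every host under the parent domain."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return False
    return host == PARENT_DOMAIN or host.endswith("." + PARENT_DOMAIN)

def strict_check(url: str) -> bool:
    """Exact match on scheme, host and path; rejects userinfo, odd ports,
    query strings and fragments so nothing can be smuggled alongside."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return False
    if parts.username or parts.password or port not in (None, 443):
        return False
    if parts.query or parts.fragment:
        return False
    return (parts.scheme, parts.hostname, parts.path) in REGISTERED_CALLBACKS

def audit(urls):
    """Destinations the suffix match would trust but the allowlist refuses."""
    return [u for u in urls if weak_check(u) and not strict_check(u)]

# Constructed sample destinations, including a legacy host nobody maintains.
SAMPLE = [
    "https://accounts.example.com/oauth/callback",
    "https://old-stats.example.com/search",
    "http://accounts.example.com/oauth/callback",
    "https://accounts.example.com/oauth/callback?next=/profile",
    "https://example.com.example.net/oauth/callback",
]

if __name__ == "__main__":
    for url in audit(SAMPLE):
        print("suffix match would deliver a token to:", url)
```

Running the audit over an inventory of real callback parameters seen in logs gives a quick list of hosts that a domain-wide trust rule is silently covering.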