Fortnite Attack Allowed Taking Over Player Accounts
Security researchers have found several vulnerabilities in the online game Fortnite that could have allowed hackers to break into player accounts, access their personal information, buy in-game currency with the linked credit cards and record their conversations.
Fortnite is one of the most popular online games, with more than 125 million players who spend hundreds of millions of dollars per month combined. The game platform allows players to earn or buy a currency called V-Bucks that then can be spent on various items.
Researchers from security firm Check Point Software Technologies found several vulnerabilities in the online platform of Epic Games, Fortnite’s creator, that could be combined to build an attack in which users only click on a maliciously crafted link and expose their accounts.
The researchers first identified an old Epic Games website running on a subdomain of epicgames.com, the same domain hosting the accounts.epicgames.com site used for Fortnite authentication. They then found a cross-site scripting (XSS) vulnerability on the old website, which allowed them to create a link that would execute rogue JavaScript code in a user’s browser when visited.
They then investigated the OAuth single sign-on (SSO) implementation used by Epic Games’ platform, which allows players to authenticate with their Facebook, PlayStation Network, Xbox Live, Nintendo or Google accounts.
In OAuth terms, these are known as identity providers and the process works as follows: When the user tries to authenticate, the website makes a request to the identity provider. The provider checks if the user is logged in on its own platform and responds with an authentication token to the initiating website. This token tells the website that the user has been verified by the identity provider and can be allowed to access his account.
In this case, the researchers noticed that the OAuth requests sent by Epic Games’ website contained a state parameter that could be manipulated to include a redirect to another site along with a JavaScript payload. So they created a link that, when clicked by users, initiates OAuth requests to Facebook or another supported identity provider.
The requests contain the manipulated state parameter, which the identity provider returns back through the user’s browser to accounts.epicgames.com along with the SSO authentication token. The Epic Games site then interprets the rogue state parameter and redirects the user to the old and vulnerable website on the forgotten epicgames.com subdomain, where the malicious JavaScript payload is executed through the XSS vulnerability.
The rogue JavaScript code captures the SSO authentication token and sends it to a server controlled by the attackers, allowing them to access the user’s account.
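The flow above works because two things that should have been separate were bound together: the OAuth `state` value carried a redirect target the site honoured blindly, and the token landed on a page the attacker could script. The following is an added example (not code from Epic Games, Check Point or any real OAuth library) of how a relying party can keep `state` opaque and keep post-login redirects on its own site. The hostnames, client id, session dictionary and allowed paths are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse

# Hypothetical relying-party settings, constructed for this example.
OUR_HOST = "accounts.example.test"          # placeholder, not a real host
IDP_AUTHORIZE = "https://idp.example.test/authorize"
CLIENT_ID = "demo-client"                    # placeholder client id
ALLOWED_RETURN_PATHS = ("/", "/account", "/store")  # site-relative only


def safe_return_path(candidate: str) -> str:
    """Reduce an untrusted 'where to go after login' value to a path on our
    own site. Anything that could leave the site (absolute URL, protocol-
    relative //host, /\\host which some browsers treat like //host, or a
    javascript: scheme) collapses to "/"."""
    parsed = urlparse(candidate)
    if parsed.scheme or parsed.netloc:
        return "/"
    if not candidate.startswith("/") or candidate.startswith(("//", "/\\")):
        return "/"
    path = parsed.path
    if path in ALLOWED_RETURN_PATHS:
        return path
    if any(path.startswith(p + "/") for p in ALLOWED_RETURN_PATHS if p != "/"):
        return path
    return "/"


def begin_login(session: dict, return_to: str = "/") -> str:
    """Step 1: mint an unguessable state nonce, bind it to the user's session,
    and record the (sanitised) return path server-side. Only the nonce goes
    into the state parameter, so state can never carry a redirect target."""
    nonce = secrets.token_urlsafe(32)
    session["oauth_state"] = nonce
    session["oauth_return_to"] = safe_return_path(return_to)
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": f"https://{OUR_HOST}/callback",
        "state": nonce,
    })
    return f"{IDP_AUTHORIZE}?{query}"


def finish_login(session: dict, callback_params: dict) -> tuple:
    """Step 2: the identity provider sends the browser back with state and
    code. Compare state to the session copy in constant time; on mismatch
    discard the response entirely (the token is never used or exposed).
    On success, redirect only to the path recorded in Step 1."""
    expected = session.pop("oauth_state", None)
    received = callback_params.get("state", "")
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        session.pop("oauth_return_to", None)
        return (False, "/")
    return (True, session.pop("oauth_return_to", "/"))


if __name__ == "__main__":
    session = {}
    print(begin_login(session, "/store"))
    # A tampered state carrying a redirect plus payload is simply not the nonce.
    print(finish_login(dict(session), {"state": "https://old.example.test/?q=<script>", "code": "x"}))
    print(finish_login(session, {"state": session["oauth_state"], "code": "x"}))
```

The design point is that `state` is compared, never interpreted: a tampered value fails the session check and the callback is dropped before any token is touched, and the only redirect the site will ever perform is to a path it chose itself before the round trip began.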
“By discovering a vulnerability found in some of Epic Games’ sub-domains, an XSS attack was permissible with the user merely needing to click on a link sent to them by the attacker,” the Check Point researchers said in a detailed report. “Once clicked, with no need even for them to enter any login credentials, their Fortnite username and password could immediately be captured by the attacker.”
The vulnerabilities have been privately reported to Epic Games and have been fixed, but the case shows the dangers of authentication flaws in online gaming platforms. Games such as Fortnite are played by many kids and teenagers, and this attack would have allowed hackers to, among other things, record players’ in-game chatter and background conversations in their homes.
Due to Fortnite’s popularity, its players are constantly targeted by various phishing scams that promise them V-Bucks, so there’s a clear interest in Fortnite account takeover attacks.
For businesses, this vulnerability highlights the weaknesses of single sign-on (SSO) implementations and the risks associated with having old and potentially vulnerable websites on forgotten subdomains. All companies should have a clear inventory of their online properties and when one is not needed anymore or gets replaced, it should be removed.
“SSO attacks are on the rise and seek to capture the access token used to authenticate an end user,” said Tim Mackey, a senior technical evangelist at security firm Synopsys, via email. “Access tokens authenticate end users without requiring them to enter a username and password. One benefit to an attacker of an SSO access token is that if a user changes their username or password, the token remains valid. Since end users need to take explicit action within the SSO provider to invalidate tokens, the value of a token to an attacker is higher than the value of a username and password.”