Epic Games patched a vulnerability that potentially exposed over 80 million Fortnite accounts. According to security research firm Check Point, numerous flaws were found in the online game. Cybercriminals could easily have taken over individual accounts to view account information, make purchases, and record in-game conversations and background conversations in the player's home.
Check Point disclosed the vulnerabilities to Epic Games in early November. Epic Games patched the vulnerabilities a few weeks later.
Check Point researchers found two old subdomains susceptible to SQL injection and XSS attacks. The vulnerability redirected traffic from Epic Games' main login page to an older, vulnerable subdomain.
It is important to note that Check Point believes the vulnerability was not exploited.
To exploit the vulnerability, attackers would first have had to send phishing links to Fortnite account holders. Once a user clicked the link, Epic Games would request the SSO (single sign-on) token from one of several platforms, such as Facebook, Google+, PlayStation, Xbox, or Nintendo. Once the SSO token was acquired, the page was redirected to a malicious URL. That URL contained an XSS payload, which requested the token again. Finally, the authentication token was sent to the attacker. The authentication token was simply hijacked from the single sign-on login, without Fortnite players ever entering their login credentials.
The vulnerability arose from Fortnite's generic SSO system, which worked across the multiple platforms associated with the game. SSO allows users to log in to various websites and services using the same credentials.
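The redirect step in the chain described above is where a defensive check belongs: a login flow should only ever forward a freshly issued SSO token to a current, trusted host, never to a retired subdomain. The following is an added example written for this post, not Epic Games' or Check Point's code; the allowlisted host names are made up.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts still permitted to receive a post-login
# redirect. Legacy or retired subdomains are deliberately left out, so an
# attacker cannot steer the token toward an old, weaker property.
ALLOWED_REDIRECT_HOSTS = frozenset({
    "www.example-game.test",
    "store.example-game.test",
})


def is_safe_redirect(url: str, allowed_hosts=ALLOWED_REDIRECT_HOSTS) -> bool:
    """Return True only if `url` may be used as a post-login redirect target.

    Same-origin relative paths are accepted. Absolute URLs must use https and
    name an allowlisted host exactly; there is no prefix or suffix matching,
    so "legacy.example-game.test" or "www.example-game.test.evil.test" fail.
    """
    # Control characters and backslashes are classic parser-confusion inputs.
    if not url or any(c in url for c in "\\\r\n\x00"):
        return False
    # Protocol-relative URLs ("//evil.test/...") resolve to a foreign origin.
    if url.startswith("//"):
        return False
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: must be rooted at "/" so it stays on this origin.
        return url.startswith("/")
    if parts.scheme.lower() != "https":
        return False
    # "https://trusted.host@evil.test/" puts the trusted name in userinfo.
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower()
    return host in allowed_hosts
```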
Epic Games commented on the report, saying:
“We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”
This massively popular game has a revenue of $5-8 billion, so it is no surprise that cyber criminals have targeted it. Fortnite was also the victim of an attack last August, when attackers created a fake website that promised players free 'V-Bucks', the game's in-game currency, if they entered their game login credentials. As the game gains more popularity, it becomes a bigger target for malicious actors. It is crucial for Epic Games to continue patching its systems and closing off any holes it finds.
If you believe your organization was victim to a cyber attack contact LIFARS immediately.