Fortnite players have narrowly escaped a major hack. Researchers identified a vulnerability that could have put millions of accounts at risk. Fortunately, Epic Games patched this Fortnite bug before any widespread exploitation occurred.
Fortnite Bug Allowing Massive Account Hacks
Researchers from Check Point Research have disclosed, in a recent report, a vulnerability that posed a serious threat to Fortnite players. The reported Fortnite bug could allow an attacker to gain access to millions of accounts.
As specified in their report, they spotted a bug in Epic Games' subdomains that could permit XSS attacks. A potential attacker could exploit this vulnerability to obtain the victim player's login credentials.
“By discovering a vulnerability found in some of Epic Games’ sub-domains, an XSS attack was permissible with the user merely needing to click on a link sent to them by the attacker. Once clicked, with no need even for them to enter any login credentials, their Fortnite username and password could immediately be captured by the attacker.”
According to the researchers, they found a vulnerable subdomain http://ut2004stats.epicgames.com/. This page supposedly provided game stats. However, the search bar of this page could serve as an “injection point for the XSS vulnerability”.
From this page, they began looking for details and found problems with the single sign-on (SSO) mechanism. As stated,
“It turns out that when a player logs in to his account by clicking on the “Sign In” button, Epic Games generates a URL containing a “redirectedUrl” parameter… This parameter is later used by “accounts.epicgames.com” in order to redirect the player to his account page. However, we soon found that it was possible to manipulate the redirect URL and direct the user to any web page within the “*.epicgames.com” domain.”
At this point, the researchers demonstrated that redirecting the user to a vulnerable subdomain carrying an XSS payload could allow an attacker to steal the victim's user authentication code. Ultimately, the attacker could gain access to the victim's Fortnite account.
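The redirect validation problem described above, shown from the defender's side as an added example that is not code from Check Point's report or from Epic Games: a wildcard `*.epicgames.com` check accepts the legacy stats host, while an exact-match allowlist does not. The allowlist entries, paths, fallback URL and function names are assumptions made for illustration.

```javascript
// Added example: validating a post-login redirect target in an SSO flow.
// Allowlist entries and paths below are assumed, not Epic Games' real configuration.
const ALLOWED_REDIRECTS = new Map([
  ["accounts.epicgames.com", ["/account/"]],
  ["www.epicgames.com", ["/"]],
]);
const FALLBACK = "https://accounts.epicgames.com/account/"; // assumed safe default

// Weak pattern from the report: any host under *.epicgames.com is trusted,
// so one forgotten subdomain with an XSS bug compromises the whole flow.
function isAllowedWildcard(target) {
  try {
    const host = new URL(target).hostname;
    return host === "epicgames.com" || host.endsWith(".epicgames.com");
  } catch {
    return false; // relative or malformed input
  }
}

// Stricter check: https only, exact host match, no userinfo or custom port,
// and the normalised path must start with an allowed prefix.
function isAllowedStrict(target) {
  let u;
  try { u = new URL(target); } catch { return false; }
  if (u.protocol !== "https:") return false;
  if (u.username || u.password || u.port) return false;
  const prefixes = ALLOWED_REDIRECTS.get(u.hostname);
  if (!prefixes) return false;
  return prefixes.some((p) => u.pathname.startsWith(p));
}

// Never echo a rejected target back; fall back to a fixed page instead.
function resolveRedirect(target) {
  return isAllowedStrict(target) ? new URL(target).href : FALLBACK;
}

// Constructed sample inputs (only the two hostnames come from the article).
const SAMPLES = [
  "https://accounts.epicgames.com/account/personal",
  "http://ut2004stats.epicgames.com/",
  "https://accounts.epicgames.com/account/../other",
];
for (const s of SAMPLES) {
  console.log(s, "wildcard:", isAllowedWildcard(s), "strict:", isAllowedStrict(s));
}
```

The strict check limits the trust boundary to hosts that are actively maintained, so an XSS flaw on an old subdomain can no longer be chained with the login redirect.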
The researchers have shared a demo video showing how the attack worked.
Epic Games Patched The Flaw
Check Point Research reported the flaw to Epic Games right after the discovery. Consequently, the developers patched the flaw, thus securing millions of accounts from a potentially devastating hacking campaign.
Popular games like Fortnite are always alluring for criminal hackers. That’s why the players repeatedly witness scams and hacking campaigns. According to Check Point Research,
“Fortnite is the game responsible for almost half of their $5bn-$8bn estimated value.”
Fortunately, game developers have proved themselves vigilant enough to fix the bugs at the earliest opportunity. In August 2018, too, Epic Games patched a flaw in the Fortnite Android app that made it vulnerable to man-in-the-disk (MITD) attacks.