Experts find security gap in Fortnite affecting 80 million

Security experts have uncovered a flaw in Fortnite's login process. One wrong click was enough for hackers to access the data. 80 million accounts were potentially at risk.

Who are the security experts? The company is called “Check Point.” It is an Israeli security firm. Their experts have tried to find security vulnerabilities in Fortnite and indeed found some. They are basically “hackers on the side of good.”

That’s why they are testing Fortnite: The company says that the online game Fortnite is such an important target because about 80 million accounts log in each month; these are presumably the active players.

These players have personal information, credit card details, and other information linked to their accounts. All of that is data.

And whoever accesses this data can sell it.

As the head of the “vulnerability” researchers says, platforms like those of Epic are increasingly in the crosshairs of hackers because so much sensitive data is stored there. Moreover, there is a lively market for selling accounts that have special skins.

This was the flaw: The experts identified three vulnerabilities in Epic Games’ server structure that they could exploit.

This is partly because Epic wants to make it as easy as possible for players to log into Fortnite. Therefore, Epic allows access through “third parties” like Google or Facebook.

The diagram from Check Point shows the attack – Source: Check Point

In this process, an “authentication” token is created. The attackers were able to intercept this because the login page “accounts.epicgames.com” was vulnerable to a redirect.

Thus, the attackers could load JavaScript on another Epic Games subpage, to which players were lured. This allowed them to siphon off login data.
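
As an added example (not code from Check Point or Epic Games), this sketch shows one defense against the redirect weakness described above: the login service hands the token only to a fixed list of exact callback URLs instead of trusting any page under the company domain. The hosts, paths and function names are hypothetical.

```javascript
// Added example. Hosts, paths and function names are hypothetical.
// Exact callback URLs (origin + path) that may receive a login token.
const ALLOWED_CALLBACKS = new Set([
  "https://accounts.example.com/login/complete",
  "https://store.example.com/sso/callback",
]);

// Weak check, shown for contrast: any host under the company domain passes,
// so one script-injectable page anywhere on the domain can receive the token.
function weakIsAllowed(target) {
  try {
    return new URL(target).hostname.endsWith(".example.com");
  } catch {
    return false; // relative or malformed URL
  }
}

// Strict check: https only, no embedded credentials, exact origin + path match.
// Returns the canonical allowlisted URL (query and fragment dropped) or null.
function safeRedirectTarget(target) {
  let u;
  try {
    u = new URL(target); // throws on relative input such as "//host/path"
  } catch {
    return null;
  }
  if (u.protocol !== "https:") return null;
  if (u.username || u.password) return null;
  const canonical = u.origin + u.pathname; // host lowercased, "../" resolved
  return ALLOWED_CALLBACKS.has(canonical) ? canonical : null;
}

// Constructed sample inputs: only the first is a registered callback.
const samples = [
  "https://store.example.com/sso/callback?state=abc",
  "https://legacy.example.com/search?q=x",
  "https://accounts.example.com.evil.test/login/complete",
  "https://store.example.com/sso/callback/../../other",
  "http://store.example.com/sso/callback",
];
for (const s of samples) {
  console.log(weakIsAllowed(s), safeRedirectTarget(s), s);
}
```

The second sample is the case that matters here: the weak check accepts it because the host belongs to the company domain, while the strict check rejects it because that page is not a registered callback.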

What did players have to do wrong? For the attack, it was enough for players to click on a “phishing link”: for example, a link in an email that promised them free V-Bucks, a popular bait.

As soon as the players clicked on the link, the attackers already had the data. The players did not even have to provide their account data.

This is what attackers could have done with the data: The attackers could have charged the credit cards, siphoned off data, or listened in on the in-game chat.

This is what the security experts did: The people from Check Point communicated all their findings to Epic Games before publication. Epic has since closed the security gaps, as the Forbes website reports.

This is what the experts recommend: 

  • The company recommends that every customer implement two-factor authentication. Epic agrees.
  • The professionals advise companies like Epic to collaborate with other major gaming companies. Blizzard has had the same problems for years. An industry that makes billions should share its methods with others and show that it cares about the well-being of customers and fans.
Source(s): Check Point, Forbes
This is an AI-powered translation. Some inaccuracies might exist.