Cybercriminals could have hacked into any Fortnite player’s account by taking advantage of a series of flaws on the video game maker’s website, according to new research.
Researchers from cybersecurity firm Check Point found that they could redirect traffic from Epic Games’s main login page—accounts.epicgames.com—to another page on the company’s website. There, they could then steal login tokens, a sort of digital key that allows Fortnite players to login with their accounts on other services such as Facebook, PlayStationNetwork, Xbox Live, Nintendo, and Google+.
The first step in an attack like this would be to trick a Fornite player to click on a malicious link, according to Check Point’s research published on Wednesday.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
Once the target clicked on the link, the hackers could force the service that provided the login—be it Facebook or Xbox Live—to resend the login token to an old and vulnerable Epic Games subdomain dedicated to Unreal Tournament statistics. That page, which is now offline, contained two vulnerabilities that are often found in websites: an SQL Injection (or SQLi), and a Cross-Site Scripting (or XSS), according to Check Point researchers.
These bugs allowed the researchers to steal the victim’s login token and log into the videogame at them. The researchers made a proof-of-concept video to explain the hack.
The makers of the popular online video game appeared to confirm Check Point’s research.
The company did not immediately respond to Motherboard’s request for comment. In a statement to Wired , an Epic Games spokesperson said: “We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.” Check Point wrote in an email that Epic Games has fixed the vulnerabilities.
This is another example of a high profile attack that takes advantage of Single sign-on (SSO), a method that allows users to login into websites and services using their credentials from other sites and services. Last year, Facebook disclosed a data breach where hackers accessed the personal information of 30 million people taking advantage of a series of bugs on the social networks’ web servers.
We don’t know if any malicious hackers found the flaws on Epic Games websites and took advantage of them before Check Point alerted the video game company. A Check Point spokesperson said in an email that “it doesn’t appear that the vulnerability was exploited prior to the patch being made.”
Listen to CYBER, Motherboard’s new weekly podcast about hacking and cybersecurity.