A Fortnite security bug let attackers access user accounts after the victim clicked a suspicious link that was sent to them. Researchers at Check Point Research found the bug and notified Epic Games in November; Epic patched the vulnerability within a few weeks.
Epic Games told The Verge in a statement: “We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”
After the takeover, attackers could potentially use the accounts to purchase and gift the in-game currency V-Bucks. Since Fortnite doesn’t allow multiple sign-ins to the same account, the victim can’t log on while the hacker is using the account. Check Point also says in its report that the bug could even have allowed hackers to eavesdrop on in-game conversations. Check Point clarified to The Verge that this doesn’t mean eavesdropping on the hacked player, but that the hacker could present themselves as the victim and talk to the player’s friends.
The weakness originates in Epic’s single sign-on (SSO) implementation, which supports many login providers, including Facebook, Google+, PlayStation Network, Xbox Live, and Nintendo. The SSO flow relies on a redirect URL, and hackers could abuse that redirect to send the login flow to a vulnerable webpage that then steals the victim’s username and password. For the hack to work, the attacker sends the user a malicious link; if the user clicks on it, they are redirected to the page that captures their login credentials.
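The defensive counterpart to this class of bug is to never redirect to a caller-supplied URL without validating it first. The following is an added example (not Epic’s code; the hostnames and the default landing page are hypothetical) of a strict allowlist check for an SSO “return to” parameter, including the usual parser-confusion cases such as protocol-relative links, userinfo tricks and look-alike subdomains:

```python
from urllib.parse import urlsplit, urljoin

# Hypothetical hosts the SSO flow may return users to after login.
ALLOWED_HOSTS = {"accounts.example.com", "www.example.com"}
# Where to send the user when the supplied target is rejected.
DEFAULT_LANDING = "https://www.example.com/"
# Backslashes and control characters make URL parsers and browsers disagree.
FORBIDDEN_CHARS = set("\\\r\n\t\x00")


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_LANDING):
    """Return a redirect target the login flow may safely send the browser to.

    Accepts a same-site relative path ("/account") or an absolute https URL
    whose host is on the allowlist; anything else falls back to `default`.
    The login flow must redirect to the returned value, never to `raw`.
    """
    if not isinstance(raw, str) or not raw or len(raw) > 2048:
        return default
    # Reject rather than normalise surrounding whitespace or odd characters.
    if raw != raw.strip() or FORBIDDEN_CHARS & set(raw):
        return default
    # Same-site relative path: one leading slash, never "//host" (protocol-relative).
    if raw.startswith("/") and not raw.startswith("//"):
        return urljoin(default, urlsplit(raw)._replace(fragment="").geturl())
    try:
        parts = urlsplit(raw)
        if parts.scheme.lower() != "https" or not parts.netloc:
            return default
        # "https://www.example.com@evil.example" puts the trusted name in the
        # userinfo, not the host; refuse userinfo and explicit ports outright.
        if parts.username is not None or parts.password is not None or parts.port is not None:
            return default
    except ValueError:  # e.g. a non-numeric port
        return default
    # Exact host match only: "www.example.com.evil.example" must not pass.
    host = (parts.hostname or "").rstrip(".")
    if host not in allowed_hosts:
        return default
    # Rebuild the URL from validated parts; drop the fragment.
    query = f"?{parts.query}" if parts.query else ""
    return f"https://{host}{parts.path or '/'}{query}"
```

The allowlist should be a set of exact hostnames, not a substring or prefix match, since the look-alike subdomain case is exactly what a suffix check would let through.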
Even though this particular hack was patched, there are still plenty of malicious users targeting Fortnite accounts. Just this week, The Independent reported money laundering schemes involving stolen credit card details that were being used to buy V-Bucks and then were sold back to players at a discount through the dark web.
Update January 16th, 2:58PM ET: This article has been updated with additional comment from Check Point on its eavesdropping claim.