The sign-in tool used by Fortine players could allow bad actors to take over any user's account
Security researchers from Check Point reported another Fortnite hack. According to experts, they found multiple vulnerabilities inside the online platform that would allow hackers to grant excessive access to any player's account and view their personal information, steal V-bucks in-game currency, and even record their conversations.
The vulnerability is connected to the single-sign-on (SSO) between Facebook, Google, PlayStationNetwork, Xbox Live, Nintendo and Epic Games server. All bad actors had to do is to create the malicious link that would be inserted into the chain to start the attack.
Epic Game's Fortnite video game has reached record high popularity not only in the battle royale genre but in the video game industry in general. Reaching over 200 million registered users in November 2018 and making a whopping $2.4 billion in profits, it became a lucrative business not only to its developers, but also malicious actors.
From fake Android versions, credit card fraud, hacking attempts to V-bucks generators that steal personal data, Fortnite has seen it all. The most recent vulnerability was reported to Epic games back in November 2018, and it was patched by the developer at the end of December.
Check Point researchers say the attack would be easy to execute
While previously hackers relied on fake websites that prompted users entering their Fortnite login details, this flaw does not require them to provide the information at all. The vulnerability that was found in some developer's sub-domains allows crooks to obtain username and password for the account, and all the victim has to do is click on a link provided by the attackers. The analyzed domain was ut2004stats.epicgames.com, which is no longer available.
By abusing the flaw on the mentioned domain, security experts managed to launch a second stage attack by using SSO related tokens and taking over the account with the help of OAuth Account. Here's how Check Point managed to achieve that:
It turns out that when a player logs in to his account by clicking on the “Sign In” button, Epic Games generates a URL containing a “redirectedUrl” parameter. This parameter is later used by “accounts.epicgames.com” in order to redirect the player to his account page.
However, we soon found that it was possible to manipulate the redirect URL and direct the user to any web page within the “*.epicgames.com” domain. With the ability to control the “redirctedUrl” parameter, we could redirect the victim to ‘ut2004stats.epicgames.com’, site that contained the XSS payload
Researchers warn that aggressive cyber attacks surrounding Fortnite will not stop
A full account takeover might be devastating for every gamer, as a well-developed account could cost up to $50,000 on eBay. Therefore, stealing such an account would be extremely profitable for the hacker.
Cybercrime related to Fortnite is not going away anywhere any time soon, as there is a lot of money to be made. Epic Games is trying to battle all the scams, account hacks and the malware that is trying to affect the game. Developers urge users to take some precautionary measures as soon as possible:
Epic Games takes these issues seriously, as chargebacks and fraud put our players and our business at risk. As always, we encourage players to protect their accounts by turning on two-factor authentication, not re-using passwords and using strong passwords, and not sharing account information with others.
Experts reported that many hacking attempts were made with the help of illegal tools such as “V-bucks generators,” “Free V-bucks” and similar cheating tools that would allow the player to gain an unfair advantage in the game.
Please do not risk your safety and computer security in order to cheat in the game. Not only that ruins the experience to other players but also puts your bank account credentials and other sensitive information at risk.