Israeli researchers find Fortnite flaw that left user accounts open to takeover

Check Point Software says vulnerability in login process of massively popular online game could’ve granted hackers access to personal details, credit card info; flaw has been fixed

Shoshanna Solomon is The Times of Israel's Startups and Business reporter

An illustration of the Fortnite game developed by Epic Games, a US video game developer  (YouTube screenshot)
An illustration of the Fortnite game developed by Epic Games, a US video game developer (YouTube screenshot)

Researchers at Israeli cybersecurity firm Check Point Software Technologies Ltd. said they found “security vulnerabilities” in Fortnite, a popular online video game played by millions of people around the world.

The vulnerability was found in the game’s login process, and it could have allowed hackers to take over any user’s account, view personal account information, purchase virtual in-game currency and eavesdrop on in-game chatter as well as home conversations, the researchers said in a blog post.

The researchers alerted the creator of the game, Epic Games, a US video game developer, and the flaw has been repaired.

Fortnite players test their skill and endurance in a virtual world as they battle other online players for tools and weapons and strive to be the last surviving person.

An illustration of the Fortnite game developed by Epic Games, a US video game developer (YouTube screenshot)

The game, with 200 million registered users, accounts for almost half of the firm’s $5 billion to $8 billion estimated company value, according to data compiled by Bloomberg.

“With such a meteoric rise in fortune, it is no surprise the popular game has already attracted the attention of cyber criminals set on conning unsuspecting players,” the Check Point researchers said.

Previous scams involving Fortnite deceived players into logging into fake websites in order to acquire currency for the game. These sites, spread via social media campaigns, ask players to enter their login credentials, as well as personal information like name, address and credit card details (usually of the player’s parents).

The Check Point researchers, however, found a way to take over users’ accounts  without requiring them to hand over their login details at all. They were able to identify vulnerabilities in Epic Games’ token authentication process that would have enabled them to steal the user’s access token and perform an account takeover.

This would have enabled hackers to log in to a user’s Fortnite account and view any data stored there, including the ability to buy more in-game currency at the user’s expense. They would also have access to all the user’s in-game contacts as well as listen in on conversations taking place during game play, the blog said.

Check Point alerted Epic Games about the vulnerability in November, and the firm started fixing the flaw in December and completed the patch on Tuesday, the spokesman said.

A spokesman for Check Point said it is not clear if users have been hacked using the vulnerability found by the Israeli researchers, which is the biggest that has been identified to date. But there is a lot of online chatter with people saying they have been hacked via Fortnite.

“Needless to say that along with this massive invasion of privacy, the financial risks and potential for fraud is vast,” the researchers said. “Users could well see huge purchases of in-game currency made on their credit cards with the attacker funneling that virtual currency to be sold for cash in the real world.”

The Check Point researchers said that organizations with customer-facing online portals must carry out proper validation checks on the login pages they ask their users to access. They must also perform “thorough and regular hygiene checks” on their entire IT infrastructure “to ensure they have not left outdated and unused sites or access points online.”

“When attackers are constantly on the lookout for the weakest link in your company’s online presence, these often unknown and unprotected pages can easily serve as a backdoor to your enterprise’s main network,” the blog post said.

An Epic Games spokesperson said in an email statement: “We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”

read more:
Never miss breaking news on Israel
Get notifications to stay updated
You're subscribed