Security company: Fortnite vulnerability gave third parties access to accounts
The security company Check Point reports that it has discovered several vulnerabilities for Fortnite, with which attackers could relatively easily access and take over player accounts. The vulnerabilities have now been patched.
Check Point reports that there were multiple vulnerabilities in Epic Games’ online platform and beyond. This allowed attackers to not only take over players’ accounts, but also view their personal account information, buy V-bucks and record voice chat conversations.
The security company states in an email to ZDNet that it reported the vulnerabilities found to Epic Games in early November. Check Point employees noticed that the vulnerabilities had disappeared in late November, but the game company did not keep Check Point informed of the process of fixing the vulnerabilities. Epic Games has yet to comment on the security company’s disclosure.
The hacks were possible due to a vulnerability in some of Epic Games’ subdomains, such as http://ut2004stats.epicgames.com. This allowed an XSS attack to be carried out, where the user only had to click on a link sent to them by the malicious party. Once clicked, the Fortnite username and password would be immediately forwarded. XSS, or cross-site scripting, can be tackled via CSP (Content Security Policy), which ensures that only content from trusted locations can be loaded onto a website.
The Check Point employees found a way to capture the SSO token, which is exchanged, for example, between providers such as Google, Facebook or Nintendo and the Epic Games server. The researchers worked through the login procedure and managed to exploit an XSS vulnerability to store the SSO token. This gave them the data needed to log into players’ accounts.
The login process was exploitable because Epic Games creates a URL with a redirectedUrl parameter when the player clicks ‘sign in’. This URL is later used to redirect the player back to their account page. The researchers discovered that it was possible to manipulate this URL to redirect players to any page in the epicgames.com domain. This also allowed players to be forwarded to the domain ut2004stats.epicgames.com with the XSS payload attached.
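The defensive lesson from the redirect flaw is that a post-login redirect parameter must be checked against an exact allowlist of hosts, not against a domain suffix, because a suffix check accepts every subdomain, including one that hosts an XSS bug. The following is an added illustration, not Epic Games’ code; the allowlisted hosts and fallback page are constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed allowlist of exact hosts a post-login redirect may target.
# These names are assumptions for illustration, not Epic Games' real configuration.
ALLOWED_REDIRECT_HOSTS = {"www.epicgames.com", "accounts.epicgames.com"}
FALLBACK_PAGE = "https://www.epicgames.com/account"  # constructed fallback


def suffix_check(redirect_url: str, base_domain: str = "epicgames.com") -> bool:
    """Weak check of the kind the article describes: any host under the base
    domain passes, so an arbitrary subdomain is an accepted redirect target."""
    host = urlparse(redirect_url).hostname or ""
    return host == base_domain or host.endswith("." + base_domain)


def strict_check(redirect_url: str, allowed_hosts=ALLOWED_REDIRECT_HOSTS) -> bool:
    """Hardened check: a same-site relative path is fine; otherwise the scheme
    must be https, the host must match the allowlist exactly, and embedded
    credentials or an explicit port are rejected."""
    # A relative path such as "/account" stays on the current origin.
    # "//host/..." is protocol-relative and would leave the site, so exclude it.
    if redirect_url.startswith("/") and not redirect_url.startswith("//"):
        return True
    parsed = urlparse(redirect_url)
    if parsed.scheme != "https":
        return False
    try:
        if parsed.username or parsed.password or parsed.port:
            return False
    except ValueError:  # malformed port component
        return False
    return parsed.hostname in allowed_hosts


def safe_redirect_target(redirect_url: str, fallback: str = FALLBACK_PAGE) -> str:
    """Return the requested target only if it passes the strict check,
    otherwise send the player to a fixed, known-good page."""
    return redirect_url if strict_check(redirect_url) else fallback


if __name__ == "__main__":
    sample = "https://ut2004stats.epicgames.com/?q=payload"  # constructed input
    print("suffix check accepts subdomain:", suffix_check(sample))
    print("strict check accepts subdomain:", strict_check(sample))
    print("redirect goes to:", safe_redirect_target(sample))
```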