Epic Games just fixed a massive breach in Fortnite‘s security, according to a new report from Variety. Back in November, hackers were capable of running wild, taking over accounts, using credit cards to buy in-game items, and even posing as other players in chatrooms. Essentially, they could control their victims’ accounts. Luckily this vulnerability has now been patched as of this month.
All of this occurred by the unsuspecting player simply clicking on what is known as “phishing” links. The hackers made the link look legitimate enough that most players would be easily duped. They would think the link came directly from Epic, but in reality, it was used to take control. It’s a good thing then that a cybersecurity firm, Check Point Software Technologies, discovered the issue in November.
Epic Games grateful for their help
In a statement to Variety, Epic Games said the following:
We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.
So where exactly did the flaw in their security lie? It had nothing to do with passwords, according to the original report, and everything to do with a flaw in two of Epic’s own subdomains.
There was a loophole in Fortnite‘s authentication process that enabled hackers to leverage Single-Sign-On systems like Xbox, Facebook, and Google to gain access to players’ account credentials. As mentioned earlier, they could send out phishing links to potential victims and then take over their authentication token due to Epic’s vulnerable subdomains.
We do not know exactly how many users were affected, but after this and other reports surfaced, people started posting on Facebook that they had been hacked in recent months. Players who spend a lot of time and money in this game were probably not too happy to be locked out of their accounts.
The vulnerability could have been much worse
Check Point’s Oded Vanunu, head of products vulnerability research, made a public statement. He said there was potential for this flaw to have had much more dire consequences.
Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy. Together with the vulnerabilities we recently found in the platforms used by drone manufacturer DJI, show how susceptible cloud applications are to attacks and breaches. These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability.
If a player is never sure whether they are receiving a legitimate email from the developer or not, it’s best to not click any links. When in doubt, simply contact them.
[Source]
