Cybersecurity firm Check Point issued a statement reporting it found multiple vulnerabilities on Epic Games’ online platform which could allow hackers to login to any Fortnite account.
Once logged in, attackers could then steal credit card information, purchase V-Bucks, and even listen to player conversations in real-time.
The worst part? This exploit didn’t even require the player to provide any login details like username or password.
The vulnerabilities found on the company’s sub-domains allowed hackers to execute an XSS attack by tricking the user into clicking on a malicious link.
By redirecting traffic from Epic Game’s login page at “accounts.epicgames.com” to another page on the same domain, hackers could effectively gain control of user accounts by stealing their login tokens.
Login tokens are digital keys that allow Fortnite players to sign in with their accounts on other services like PlayStation Network and Facebook.
Since the attack uses a URL ending in “epicgames.com”, victims didn’t realize the link was actually dangerous.
How did it work?
After clicking on the malicious link, they would send unsuspecting victims to an Epic Games sub-domain where the attacker could be able to see the player’s username and password.
Once on that page, hackers could resend the Single Sing-On token to a page on an old Epic Games sub-domain used for presenting unreal tournament statistics sorted by map and ID.
This means that the exploit worked even if the victim used third-party logins such as Google+, Facebook, PlayStation, Nintendo or Microsoft Account.
The security research firm took advantage of these bugs to steal login tokens themselves and log into Fortnite player accounts as a proof-of-concept.
Check Point then reported the security flaws to Epic Games who immediately took the page down and deployed a fix to protect their users’ information.
The old statistics page contained two vulnerabilities: SQL Injection and Cross-Site Scripting.
After discovering and reporting the vulnerabilities to Epic Games, Check Point also created a video highlighting the flaws found in the login process.
Fortnite Login Vulnerability Video
There’s no evidence attackers took advantage of these flaws to perform account takeovers.
However, some players have reported losing control of their Epic Games accounts without them even clicking on links.