Another hack has been reported against Fortnite (an online video game); this time, security researchers from Check Point revealed it. According to the experts, there were multiple vulnerabilities in the online platform, and those vulnerabilities were tied to the single sign-on (SSO) integration between Google, PlayStation Network, Xbox Live, Nintendo and Epic Games as the identity providers.
The attackers only had to craft a malicious link exploiting these vulnerabilities to gain access to a player's account, through which they could view the personal information on file, steal V-Bucks (the in-game currency) and read the chat records of any player. Fortnite had more than 200 million registered users according to data from November 2018 and makes a monstrous $2.4 billion in profits.
More about the incident
Check Point found that they could redirect traffic from Epic Games' main login page (accounts.Epicgames.com) to another page on the company's website. There, they managed to steal the login token:
"It turns out that when a player logs in to his account by clicking on the 'Sign In' button, Epic Games generates a URL containing a 'redirectedUrl' parameter. This parameter is later used by 'accounts.epicgames.com' in order to redirect the player to his account page.
However, we soon found that it was possible to manipulate the redirect URL and direct the user to any web page within the '*.epicgames.com' domain. With the ability to control the 'redirectedUrl' parameter, we could redirect the victim to 'ut2004stats.epicgames.com', a site that contained the XSS payload."
The first step in this attack is to trick users into clicking the malicious link; once clicked, they are forced to use the service that provided the login (be it Facebook or Xbox Live) to resend the login token to an old and vulnerable Epic Games page.
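The root cause described above is a post-login redirect parameter validated against a wildcard domain: any host under the parent domain, including an old and forgotten subdomain, becomes a valid place to send the browser and its token. The following is an added example (not Check Point's or Epic Games' code; the hostnames, the parameter handling and the allowlist are constructed for illustration) that puts the weak suffix check beside a strict allowlist check and shows how a login service would resolve an untrusted redirect parameter into a safe target.

```python
from urllib.parse import urlparse, urljoin

# Constructed names for this example; they are not Epic Games' real hosts or code.
LOGIN_ORIGIN = "https://accounts.example-games.com"
DEFAULT_TARGET = LOGIN_ORIGIN + "/account"
# Exact hostnames a post-login redirect may point at. A wildcard such as
# "*.example-games.com" is deliberately absent: every subdomain it would admit
# (old stats pages, forgotten apps) becomes part of the login flow's attack surface.
TRUSTED_REDIRECT_HOSTS = {"accounts.example-games.com", "store.example-games.com"}


def weak_is_allowed(url: str) -> bool:
    """Suffix check of the kind the article describes: any host under the
    parent domain passes, including subdomains the login team does not own."""
    host = urlparse(url).hostname or ""
    return host == "example-games.com" or host.endswith(".example-games.com")


def strict_is_allowed(url: str) -> bool:
    """Allowlist check: https only, no embedded credentials, exact host match."""
    p = urlparse(url)
    if p.scheme != "https":           # rejects http:, javascript:, data: and scheme-less input
        return False
    if p.username is not None or p.password is not None:
        return False                  # "https://trusted.host@other.host/" must not pass
    return p.hostname in TRUSTED_REDIRECT_HOSTS


def resolve_redirect(redirected_url: str) -> str:
    """Turn an untrusted redirect parameter into a target that is safe to send
    the browser to. Same-origin relative paths are kept; absolute URLs must be
    allowlisted; anything else falls back to the account page."""
    if not redirected_url or "\\" in redirected_url or any(ord(c) < 0x20 for c in redirected_url):
        return DEFAULT_TARGET         # backslashes and control chars are parsed differently by browsers
    if redirected_url.startswith("/") and not redirected_url.startswith("//"):
        return urljoin(LOGIN_ORIGIN, redirected_url)   # relative path, stays on the login origin
    if strict_is_allowed(redirected_url):
        return redirected_url
    return DEFAULT_TARGET


if __name__ == "__main__":
    for candidate in ("/account/settings",
                      "https://stats.example-games.com/old-app",
                      "//stats.example-games.com/old-app",
                      "https://accounts.example-games.com.attacker.test/"):
        print(f"{candidate!r:55} weak={weak_is_allowed(candidate)!s:5} -> {resolve_redirect(candidate)}")
```

The design point is that the redirect allowlist is a short list of exact origins owned by the login team, not a domain suffix: a subdomain that hosts a legacy application with a cross-site scripting bug should never be a legal destination for a freshly issued token. The protocol-relative form (`//host/path`) is handled explicitly because a naive "starts with a slash, so it is relative" check would otherwise turn it into an open redirect.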
The developers urge users to take immediate precautionary measures:
“Epic Games takes these issues seriously, as chargebacks and fraud put our players and our business at risk. As always, we encourage players to protect their accounts by turning on two-factor authentication, not re-using passwords and using strong passwords, and not sharing account information with others.”