Israeli researchers find Fortnite flaw that left user accounts open to takeover

Ruben Fields
January 21, 2019

Just as triumphant reports come in about Fortnite's success, the world's most popular game is forced to contend with stories about security vulnerabilities that could have exposed its millions of players to hackers.

From there the attacker could access personal information, purchase the in-game currency employed by Fortnite ('V-bucks'), and potentially impersonate the account holder in conversations with other players or eavesdrop on their conversations.

According to analyst company SuperData, Fortnite - the wildly popular 100-player Battle Royale game played on PS4, XB1, PC, Mac, Switch, and iOS - generated an estimated $2.4 billion in revenue in 2018 for Epic Games, making it the market leader in free-to-play games.

To take control, the researchers sent a message to their victim over social media including a malicious link. They were able to identify vulnerabilities in Epic Games' token authentication process that would have enabled them to steal the user's access token and perform an account takeover.

With about 200 million players, the game has attracted criminals because of the sheer amount of money spent on in-game purchases.

On Wednesday, Epic Games, the creator of the massive hit Fortnite, admitted that because of a flaw in the game's log-in system hackers could penetrate the game and buy in-game currency.

It also encourages players to use two-factor authentication, which will require them to enter a security code sent to their phone upon login.

The Fortnite security flaw involves people accessing their Fortnite accounts using their login information for other services like Facebook, Sony's PlayStation Network, and Microsoft's Xbox Live.

On Tuesday, security firm Check Point demonstrated how you could exploit a series of vulnerabilities within the game to pull off the hack.

"We were made aware of the vulnerabilities and they were soon addressed," an emailed statement from Epic Games said. Since its release in 2017, Fortnite's player base has grown by the tens of millions. The hack didn't try to steal your password, but rather the special access token the third party exchanges with Fortnite to let you log in.

Check Point's proof-of-concept even used a completely genuine *.epicgames.com URL as a phishing vector. The old stats site was vulnerable to a SQL injection attack, Check Point found, which allowed the miscreants to plant an XSS payload on the server. Facebook, on the other hand, which just the previous year had hackers steal security tokens for 30 million of its users, wasn't so lucky.
