XSS slip-up exposed Fortnite gamers to account hijack

Login credentials could have been stolen with ease

Web back-end vulnerabilities in Fortnite created a mechanism for hackers to intercept and surreptitiously steal gamers’ login credentials.

The attack – discovered by security researchers at Check Point – manipulates Fortnite’s login process to capture usernames and passwords.

Once stolen, login credentials might be used to buy more V-Bucks – Fortnite’s in-game currency – at a victim’s expense, or access a compromised user’s in-game contacts or other account data.

The same security weakness also made it possible to listen into and record players’ in-game chatter and background home conversations, among other exploits.

The attack, which has now been patched, was the result of flaws in Epic Games’ web infrastructure, that collectively made it possible for researchers to manipulate the token-based authentication process used by Fortnite in order to lift gamers’ access credentials.

More specifically, the attack relied on security shortcomings in how Fortnite’s login process works with Single Sign-On (SSO) systems developed by Facebook, Google, Xbox, and PlayStation.

Epic Games had written a generic SSO implementation to support all these login providers which, security researchers discovered, was flawed.

One of Epic Games’ older subdomains (http://ut2004stats.epicgames.com) was vulnerable to cross-site scripting (XSS), opening the way for researchers to develop a proof-of-concept exploit, as detailed a technical write-up by Check Point.

Duping players with the promise of V-Bucks

To pull off the exploit, an attacker would need to trick a prospective victim into clicking on a malicious phishing link, either in Fortnite chat or via social media.

Potential lures could include offering free game credits or V-Bucks.

Once clicked, it would have been possible for a hacker to capture a user’s Fortnite authentication token, allowing them to take over the account.

Importantly, there would have been no need to trick a user into entering their login credentials for the attack to have worked, as illustrated in a YouTube video of the exploit in action.

Oded Vanunu, head of products vulnerability research for Check Point, commented: “Together with the vulnerabilities we recently found in the platforms used by drone manufacturer DJI, [they] show how susceptible cloud applications are to attacks and breaches. 

“These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability.”

The two-step verification supported by Epic Games would ensure that when logging into their account from a new device, the player would need to enter a security code sent to the account holder’s pre-registered email address before they were allowed to access an account, offering gamers a defense against legion stealing attacks.

Surviving the storm

Check Point informed Epic Games about the vulnerability. The games publisher responded by developing and rolling out a security fix, clearing the way for Check Point to go public with its findings.

Although the vulnerability has been patched, Check Point and Epic Games still advise gamers to remain vigilant. In particular, users should consider the legitimacy of links posted on user forums and websites.

An Epic Games spokesperson told The Daily Swig: “We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention.

“As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”

Nearly 80 million people worldwide play Fortnite. The wildly popular game is available on a variety of platforms including Android, iOS, PC via Microsoft Windows, and consoles such as Xbox One and PlayStation 4.

This latest episode isn’t the first time Fortnite has been scrutinized. Various security issues involving the platform have cropped up before as detailed in our earlier stories here and here.

Malwarebytes’ security researcher Chris Boyd, an avid gamer, told The Daily Swig that there’s a thriving underground of mostly teenagers who have turned hacking games into a game itself.

“While this is an interesting attack and potentially straightforward to do, a lot of teenage game hackers enjoy the near gamification of the attack itself and get a kick out of having someone physically enter login details,” Boyd explained.

“They also tend to get a lot more mileage on underground forums where they post images of their latest compromises, and lead others step by step through the many hoops the victims jumped through.

“Many of them hone a lot of basic HTML skills from these ventures and a quick glance at fake sites will reveal a love of as many interactive elements as possible.”

“Additionally, many of the attackers are often beginners and stick to tried and tested methods [of] making easy money instead of ‘Oh, this doesn't work for some reason’,” he added.