- Security research firm Check Point found a major bug in Fortnite’s authentication system that could have put users’ private data at risk.
- The bug let attackers steal a player’s login token simply by tricking that player into clicking a link.
- The security issue has already been fixed by Epic Games, which means that no user action is needed.
Fortnite has become a major target for cybercriminals thanks to the massive player base that the popular battle royale game commands. With over 78.3 million monthly players, there is a lot of private user information at stake, and Check Point Research recently identified a critical vulnerability that Epic Games has since patched.
Check Point revealed that the attack combined a cross-site scripting (XSS) flaw on an old Epic Games subdomain with the game’s own authentication flow: a Fortnite player who clicked a malicious link during the login process had their login token handed to the attacker. This differs from the 2018 Facebook token theft, which required no interaction from victims at all; here the attacker still depended on an Epic Games account holder clicking the link while signed in, rather than being able to pull tokens out of a server-side feature unattended.
According to Check Point: “With the access token now in the hands of the attacker, he can now log in to the user’s Fortnite account and view any data stored there, including the ability to buy more in-game currency at the user’s expense. He would also have access to all the user’s in-game contacts as well as listen in on conversations taking place during gameplay.”
Even though the attack is not particularly complicated, anyone using the exploit needs the technical know-how and, crucially, knowledge of old Epic Games subdomains. The company has a number of old subdomains that are no longer maintained but still live, and forgotten assets like these are exactly what attackers comb through for exploitable weaknesses: a host nobody looks after that still sits under the trusted parent domain.
The interest of attackers lies primarily in Fortnite’s virtual currency, V-Bucks. 1,000 V-Bucks cost $10, and once attackers control a victim’s account and the payment details stored in it, they buy V-Bucks at the victim’s expense and resell them to other players at a discount. The cybercriminals profit from the transactions, while the victims are left with the charges and, often, with banned accounts.