A Fortnite security flaw was discovered by Check Point Research towards the end of 2018. The vulnerability allowed hackers to easily initiate a phishing scheme by sending users links that looked like login pages, but actually harvested user accounts.
CPR notified Epic Games of the flaw in November, and Epic patched the vulnerability weeks later. However, during that time — and for some time before CPR sent the notice — Fortnite users were at serious risk of fraud.
CPR details exactly how the exploit worked in a very technical explanation on its blog. However, the gist of the process was fairly simple:
- Hackers exploit the single-sign-on system Fortnite uses, which allows a user to log in to Fortnite using other accounts, such as Facebook, Nintendo, Google+, etc.
- The hackers then send a user a link that looks legit. However, it actually redirects them through a different server which scrapes their login info.
- Since the link looks legit and the user doesn't have to actually enter their credentials, the user thinks nothing happened.
- Hackers obtain the login info, take over the account, and use the attached payment options to make fraudulent transactions.
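A defensive illustration of the redirect step in the list above, added here as an example and not taken from Check Point's write-up or Epic's code: a sign-in service accepts a post-login redirect only when it exactly matches a registered callback, so a link on the real login host cannot hand the session to a different server. The hosts, the `redirect_uri` parameter name and the allowlist are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of registered callbacks (constructed placeholder hosts).
REGISTERED_CALLBACKS = {
    ("https", "accounts.example.com", "/sso/callback"),
    ("https", "store.example.com", "/login/complete"),
}


def is_safe_redirect(target: str) -> bool:
    """True only if target is exactly a registered https callback."""
    # Browsers treat "\" as "/" and drop control characters, so reject any
    # input a browser could parse differently from urlsplit.
    if not target or "\\" in target:
        return False
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return False
    try:
        parts = urlsplit(target)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    # "https://trusted-host@other-host/" really points at other-host.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    host = (parts.hostname or "").lower()
    # Exact tuple match: no prefix, suffix or substring comparison on the
    # host, and no relative or scheme-relative ("//host") targets.
    return (parts.scheme, host, parts.path) in REGISTERED_CALLBACKS


def review_login_link(link: str, param: str = "redirect_uri") -> str:
    """Return 'allow' or 'reject' for a login link carrying a redirect."""
    targets = parse_qs(urlsplit(link).query).get(param, [])
    # A missing or repeated parameter is rejected rather than guessed at.
    if len(targets) != 1:
        return "reject"
    return "allow" if is_safe_redirect(targets[0]) else "reject"


if __name__ == "__main__":
    # Constructed sample links; login.example.com stands in for the login host.
    base = "https://login.example.com/authorize?redirect_uri="
    for t in ("https%3A%2F%2Faccounts.example.com%2Fsso%2Fcallback",
              "https%3A%2F%2Faccounts.example.com.other.test%2Fsso%2Fcallback"):
        print(review_login_link(base + t), t)
```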
According to The Verge, hackers who used this exploit would buy Fortnite’s in-game currency (V-Bucks) using the hijacked accounts, gift those V-Bucks to another account, and then sell the V-Bucks at a discounted rate to other players on the dark web.
Fortnite earns billions of dollars from in-game sales, so this fraudulent activity could be quite lucrative.
Epic Games said in a statement: “We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”
Although this vulnerability is now patched, this should be a reminder to all to use strong passwords, change them often, and only enter credentials into trustworthy websites.