Fortnite login vulnerability reportedly allowed hackers access to user accounts, financial data

“The data breach, revealed by Check Point Software, details how a breach in the token-based SSO login system led to severe vulnerabilities for players.”

Security researchers at Check Point Software have reported a rather significant data vulnerability in Fortnite, which Epic Games has thankfully now patched. According to the statement released by the security research group, the vulnerability could have affected any of the over 80 million gamers who regularly play Fortnite.

The breach originated with hackers planting a phishing link within two of Epic Games’ own sub-domains, so that it appeared genuine to users who clicked on it. Once the link was clicked, the user’s authentication token, essentially a key used to verify logins, could be captured by the hackers, even without the user keying in any login details. This then allowed remote access to users’ financial data such as credit cards (used at some point for in-game transactions). It also created a massively critical privacy flaw: hackers were left with remote access to users’ microphones, and with it access to personal audio snippets.


The vulnerability stems from Fortnite’s login procedure, combined with the two malware-susceptible sub-domains belonging to Epic Games. Fortnite uses the same token-based authentication and single sign-on (SSO) login procedure that is used by the likes of Google and Facebook, as well as many public-facing government operations, to allow users to sign in safely to their accounts. The most alarming part of this hack is that people with malicious intent could hijack user-generated tokens to log into accounts, even when the users had never exposed their login credentials.
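Why a token-based SSO flow is only as trustworthy as every sub-domain it will hand a token to, as an added example (not code from Epic Games or Check Point). It assumes the login service delivers the token by redirecting to a caller-supplied URL, which the article does not describe; the `example.com` hosts and all function names are constructed.

```python
from urllib.parse import urlsplit

PARENT_DOMAIN = "example.com"  # constructed stand-in for the vendor's domain
# Exact origins (scheme, host, port) that may receive a login token.
ALLOWED_ORIGINS = {
    ("https", "accounts.example.com", 443),
    ("https", "store.example.com", 443),
}

def weak_is_allowed(redirect_url: str) -> bool:
    """Weak policy: trust any host under the parent domain."""
    host = (urlsplit(redirect_url).hostname or "").lower()
    return host == PARENT_DOMAIN or host.endswith("." + PARENT_DOMAIN)

def strict_is_allowed(redirect_url: str) -> bool:
    """Hardened policy: HTTPS only, no userinfo, exact origin match."""
    try:
        parts = urlsplit(redirect_url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    host = (parts.hostname or "").lower()
    return (parts.scheme, host, port or 443) in ALLOWED_ORIGINS

def audit(urls):
    """Return (url, weak_result, strict_result) for each candidate target."""
    return [(u, weak_is_allowed(u), strict_is_allowed(u)) for u in urls]

# Constructed sample targets: one intended, the rest should never get a token.
SAMPLES = [
    "https://accounts.example.com/callback",     # intended login consumer
    "https://legacy-stats.example.com/page",     # forgotten sub-domain
    "http://accounts.example.com/callback",      # token would travel in clear
    "https://accounts.example.com:8443/",        # unexpected service on host
    "https://accounts.example.com.evil.test/",   # look-alike, other domain
]

if __name__ == "__main__":
    for url, weak, strict in audit(SAMPLES):
        print(f"weak={weak!s:5} strict={strict!s:5} {url}")
```

Under the weak policy, any neglected page on a sub-domain becomes a valid token recipient; the strict policy limits delivery to origins that are actively maintained.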

Oded Vanunu, Check Point’s head of vulnerability research of products, said, “Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy. Together with the vulnerabilities we recently found in the platforms used by drone manufacturer DJI, they show how susceptible cloud applications are to attacks and breaches. These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability.”

While the vulnerability has since been patched, it provides an insight into how vulnerable your data can be, especially with the multiple, fragmented logins that you make with each mobile application.