This article was published on January 17, 2019

Fortnite vulnerability could have left millions of credit cards exposed

Story by Rachel Kaser

Internet Culture Writer

Rachel is a writer and former game critic from Central Texas. She enjoys gaming, writing mystery stories, streaming on Twitch, and horseback riding. Check her Twitter for curmudgeonly criticisms.

Just as triumphant reports come in about Fortnite’s success, the world’s most popular game is forced to contend with stories about security vulnerabilities that could have exposed its millions of players to hackers.

Data analysis firm SuperData today reported that Fortnite earned $2.4 billion in revenue last year, topping the list of games for the year (and probably beating out top earners of years past easily). While both Fortnite and its battle royale mode launched in 2017, it didn’t really take off until 2018, with the help of popular streamers and YouTubers spreading the word.

For the uninitiated, the game is free-to-play, but gamers can (and evidently do) spend money on in-game items. Now we have some idea of just how much money the game’s 200 million players are spending.

But there’s a dark side to having so many people willing to spend their money on the game: namely, that shady characters want a piece of it.

Yesterday, security firm Check Point published a report detailing flaws in Fortnite’s login system which would allow a crafty hacker to access a user’s account credentials. According to the researchers’ findings:

To fall victim to this attack, a player needs only to click on a crafted phishing link coming from an Epic Games domain, to make everything seem transparent, though sent by the attacker. Once clicked, the user’s Fortnite authentication token could be captured by the attacker without the user entering any login credentials. According to Check Point’s researchers, the potential vulnerability originated from flaws found in two of Epic Games’ sub-domains that were susceptible to a malicious redirect, allowing users’ legitimate authentication tokens to be intercepted by a hacker from the compromised sub-domain.

Once the fiend accessed the login credentials, they could potentially take over the account, access financial information, and pose as the user online. Startlingly, Check Point’s researchers apparently found this exploit also allowed an attacker to “listen to and record in-game chatter as well as surrounding sounds and conversations within the victim’s home or other location of play.”

The risk of credit card theft is particularly alarming. Suddenly that report about the game generating billions in revenue begins to look a bit sinister. The fact that there are so many players in Fortnite spending money makes the game look like a big, juicy target.

Oded Vanunu, head of product vulnerability research at Check Point, said of the security problem:

Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy… These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability.

There doesn’t seem to be any evidence that the vulnerability was ever exploited… at least, not on a grand scale. In a statement to The Verge, Epic Games said it’d patched the issue and reiterated its stance on security: “As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”

Last year, Epic Games tried to promote the use of two-factor authentication via a new emote reward. Presumably this is an attempt to counter-balance the stories about minors being conned into handing account details to strangers.

We’ve contacted Epic Games for more information, and will update if we receive it.