Check Point researchers have revealed security vulnerabilities in Epic Games’ massively online battle arena, Fortnite, that have allowed hackers to take over player accounts. This comes in the wake of previous hacks in which attackers took over swaths of accounts and sold them.
Fortnite has become a gaming phenomenon since its release, with the focus on its Battle Royale mode, which drops 100 players into an arena and lets them fight to the finish. While they weren’t the first to release this gameplay mode, they’ve grown exponentially and expanded across platforms and even into the mobile market at breakneck speed.
The most recent hacking attacks against the gaming giant involve a cross-site scripting (XSS) bug that targets one of the epicgames.com subdomains. This is how the innocent-looking link bypassed firewalls. A link was sent to players through the subdomain, indicating that the link was from Epic Games. Once the link is followed, the player is redirected to the specially crafted page. From this new page, the account token is taken and sent to the hacker. After this information is submitted, the cycle is completed when the player logs into their account again, sending the username and password to the hacker. Many players won’t know about the breach in their security until they notice that their credentials have been changed.
This isn’t Epic Games’ first interaction with the hacking of their players’ accounts. Previous hacks revolved around credential stuffing, in which hackers mine lists of exposed usernames/email addresses and passwords obtained from other website breaches. These hackers then take this information and roll the dice. If they’re successful, they can sell high-ranking accounts to other players. This type of hacking isn’t unique to Fortnite, having also been a problem for other MOBAs and MMOs like World of Warcraft and DOTA II.
To protect privileged information, it’s recommended that you attach two-factor authentication (2FA) to your account; many 2FA options can be set up on your phone via a mobile app. The second, most important thing you can do is to periodically change your password, especially if you find that another service you use has been breached in some way.
A spokesperson for Epic Games, Nick Chester, has said that the bug has now been fixed.