On Jan. 16, internet security firm Check Point Research disclosed a vulnerability in the popular online video game Fortnite that could have allowed malicious actors to take over practically any account - all a player had to do was click a malicious link.
To fall victim, users needed only to click on a crafted phishing link fraudulently coming from an Epic Games domain. Once the user authenticated into Fortnite, the login page redirected to the attacker's page, which asked the SSO provider for the access token.
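As an added illustration (not code from Check Point Research or Epic Games): the redirect step described above is only safe when the login service sends the user, and the token, to an exact pre-registered address. The sketch below contrasts a loose domain check with an exact-match check; the hostnames, the path and the function names are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the only (scheme, host, path) the login service may redirect to.
ALLOWED_REDIRECTS = {("https", "accounts.game.example", "/login/complete")}


def naive_is_allowed(target: str) -> bool:
    """Weak check: accepts any URL that merely mentions the trusted domain."""
    return "game.example" in target


def strict_is_allowed(target: str) -> bool:
    """Exact match on scheme, host and path; anything ambiguous is refused."""
    # Backslashes and control characters are parsed differently by browsers.
    if target != target.strip() or any(c in target for c in "\\\r\n\t"):
        return False
    try:
        parts = urlsplit(target)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    # user:pass@host lets a trusted-looking name sit in front of another host.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    host = (parts.hostname or "").lower()
    return (parts.scheme, host, parts.path) in ALLOWED_REDIRECTS


def loose_only(targets):
    """Targets the weak check accepts but the exact check refuses."""
    return [t for t in targets if naive_is_allowed(t) and not strict_is_allowed(t)]


# Constructed sample redirect targets, not taken from the real incident.
SAMPLES = [
    "https://accounts.game.example/login/complete",
    "https://attacker.example/collect?from=game.example",
    "https://accounts.game.example@attacker.example/login/complete",
    "https://accounts.game.example/2004/old-page",
]

if __name__ == "__main__":
    for t in SAMPLES:
        print(f"naive={naive_is_allowed(t)!s:5} strict={strict_is_allowed(t)!s:5} {t}")
```

Every target that `loose_only` returns is a place a token could be sent under the loose check, including a forgotten page on the trusted host itself.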
A successful attack would have relied on users clicking on a malformed Epic Games login link. However, the link's format wouldn't have raised suspicion among less technical users, who would have been unable to spot the malformed parameters.
"Although stopping such criminal activity completely is extremely hard, you can take several steps to mitigate this phenomenon, including monitoring the transfer of valuable goods in the game and identifying players with large stockpiles of V-bucks," said Benjamin Preminger, senior intelligence analyst at Sixgill.
Fortnite players are often targeted for the V-Bucks in their accounts. V-Bucks, short for Vindertech Bucks or Vinderbucks, are an in-game currency that can be used to get cosmetic items for your character or to give it a competitive advantage through weaponry.
The good news is that Fortnite's developer, Epic Games, fixed the problems.
If exploited, the vulnerability would enable hackers to purchase virtual in-game currency using the victim's payment card details, the company said in a statement late Thursday.
Free-to-play titles as a whole earned $87.7 billion last year, accounting for 80% of the $109.8 billion digital games revenue in 2018.
It appears that there was a flaw in the way Epic Games processed logins, which made it easier to steal users' information.
"Together with the vulnerabilities we recently found in the platforms used by drone manufacturer DJI, show how susceptible cloud applications are to attacks and breaches," added Vanunu.
It also encourages players to use two-factor authentication, which will require them to enter a security code sent to their phone upon login.
The Fortnite security flaw originated with an Epic Games page from 2004 that created a small loophole for hackers to take over people's accounts.