Fortnite leaks gamers’ credentials

By on
Fortnite leaks gamers’ credentials

Check Point researchers have identified a security flaw in the hit game Fortnite.

The security outfit claims the problem lies in the game’s login process, which has “vulnerabilities with the token authentication process to steal the user’s access token and perform an account takeover.”

The problem starts at, which hosts the service players use to log in to the game.

“As this domain had not been validated, it was susceptible to a malicious redirect,” Check Point’s research team allege. “As a result, our team redirected traffic to another, though not in use, Epic Games sub-domain.”

“It was on this sub-domain, also containing security flaws, that our research team was able to identify an XSS attack to load a JavaScript that would make a secondary request to the SSO provider, for example, Facebook or Google+, to resend the authentication token. The SSO provider would correctly resend the token back to the login page. However, this time due to the malicious redirect, the token would be sent back to the manipulated sub-domain where the attacker is able to collect the token via his injected JavaScript code.”

The result? “With the access token now in the hands of the attacker, he can now log in to the user’s Fortnite account and view any data stored there, including the ability to buy more in-game currency at the user’s expense. He would also have access to all the user’s in-game contacts as well as listen in on and record conversations taking place during game play.”

Check Point said “Needless to say that along with this massive invasion of privacy, the financial risks and potential for fraud is vast. Users could well see huge purchases of in-game currency made on their credit cards with the attacker funneling that virtual currency to be sold for cash in the real world.”

The flaws are explained in detail here.

Check Point recommends that Epic Games, Fortnite’s makers, implement two-factor authentication to stamp out this problem. It also suggests that parents “make their children aware of the threat of online fraud and warn them that cyber criminals will do anything to gain access to personal and financial details which may be held as part of a gamer’s online account.”

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © CRN Australia. All rights reserved.

Most Read Articles

Log In

  |  Forgot your password?