Check Point researchers have identified a security flaw in the hit game Fortnite.
The security outfit claims the problem lies in the game’s login process, which has “vulnerabilities with the token authentication process to steal the user’s access token and perform an account takeover.”
The problem starts at accounts.epicgames.com, which hosts the service players use to log in to the game.
“As this domain had not been validated, it was susceptible to a malicious redirect,” Check Point’s research team allege. “As a result, our team redirected traffic to another, though not in use, Epic Games sub-domain.”
The result? “With the access token now in the hands of the attacker, he can now log in to the user’s Fortnite account and view any data stored there, including the ability to buy more in-game currency at the user’s expense. He would also have access to all the user’s in-game contacts as well as listen in on and record conversations taking place during game play.”
Check Point said: “Needless to say that along with this massive invasion of privacy, the financial risks and potential for fraud is vast. Users could well see huge purchases of in-game currency made on their credit cards with the attacker funneling that virtual currency to be sold for cash in the real world.”
The flaws are explained in detail here.
Check Point recommends that Epic Games, Fortnite’s makers, implement two-factor authentication to stamp out this problem. It also suggests that parents “make their children aware of the threat of online fraud and warn them that cyber criminals will do anything to gain access to personal and financial details which may be held as part of a gamer’s online account.”
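The redirect weakness described above comes down to which redirect targets a login service will accept. The following Python example is added here for illustration and is not Check Point's or Epic Games' code: it contrasts a suffix check that trusts every sub-domain, including one no longer in use, with an exact-match allow-list. It assumes the login service receives a redirect URL from the request; example.com and all host names are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed values: example.com stands in for the login domain's parent
# domain. None of these host names come from the article.
ALLOWED_REDIRECT_HOSTS = {"www.example.com", "store.example.com"}


def weak_is_allowed(url: str) -> bool:
    """Suffix check: trusts every sub-domain, including forgotten ones."""
    host = urlsplit(url).hostname or ""
    return host == "example.com" or host.endswith(".example.com")


def strict_is_allowed(url: str) -> bool:
    """Exact match on scheme and host against a maintained allow-list."""
    # Browsers treat "\" like "/" and drop control characters, so reject
    # such input instead of guessing how the target will be parsed.
    if url != url.strip() or "\\" in url or any(ord(c) < 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # Userinfo ("user@host") is a common way to disguise the real host.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    return parts.hostname in ALLOWED_REDIRECT_HOSTS


def safe_redirect_target(url: str,
                         default: str = "https://www.example.com/") -> str:
    """Return the requested target only if it passes the strict check."""
    return url if strict_is_allowed(url) else default
```
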