Fortnite vulnerability let hackers take over player accounts
A Fortnite security bug let attackers access user accounts after the users clicked a suspicious link that was sent to them. Researchers at Check Point Research found the bug and notified Epic Games in November, and Epic then patched the vulnerability within a few weeks.
Epic Games told The Verge in a statement: “We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”
After the takeover, attackers could potentially use the accounts to purchase and gift the in-game currency V-Bucks. Check Point says the bug could even have allowed hackers to eavesdrop on in-game conversations, although it isn’t clear how they could accomplish this since Fortnite doesn’t allow multiple sign-ins to the same account. We’ve reached out to Check Point to ask for further clarification.
The weakness originates in Epic’s Single Sign-On implementation, which works with many login providers, including Facebook, Google+, PlayStation Network, Xbox Live, and Nintendo. The sign-on flow leads to a redirect URL, which hackers can exploit to redirect the victim to a vulnerable webpage that then steals the victim’s username and password. For the hack to work, the attacker sends a malicious link to the user’s Fortnite account, and if the user clicks on it, it will redirect them to a page that steals their login credentials.
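The article does not describe how Epic validated or later fixed the redirect URL. As an added example (not code from the article, Check Point, or Epic Games), this sketch shows how a sign-on endpoint can check a requested redirect against an exact allowlist, next to a loose check that lets a link point the login flow at an unintended page. All hostnames, paths, and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the only (scheme, host, path) targets the login
# service may send a user back to after sign-on.
ALLOWED_REDIRECTS = {
    ("https", "www.game.example", "/login/complete"),
    ("https", "store.game.example", "/sso/return"),
}
DEFAULT_REDIRECT = "https://www.game.example/login/complete"

def naive_is_allowed(url: str) -> bool:
    """Weak check: passes any URL that merely contains the trusted domain."""
    return "game.example" in url

def strict_is_allowed(url: str) -> bool:
    """Exact match on scheme, host and path; rejects userinfo, ports, odd forms."""
    # Backslashes and control characters are parsed differently by browsers
    # and by URL libraries, so refuse them outright.
    if url != url.strip() or any(c in url for c in "\\\r\n\t"):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.username is not None or parts.password is not None or port is not None:
        return False
    host = (parts.hostname or "").lower()
    return (parts.scheme, host, parts.path) in ALLOWED_REDIRECTS

def login_redirect(requested: str) -> str:
    """Fall back to a fixed page instead of following an unapproved target."""
    return requested if strict_is_allowed(requested) else DEFAULT_REDIRECT

# Constructed sample inputs, not taken from the reported incident.
SAMPLES = [
    "https://www.game.example/login/complete",             # intended target
    "https://old.game.example/forum/page",                 # same domain, unlisted page
    "https://game.example.other.test/collect",             # look-alike host
    "https://www.game.example@other.test/login/complete",  # userinfo trick
]

def compare(samples=SAMPLES):
    """Return (url, naive_result, strict_result) for each sample."""
    return [(u, naive_is_allowed(u), strict_is_allowed(u)) for u in samples]

if __name__ == "__main__":
    for url, naive, strict in compare():
        print(f"naive={naive!s:5} strict={strict!s:5} {url}")
```

The loose check accepts all four samples, while the exact-match check accepts only the first, including rejecting an unlisted page on the service's own domain.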
Even though this particular hack was patched, there are still plenty of malicious users targeting Fortnite accounts. Just this week, The Independent reported money laundering schemes involving stolen credit card details that were being used to buy V-Bucks and then were sold back to players at a discount through the dark web.
Content courtesy of TheVerge.com.