Hacking into Fortnite Accounts

Fortnite is an immensily popular, online survival videogame that is developed by a company called Epic Games .Since its inception in 2017 Fortnite has 80 million users. Due to this massive userbase Fortnite has become an attraticve target for criminal activities.Security Researchers at Cybersecurity firm Check Point have discovered multiple vulnerabilities in the online platform hosted by Epic Games. According to the researchers, security loopholes in the infrastructure of the online platform would allow hackers to take control over any player account, to view account information, to buy the in-game virtulal currency at the expense of the user and to eavesdrop upon in-game conversations.The Researchers stated that the web based portal was prone to Cross Site Scripting Attack, SQL Injetion Attack.

The Researchers at Check Point discovered a vulnerability in some of the sub-domains of Epic Games. Taking undue advantage of the vulnerability and making the user click on links, the attackers were able to capture the login credentials of the user and hence compromising the security of the user account. These links were made alluring to the user in order to make the user click on them.A bug detected on the login page of Epic games, accounts.epicgames.com enabled the attacker to maliciously redirect the traffic to a sub-domain of Epic games which was not in use. The sub-domain too had security flaws and was succeptible to attacks. The Security Researchers devised a Cross Site Scripting Attack that would run a malicious JavaScript.The JavaScript was programmed to make a secondary request to the Single Sign On Authentication Provider.Hence the vulnnerability was also linked with the technical aspect of Single Sign On Authentication Session between PlayStationNetwork,Xbox Live,Nintendo,Facebook,Google and the Epic Games Server. The Researchers/Attackers were able to capture the token sent by the SSO providers using the malicious JavaScript. So in order to make the attack work it was necessary for the attackers to make the user click on phishing links.

Once the attacker had the login credentials of the user he could buy the in-game virtual currency at the expense of the victim and sell it on some other website for real world currency. Hence there was financial risk involved too.Such attacks could be prevented if the companies keep a tab on the inactive domain names which would act as a back door for the hackers. Regular Security Audits of the IT infrastructure and deploying security mechanisms is what Companies can do. Although Epic Games patched this bug in their recent update, ‘Confidentiality’ which is an important aspect of the CIA triad was severly compromised.

Cite this page