Fortnite had a security vulnerability that let hackers take over accounts

An unsecured page for Unreal Tournament from 2004 came back to haunt Epic Games.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read

Security researchers found a vulnerability that hackers could use to take over Fortnite accounts. 

Epic Games

Attention all epic Fortnite gamers: your accounts were in great danger.

Security researchers from Check Point found vulnerabilities with Epic Games' website, which allowed potential hackers to log into people's Fortnite accounts without needing a password. Once they had access to the compromised accounts, the researchers found that you could listen in on friends' conversations and use the victims' credit card information to purchase in-game items.

The researchers discovered the vulnerabilities in November, and it was fixed by January. 
"We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not reusing passwords and using strong passwords, and not sharing account information with others," an Epic Games spokesperson said. 

Fortnite had a breakthrough year in 2018, with nearly 80 million players. Its parent company, Epic Games, was estimated to profit $3 billion last year, and valued at more than $15 billion for the free game. With the game's massive popularity comes security concerns.

In August, Epic Games fixed a security flaw with its installer for Android devices, after researchers from Google disclosed a vulnerability that could have tricked victims into installing a fake version of the game. Because the game is so popular, security researchers have found that Fortnite is a major target of malware, with a surge of fake apps popping up online.

"We started to hear there was a lot of abuse at Fortnite's network," said Oded Vanunu, Check Point's head of products vulnerability research. "This is more than a game -- this is a huge infrastructure that's serving 80 million players, who are mostly kids."

Epic Games has attempted to address security concerns by encouraging its players to enable two-factor authentication through giveaways.  

Despite Fortnite's security measures over the last year, it was an Epic Games page from 2004 that created a small opening for hackers to take over people's accounts.

Check Point's researchers found an unsecured URL from over a decade ago, on ut2004stats.epicgames.com -- a records page for Unreal Tournament, a first-person shooter that Epic Games first developed in 1998.

The page, which has since been deactivated, was open to cross-site scripting attacks -- when someone injects malicious code into a website. The researchers wrote code and injected it onto the webpage to redirect access tokens to Check Point's servers instead of Epic Game's.

Think of access tokens as authentication outside of passwords -- they're codes generated by platforms to keep you logged in so you don't need to log in every time you visit a page. When hackers stole personal information on 29 million people on Facebook, they used access tokens to do it. The Fortnite vulnerability takes advantage of the many different ways you can log into your Epic Games account, using access tokens from Facebook, Google and Xbox accounts.   

The attacker would have to send the phishing link on the platform the victim logs into Fortnite from -- so if you tied your Epic Games' account to Facebook, the hack would have to go through the social network, said Eran Vaknin, a security researcher at Check Point.

Once you click on the link, that data is extracted, even if the victim doesn't type anything in.

"The attack is happening automatically without any user interference," Vaknin said.

Because the compromised page had an Epic Games' URL, it would appear less suspicious to victims, Vanunu said. It's similar to a vulnerability that Check Point's researchers discovered with accounts for DJI's drones last March, which the company fixed in September.
In that vulnerability, Vanunu was also able to inject malicious code on DJI's own domain page to steal access tokens.

"Even if you have a security product looking for anti-phishing, it wouldn't catch it because it's coming from a legitimate domain," the security researcher said.

He warned that as people become more aware of phishing attacks and more careful about typing passwords on suspicious pages, hackers would be targeting access tokens instead. Vanunu encouraged enabling two-factor authentication to protect your accounts -- which Epic Games has made efforts to promote as well.

"Token hijacking is something that is happening on all major platforms," Vanunu said. "We are starting to see malicious attackers looking for tokens more."

Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

Blockchain Decoded: CNET looks at the tech powering bitcoin -- and soon, too, a myriad services that will change your life.