Fortnite leaks gamers’ credentials

By on
Fortnite leaks gamers’ credentials

Check Point researchers have identified a security flaw in the hit game Fortnite.

The security outfit claims the problem lies in the game’s login process, which has “vulnerabilities with the token authentication process to steal the user’s access token and perform an account takeover.”

The problem starts at accounts.epicgames.com, which hosts the service players use to log in to the game.

“As this domain had not been validated, it was susceptible to a malicious redirect,” Check Point’s research team allege. “As a result, our team redirected traffic to another, though not in use, Epic Games sub-domain.”

“It was on this sub-domain, also containing security flaws, that our research team was able to identify an XSS attack to load a JavaScript that would make a secondary request to the SSO provider, for example, Facebook or Google+, to resend the authentication token. The SSO provider would correctly resend the token back to the login page. However, this time due to the malicious redirect, the token would be sent back to the manipulated sub-domain where the attacker is able to collect the token via his injected JavaScript code.”

The result? “With the access token now in the hands of the attacker, he can now log in to the user’s Fortnite account and view any data stored there, including the ability to buy more in-game currency at the user’s expense. He would also have access to all the user’s in-game contacts as well as listen in on and record conversations taking place during game play.”

Check Point said “Needless to say that along with this massive invasion of privacy, the financial risks and potential for fraud is vast. Users could well see huge purchases of in-game currency made on their credit cards with the attacker funneling that virtual currency to be sold for cash in the real world.”

The flaws are explained in detail here.

Check Point recommends that Epic Games, Fortnite’s makers, implement two-factor authentication to stamp out this problem. It also suggests that parents “make their children aware of the threat of online fraud and warn them that cyber criminals will do anything to gain access to personal and financial details which may be held as part of a gamer’s online account.”

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © nextmedia Pty Ltd. All rights reserved.
Tags:
check point fortnite fraud security

Partner Content

Build cybersecurity capability with award winning Fortinet training from Ingram Micro
Build cybersecurity capability with award winning Fortinet training from Ingram Micro
How NinjaOne Is Supporting The Channel As It Builds An Innovative Global Partner Program
How NinjaOne Is Supporting The Channel As It Builds An Innovative Global Partner Program
Ingram Micro Ushers in the Age of Ultra
Ingram Micro Ushers in the Age of Ultra
Kaseya Dattocon APAC 2024 is Back
Kaseya Dattocon APAC 2024 is Back
Tech For Good program gives purpose and strong business outcomes
Tech For Good program gives purpose and strong business outcomes

Sponsored Whitepapers

Stop Fraud Before It Starts: A Must-Read Guide for Safer Customer Communications
Stop Fraud Before It Starts: A Must-Read Guide for Safer Customer Communications
The Cybersecurity Playbook for Partners in Asia Pacific and Japan
The Cybersecurity Playbook for Partners in Asia Pacific and Japan
Pulseway Essential Eight Framework
Pulseway Essential Eight Framework
7 Best Practices For Implementing Human Risk Management
7 Best Practices For Implementing Human Risk Management
2025 State of Machine Identity Security Report
2025 State of Machine Identity Security Report

Events

techpartner.news MSP index - Brisbane
techpartner.news MSP index - Brisbane
techpartner.news Channel Leader List / Golf day
techpartner.news Channel Leader List / Golf day
techpartner.news Pipeline Conference 2025
techpartner.news Pipeline Conference 2025
Integrate Expo 2025
Integrate Expo 2025
Security Exhibition & Conference 2025
Security Exhibition & Conference 2025

Most read articles

AI ambition: Nick Beaugeard looks to harness AI agents to provide tech services

AI ambition: Nick Beaugeard looks to harness AI agents to provide tech services
Tech Research Asia to present Australian IT M&A report

Tech Research Asia to present Australian IT M&A report
MSPs pressed to review ransomware response as new reporting rules commence

MSPs pressed to review ransomware response as new reporting rules commence
Vic gov to spend $100m on cyber security

Vic gov to spend $100m on cyber security

Log in

Email:
Password:
  |  Forgot your password?