Fortnite login flaw left millions of players exposed to hackers

Check Point researcher tells The Independent he believes it is entirely possible that these flaws could have already been exploited by hackers without victims even knowing

Anthony Cuthbertson
Wednesday 16 January 2019 13:03 GMT
Fortnite Battle Royale: Giant purple cube baffles gameplayers

A major security flaw with the hugely popular game Fortnite left millions of players exposed to hackers, according to new research.

Cyber security firm Check Point discovered the vulnerability, which allowed people to steal the login credentials of Fortnite players without them even knowing about it.

For the attack to be successful, all the victim would have to do is click on a link shared via a chatbox on Fortnite or through social media. Once clicked, the hacker could gain access to a player’s username, password, V-bucks currency and any data stored on their account – without the victim even having to enter their login credentials.

The head of the Check Point research team believes it is entirely possible that these flaws could have already been exploited by hackers, despite no reported instances of attackers making use of the exploit.

This is because the method of intercepting the authentication credentials left very little trace. Before publishing the research the Check Point researchers contacted Fortnite developer Epic Games and the vulnerabilty has since been fixed.

“It is possible that the flaws we discovered could have already been exploited by hackers before they were responsibly closed by Epic Games,” Oded Vanunu, head of products vulnerability research for Check Point, told The Independent.

“Cloud platforms such as these are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold, so enforcing two-factor authentication should be done to mitigate these types of account takeover vulnerability.”

With more than 80 million players worldwide, Fortnite has become a popular target for cyber criminals over the last year.

Previous attacks have involved links offering free V-bucks that actually spread malware, as well as fake Android apps claiming to be the game itself.

The latest discovery was far more sophisticated and sinister, according to Check Point, and provided the ability for a “massive invasion of privacy.”

The researchers concluded their report: “The underlying takeaway... is to always be vigilant when receiving links send from unknown sources. After all, for the attack to be successful many phishing attacks do not require any further action from the user other than clicking on the link.”

Epic Games did not respond to a request for comment.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies


Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in