Security researchers at Check Point Software Technologies report that the popular online video game Fortnite harbors a serious vulnerability that exposes millions of players to cybersecurity threats.
This game is played by about 80 million players from across the globe, and it is available across multiple platforms including Windows PCs, Android and iOS devices, PS4, and Xbox One among others.
The game's fans range from casual gamers to professional ones who stream their play via various video game live streaming sites. If attackers exploit the vulnerability, millions of players will be affected.
The unearthed vulnerability is said to be capable of exposing a player's online accounts along with their personal information. An attacker would therefore be able to purchase virtual in-game currency using the victim's card details.
An attacker could also listen in on the victim's in-game chatter, including sounds and conversations in the victim's home, office, or whichever location they may be playing the game from.
Previous Scams that have bedeviled Fortnite
This game has had its fair share of vulnerabilities and exploits. It has been reported that players have been duped into logging into a fake website that promises to generate the Fortnite ‘V-Buck’ in-game currency.
The new vulnerability discovered by Check Point Software Technologies can be exploited even without the player giving away any login details. The security firm explains how an attacker can gain access to a user's account through the vulnerability, which lies in the game's user login process.
The researchers say that, using the three flaws discovered in Epic Games' web infrastructure, an attacker can log in via the token-based authentication process used together with Single Sign-On (SSO) systems such as Google, Xbox, and Facebook. They can then steal the user's credentials and take over their account.
All a player needs to do to fall victim to this vulnerability is click on a crafted phishing link that is generated from an Epic Games domain, which dupes them into thinking it is transparent, while in reality it was sent by the attacker.
A single click would allow the attacker to get the Fortnite authentication token without the player even keying in their login credentials.
“Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy,” said Oded Vanunu, the head of products vulnerability research for Check Point.
“Together with the vulnerabilities we recently found in the platforms used by drone manufacturer DJI, show how susceptible cloud applications are to attacks and breaches.
These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability.”