A flaw in Fortnite that was discovered by researchers from a security solutions provider allowed hackers to take control of a player’s account, and to access his confidential data. Corrected since then by Epic Games, this breach made it possible to use the recorded credit card and listen to the games without the players’ knowledge.
Thanks to its team of researchers, security systems publisher Check Point Software Technologies discovered a flaw in the Fortnite video game that potentially affected all registered accounts, 200 million players worldwide. The main version of the game, called Fortnite Battle Royale, consists of a player-to-player battle, with games involving up to 100 players at a time, organized in teams of two or four, or solo. They must scan the map for weapons, objects, and resources. The last team still alive wins the game.
Players can buy V-Bucks, the virtual money of the game, by spending real cash after recording their credit card information, and most often, their parents’ credit card information. These purchases offer no strategic advantage and are mainly used to obtain cosmetic improvements. Despite this, accounts can be resold on specific sites for several hundred dollars, making them a target of choice for hackers. The most common scams use fake sites that promise players free or discounted V-Bucks, encouraging them to identify themselves and therefore give the website their password.
Hacking with a single click
The discovery of the Israeli research team is much more sophisticated and consists of a flaw in the identification through another sub-domain of the publisher Epic Games. The website, dedicated to the results of Unreal Tournament 2004, contained a SQL vulnerability. The team took advantage of this opportunity to steal the user’s OAuth identification token, which allows them to identify themselves with a third-party account, such as Facebook, Xbox Live, Nintendo, Google or PlayStation Network. This token is sufficient to access the player’s account on the site. The attack takes the form of a link, for example by promising promotional V-Bucks. Just clicking on the link allows the pirate to steal the token, no further action is required.
The researchers’ demonstration shows that they were able to access the entire account and even buy virtual currency with the registered credit card. However, the intrusion is not limited to the personal information on the site. By logging into the account, a potential hacker could have followed the discussions in the game, including the audio talks. Any intruder would not only have been able to hear the player talking but also conversations from other people in the background, near the microphone.
The vulnerability is already fixed
Even if fixed with a patch, the fact remains that this breach, not exploited in its current state since discovered by researchers, could encourage pirates to dig deeper into the game’s protections to exploit other vulnerabilities. And this time, it is not sure that the publisher will be informed.