Fortnite is an extremely popular video game developed by Epic Games. It is played online with other players, and there are more than 80M users across the world. In this game, as with many others, the goal is to stay alive and survive.
While the game is widely played, it should have undergone thorough security testing. It appears this was not the case, as a security flaw left Fortnite users vulnerable. The flaw allowed users to be recorded during play without their knowledge and allowed access to other sensitive data. The issue was discovered by Check Point in November 2018.
The attackers appear to have leveraged an insecure webpage that Epic Games created in 2004. They sent phishing emails to Fortnite users using this old website, and the emails did appear to be from Epic. The attack required very little of the targets: all they had to do was click a link, which gave the attackers access to the users' accounts. The user did not need to log in. This was done through the tried-and-true XSS (cross-site scripting) attack.
When exploited, this vulnerability allowed the attackers to:
a) Take over the Fortnite accounts,
b) Make unauthorized purchases with the user's in-game virtual currency,
c) Eavesdrop on players' chat and record it.
This may have also exposed the users' credit card data and other personal information. Due to this, complaints were filed with the Better Business Bureau. The users alleged Epic Games did not protect their data.
Epic Games took down the 2004 website that caused these issues. The company also recommended that players not reuse passwords, use strong passwords, and not share account information with others, all basic security recommendations.
Our environment is not static; it changes all too often. We need to monitor it frequently to check for issues and updates. A company needs to know its web apps and endpoints, and scan these periodically.
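The inventory-and-scan practice recommended above, as an added example that is not part of the original article: a Python check that reconciles the hosts actually observed for a domain against the maintained asset inventory and flags pages nobody is tracking or scanning. All hostnames, dates and the 90-day threshold are constructed assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed sample data (assumptions, not taken from the incident).
# Inventory: hosts the security team tracks, with the date of the last scan.
INVENTORY = {
    "www.example.com": date(2019, 1, 10),
    "accounts.example.com": date(2019, 1, 12),
    "store.example.com": date(2018, 6, 1),
    "beta.example.com": date(2019, 1, 5),
}
# Hosts observed answering for the domain (e.g. from a DNS zone export).
OBSERVED = [
    "www.example.com",
    "accounts.example.com",
    "store.example.com",
    "stats2004.example.com",  # legacy page missing from the inventory
    "WWW.example.com.",       # same host as the first, spelled differently
]


def normalize(host):
    """Lower-case and strip the trailing dot so one host is not counted twice."""
    return host.strip().lower().rstrip(".")


def audit(inventory, observed, today, max_age_days=90):
    """Return (unknown, overdue, missing) host lists, each sorted.

    unknown: observed but not in the inventory (never scanned)
    overdue: in the inventory and live, but last scan older than max_age_days
    missing: in the inventory but no longer observed (stale inventory entry)
    """
    known = {normalize(h): d for h, d in inventory.items()}
    seen = {normalize(h) for h in observed}
    cutoff = today - timedelta(days=max_age_days)
    unknown = sorted(seen - set(known))
    overdue = sorted(h for h in seen & set(known) if known[h] < cutoff)
    missing = sorted(set(known) - seen)
    return unknown, overdue, missing


if __name__ == "__main__":
    unknown, overdue, missing = audit(INVENTORY, OBSERVED, date(2019, 1, 18))
    print("Not in inventory:", unknown)
    print("Scan overdue:    ", overdue)
    print("Listed, not seen:", missing)
```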
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.