Multiple Fortnite flaws allowed experts to takeover players’ accounts

Security researchers at Check Point have discovered several flaws in the popular game Fortnite that could be exploited to takeover gamers’account.

Security experts at Check Point discovered several issues in the popular online battle game Fortnite. One of the flaws is an OAuth account takeover vulnerability that could have allowed a remote attacker to takeover gamer accounts tricking players into clicking a specially crafted link.

Remaining flaws discovered by the experts include a cross-site scripting flaw, a SQL injection, and a web application firewall bypass bug.

The figures behind Fortnite are impressive, Fortnite has roughly 80 million monthly players, according to EpicFull, the game is responsible for almost half of their $5bn-$8bn estimated company value

Fortnite allows players log in to their accounts using Sign-On (SSO) implemented by third-party applications, such as Facebook, Google, Xbox, and PlayStation accounts.

“Due to flaws found in Epic Games’ web infrastructure, though, our researchers were able to identify vulnerabilities with the token authentication process to steal the user’s access token and perform an account takeover. ” reads the analysis published by CheckPoint.

The experts demonstrated that was possible to takeover a Fortnite account by chaining a cross-site scripting (XSS) flaw and a malicious redirect vulnerability on the Epic Games’ subdomains.

Researchers initially discovered a vulnerability in the Epic Games login page, accounts.epicgames.com. They noticed that the domain had not been validated and it was susceptible to a malicious redirect. The experts were able to redirect traffic to another Epic Games sub-domain that was not used. This sub-domain was also affected by multiple flaws, including an XSS bug that allowed them to load a JavaScript that would make a secondary request to the SSO provider. The SSO provider (i.e. Facebook or Google) in turn, resends the authentication token. By exploiting the redirect issue, the token sent by the SSO provider is hijacked to the sub-domain under the control of the attackers instead of the login page. The researchers used an injected JavaScript code to capture the token.

“For the attack to be successful, all a victim needs to do is click on the malicious phishing link the attacker sends them. To increase the likelihood of a potential victim clicking on this link, for example, it could be sent with an enticement promising free game credits. Once clicked, with no need even for the user to enter any login credentials, their Fortnite authentication token would immediately be captured by the attacker. ” continues the analysis published by the experts.

For the attack to be successful, all a victim needs to do is click on the malicious phishing link the attacker sends them. To increase the likelihood of a potential victim clicking on this link, for example, it could be sent with an enticement promising free game credits. Once clicked, with no need even for the user to enter any login credentials, their Fortnite authentication token would immediately be captured by the attacker.

Once obtained the token, an attacker could impersonate the victim and act on his behalf (access personal information, buy more in-game currency at the user’s expense, listen in on and record conversations taking place during game play).

“Users could well see huge purchases of in-game currency made on their credit cards with the attacker funneling that virtual currency to be sold for cash in the real world,” continues Check Point.

“After all, as mentioned above we have already seen similar scams operating on the back of Fortnite popularity.”

Checkpoint published a video PoC of the attack:

Check Point reported the flaws to Epic Games that fixed them in mid-December.

Full technical analysis of the flaws is available on Check Point Research.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Fortnite)

[adrotate banner=”5″]

[adrotate banner="13"]