Fortnite’s Vulnerability: Only the Secure Survive

By Richard Clayton, Research Product Marketing

 

For the last two hundred years, Darwin’s ‘Survival of the Fittest’ theory of natural selection has shaped our view of man’s existence on earth. In the last couple of years, though, Fortnite, the massively popular online game played by millions worldwide, has taken this concept of survival to a whole new level.

 

Played in a virtual world, players of Fortnite are tasked with testing their endurance as they battle other online players for tools and weapons that will keep them secure and the ‘last man standing’. In the last few weeks, however, Check Point Research discovered security vulnerabilities in the game’s login process that could have allowed a threat actor to take over the account of any user, view their personal account information, purchase virtual in-game currency and eavesdrop on in-game chatter as well as home conversations.

Video of Attack:

Previous Fortnite Hacks

 

Created by Epic Games, an American video game developer, Fortnite is the game played by nearly 80 million people worldwide and is responsible for almost half of their $5bn-$8bn estimated company value. With such a meteoric rise in fortune, it is no surprise the popular game has already attracted the attention of cyber criminals set on conning unsuspecting players.

 

These scams previously took the role of deceiving players into logging into fake websites that promised to generate Fortnite’s ‘V-Buck’ in-game currency, a commodity that can usually only be acquired through the official Fortnite store or by earning them in the game itself. These sites promote players to enter their login credentials, as well as personal information like name, address and credit card details (usually of the player’s parents) and are spread via social media campaigns that claim players can “earn easy cash” and “make quick money”.

 

Our team’s research, however, relied on a far more sophisticated and sinister method, that did not require the user to hand over any login details whatsoever. Instead, it took advantage of Epic Games’ use of authentication tokens in conjunction with Single Sign-On (SSO) providers such as Facebook, Google, X-Box and others that are built in to Fortnite’s user login process.

 

The Usual Fortnite Authentication Process

 

For a user to log in to Fortnite using a third party such as Google or Facebook, the below diagram illustrates what process this usually takes.

 

 

 Diagram: Fortnite’s usual token authentication process

 

Due to flaws found in Epic Games’ web infrastructure, though, our researchers were able to identify vulnerabilities with the token authentication process to steal the user’s access token and perform an account takeover.

 

How the Attack Works

 

A flaw was found in Epic Games login page, accounts.epicgames.com. As this domain had not been validated, it was susceptible to a malicious redirect. As a result, our team redirected traffic to another, though not in use, Epic Games sub-domain.

 

It was on this sub-domain, also containing security flaws, that our research team was able to identify an XSS attack to load a JavaScript that would make a secondary request to the SSO provider, for example, Facebook or Google+, to resend the authentication token. The SSO provider would correctly resend the token back to the login page. However, this time due to the malicious redirect, the token would be sent back to the manipulated sub-domain where the attacker is able to collect the token via his injected JavaScript code.

 

For the attack to be successful, all a victim needs to do is click on the malicious phishing link the attacker sends them. To increase the likelihood of a potential victim clicking on this link, for example, it could be sent with an enticement promising free game credits. Once clicked, with no need even for the user to enter any login credentials, their Fortnite authentication token would immediately be captured by the attacker.

 

Diagram: The attack flow to steal a user’s login token and perform an account takeover

 

The Damage Caused

 

With the access token now in the hands of the attacker, he can now log in to the user’s Fortnite account and view any data stored there, including the ability to buy more in-game currency at the user’s expense. He would also have access to all the user’s in-game contacts as well as listen in on and record conversations taking place during game play.

 

Needless to say that along with this massive invasion of privacy, the financial risks and potential for fraud is vast. Users could well see huge purchases of in-game currency made on their credit cards with the attacker funneling that virtual currency to be sold for cash in the real world. After all, as mentioned above we have already seen similar scams operating on the back of Fortnite’s popularity.

 

Key Takeaways

 

It is important that organizations with customer facing online portals, and such like, carry out proper validation checks on the login pages they ask their users to access. They must also perform thorough and regular hygiene checks on their entire IT infrastructure to ensure they have not left outdated and unused sites or access points online. When attackers are constantly on the lookout for the weakest link in your company’s online presence, these often unknown and unprotected pages can easily serve as a backdoor to your enterprise’s main network.

 

It is also strongly advised, as Epic Games also encourages, for users to enable two-factor authentication. By doing so, and when logging into their account from a new device, the user is required to enter a security code that is then sent via email to the account owner.

 

For consumers, previous scams involving Fortnite provide reason for players to only use the official website when downloading or purchasing add-ons for games. It is also important that parents make their children aware of the threat of online fraud and warn them that cyber criminals will do anything to gain access to personal and financial details which may be held as part of a gamer’s online account.

 

The underlying takeaway, however, is to always be vigilant when receiving links sent from unknown sources. After all, for the attack to be successful many phishing attacks do not require any further action from the user other than clicking on the link.

 

Conclusion

 

With so much data stored online, especially in the cloud, the way that data is accessed must be thoroughly reviewed and improved on a regular basis. Despite new regulations such as GDPR, data breaches via account takeovers still occur on an almost daily basis and the damage they cause can easily impact on whether or not an organization lives to fight another day.

 

So, in the ever changing cyber threat landscape, it appears Charles Darwin’s observations perhaps ring more true today than they ever did, for “it is not the strongest of the species that survives, nor the most intelligent, but the one most responsive to change.”

 

For full technical details of this research, please visit Check Point Research.