Fortnite vulnerabilities put millions of players at risk
Researchers from global security company Check Point have shared details of vulnerabilities that could have affected any player of the popular online battle game, Fortnite.
The Epic Games offering has almost 80 million players globally, and is popular across all platforms, including Android, iOS, PC via Microsoft Windows and consoles such as Xbox One and PlayStation 4.
As well as casual players, Fortnite is used by professional gamers who stream their sessions online.
Due to its popularity, this is not the first time Fortnite has caught the eye of cyber attackers. Previous scams attempted to trick players into logging into fake Web sites with promises of generating the game's 'V-Buck' in-game currency, which can usually only be bought through the official store or earned while playing the game.
The illegitimate sites prompted players to enter game logins and other personal information, including name, address and credit card details.
More sophisticated, sinister
According to Check Point's researchers, the new vulnerability is far more sophisticated and sinister, and requires no handing over of any login credentials.
The vulnerability, found in some of Epic Games' sub-domains, could allow a cross-site scripting (XSS) attack if the user clicks on a link sent to them by the cyber criminal.
An XSS attack is a type of injection in which malicious scripts are injected into otherwise harmless and legitimate Web sites. Once the victim clicks the link, their game username and password could fall into the hands of attackers without the victim having to enter any details.
If exploited, the vulnerability would have given the cyber criminals total access to the user's account and their personal information, and would have allowed them to buy virtual in-game currency using the target's payment card details.
In addition, it would have enabled a massive invasion of privacy as the threat actor could eavesdrop on in-game chatter, as well as surrounding sounds and conversations in any location the victim was playing the game.
The researchers said the potential exploit originated from flaws found in two of Epic Games' sub-domains that were susceptible to a malicious redirect, allowing users' legitimate authentication tokens to be intercepted by a hacker from the compromised sub-domain.
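The article does not publish the redirect mechanics, so the following added example (not from the article and not Epic Games' code) assumes a login flow that sends the user, along with a token, to a caller-supplied redirect URL. It contrasts a check that trusts every sub-domain with one that accepts only exact, pre-registered destinations; the `game.example` hosts, paths and function names are hypothetical.

```javascript
// Added example: hosts, paths and function names are hypothetical.
// Exact destinations (origin + path) that may receive a login token.
const ALLOWED_REDIRECTS = new Set([
  "https://accounts.game.example/login/callback", // constructed sample value
]);

// Weak check: trusts any sub-domain of the parent domain, so a single
// flawed sub-domain is enough to receive (and leak) the token.
function weakIsAllowed(redirectUrl) {
  try {
    return new URL(redirectUrl).hostname.endsWith(".game.example");
  } catch {
    return false; // unparseable input
  }
}

// Hardened check: https only, no embedded credentials, and an exact match
// on origin + path. The URL parser normalises default ports and "../"
// segments before the comparison, so those tricks do not bypass it.
function strictIsAllowed(redirectUrl) {
  let u;
  try {
    u = new URL(redirectUrl);
  } catch {
    return false;
  }
  if (u.protocol !== "https:") return false;
  if (u.username || u.password) return false;
  return ALLOWED_REDIRECTS.has(u.origin + u.pathname);
}

// Fall back to a fixed page instead of echoing an untrusted destination.
function pickRedirect(requested) {
  const fallback = "https://accounts.game.example/login/callback";
  return strictIsAllowed(requested) ? requested : fallback;
}
```
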
Massive invasion of privacy
Oded Vanunu, head of products vulnerability research for Check Point, says the flaws provided the ability for an enormous invasion of privacy. In conjunction with the vulnerabilities Check Point recently discovered in the platforms used by drone manufacturer DJI, these flaws highlight how susceptible cloud applications are to attacks and breaches.
"These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability," he adds.
Check Point has notified Epic Games of the vulnerability, which has now been fixed. However, it advises users to remain vigilant whenever exchanging information digitally, and to practise safe cyber habits when engaging with others online.
"Users should also question the legitimacy of links to information seen on user forums and Web sites."
Moreover, to lessen the chances of falling foul of attacks of this nature, the company advises users to enable two-factor authentication, meaning that when logging into their account from a new device, the player would need to enter a security code sent to the account-holder's e-mail address or mobile phone.