Hackers most recently found a security flaw that gave them the ability to control gamers' accounts, make in-game purchases and even enter in-game chats as the hacked player or listen to the hacked player's conversations, according to an Israeli software firm.
Check Point Software Technologies found the vulnerability in the tremendously popular game, the company said in a blog post Wednesday.
"Fortnite" developer Epic Games was notified of the vulnerabilities, and "they were soon addressed," a spokesperson told Variety, a weekly magazine about entertainment.
The flaws were found "in the last few weeks," according to the blog post. Variety reported that the security gaps were discovered in November. It's not clear why accounts of when the flaw was found differ.
One essential ingredient to the would-be hack were third-party single-sign-on (SSO) providers like Google, XBox or Facebook that allow players to login with their username and password from one of the SSOs. After confirming one's details with the SSO, an SSO token is created and logs the user in.
Whereas previous scams directed gamers to fake websites claiming to create "Fortnite's" in-game currency, V Bucks, and required them to enter personal information like credit card details, the technique discovered by Check Point "did not require users to hand over any login details whatsoever," the cybersecurity firm said.
Check Point learned how to hack "Fortnite" by noticing a flaw on login page accounts.epicgames.com. The page was not "validated" and was "susceptible to a malicious redirect," the report notes. The security researchers then redirected traffic from
accounts.epicgames.com to another Epic Games sub-domain, and conducted an attack requiring JavaScript to make a second request to the SSO, which would then send another authentication token.
Due to issues with Epic Games' web infrastructure, those authentication tokens could be stolen when a hacker's malicious JavaScript asked the SSO to send a second token. With the token, the hacker could then run through a player's account and view its data, including personal information. The exploit would also allow the hacker to conduct surveillance on the hacked account's communications with other gamers.