Discovered by the researchers of a publisher of security solutions, a flaw in Fortnite allowed to take control of a player’s account, and access his confidential data. Corrected since, by Epic Games, this gap permitted to use the bank card recorded and listened to the parties without the knowledge of the players.
Thanks to its team of researchers, the security system editor Check Point Software Technologies has discovered a flaw in the Fortnite video game that potentially affected all registered accounts or 200 million players around the world. This game starts with the teams of 100 people, and they search the map for weapons, items, and resources. The last team still alive wins the game.
Players can buy V-Bucks, the virtual money of the game, by spending real money after recording their credit card information, and most often that of their parents. These purchases offer no strategic advantage and are mainly used to obtain cosmetic improvements.
Despite this, accounts can be resold on specific sites for several hundred euros, turning them into a target of choice for hackers. The most common scams use fake sites that promise players free or discounted V-Bucks, prompting them to log in and thus giving the site their password.
The discovery of the Israeli research team is much more sophisticated and consists of a flaw in the identification through another subdomain of the publisher Epic Games.
The site http://ut2004stats.epicgames.com, dedicated to the results of Unreal Tournament 2004, contained a SQL flaw. The researchers were able to use it to steal the user’s OAuth identification token, which allows him to identify himself with a third party account, such as Facebook, Xbox Live, Nintendo, Google or PlayStation Network.
This token is sufficient to access the player’s account on the site. The attack takes the form of a link, V-Bucks on sale. Just clicking on the link allows the hacker to steal the token, no further action is needed.
The researchers’ demonstration shows that they were able to access the entire account and even buy the virtual currency with the bank card registered.
However, the intrusion is not limited to personal information on the site. By logging into the account, a potential hacker could have followed the discussions in the game, including audio talks. Any intruder would have heard not only the player voice but also conversations from other people in the background, near the microphone.
The already corrected flaw
Epic Games promptly responded in a statement to US colleagues:
” We were informed of these vulnerabilities, and we quickly corrected them. We thank Check Point for alerting us. As always, we encourage players to protect their accounts by not reusing the same passwords but different passwords with a high level of security and avoiding sharing their account information with other players. “
Even corrected with a patch, the fact remains that this breach, not exploited in the state since discovered by researchers, could encourage hackers to dig the protections of the game further to use other flaws. And this time, it is not sure that the publisher will be informed.