A weakness in Epic Games’ authentication process for the highly popular Fortnite left gamers’ accounts exposed to takeover. An attacker could have stolen login tokens just by tricking the victim into clicking a link.
The combination of an unvalidated redirect on one subdomain and cross-site scripting (XSS) on another allowed security researchers to bypass the protections of the single sign-on (SSO) access control mechanism used for logging into Fortnite.
SSO is good if the login page is not vulnerable
When properly implemented, SSO shifts the authentication responsibility to a trusted third party (Google, Facebook, Xbox, PlayStation), which authorizes access to the resource with an access token.
Taking advantage of the flaws, security researchers at Check Point were able to request the authentication token from the SSO provider a second time and have it redirected to a vulnerable page from which it could be stolen.
Epic Games’ login page at accounts.epicgames.com did not validate its redirect destination, so the login flow could be sent to another online location.
A successful attack requires the victim to click on a phishing link. Once the user authenticates into Fortnite, the login page redirects to the attacker’s page, which asks the SSO provider for the access token. The provider complies and the attacker gets the token.
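The root cause described above is a login page that accepts an unvalidated redirect destination. The following is an added example, not Epic Games’ code or Check Point’s proof of concept: it puts the weak pattern (return whatever destination was requested) beside a hardened allowlist check that only permits same-origin relative paths or absolute HTTPS URLs whose host matches exactly. The host accounts.example.com, the function names and the sample inputs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical trusted login host for this example (not Epic's configuration).
TRUSTED_HOSTS = {"accounts.example.com"}
DEFAULT_LANDING = "https://accounts.example.com/"


def redirect_unvalidated(redirect_url: str) -> str:
    """Weak pattern: hands back whatever destination the request asked for.

    Any external location is accepted, so a completed login (and whatever the
    next step of the flow carries) can be sent to a page the site does not own.
    """
    return redirect_url


def safe_redirect(redirect_url: str, default: str = DEFAULT_LANDING) -> str:
    """Hardened version of the same check.

    Accepts only:
      * relative paths on this origin ("/account/settings?tab=1"), or
      * absolute URLs with scheme https and a host that is exactly allowlisted.
    Everything else falls back to a fixed landing page.
    """
    if not redirect_url:
        return default
    parts = urlsplit(redirect_url.strip())

    # No scheme and no netloc: a relative reference. Protocol-relative forms
    # ("//host/...") carry a netloc and are handled as absolute URLs below.
    if parts.scheme == "" and parts.netloc == "":
        # Require a single leading "/" and reject backslashes, which some
        # browsers normalise into a second slash (turning the path into a host).
        if (parts.path.startswith("/")
                and not parts.path.startswith("//")
                and "\\" not in redirect_url):
            return urlunsplit(("", "", parts.path, parts.query, ""))
        return default

    # Absolute URL: scheme must be https and the host must match exactly.
    # Using .hostname (not .netloc) strips any "user@" prefix and port, so
    # "https://accounts.example.com@other.example/" resolves to other.example.
    if parts.scheme.lower() != "https":
        return default
    host = (parts.hostname or "").lower()
    if host not in TRUSTED_HOSTS:
        return default
    return urlunsplit(("https", parts.netloc, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate destinations, then the usual
    # bypass shapes a validator must reject.
    samples = [
        "https://accounts.example.com/profile?x=1",
        "/account/settings?tab=1",
        "https://other.example/",
        "https://accounts.example.com.other.example/",
        "//other.example/x",
        "https://accounts.example.com@other.example/",
        "http://accounts.example.com/",
    ]
    for s in samples:
        print(f"{s!r:50} -> {safe_redirect(s)}")
```

Only the weak variant would let the login flow land on a third-party page; the hardened variant sends every non-allowlisted destination to the fixed landing page. Matching the host exactly against an allowlist, rather than with a prefix or substring test, is what defeats look-alike hosts such as accounts.example.com.other.example.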
An attack of this type is far from sophisticated, but it requires some technical knowledge and is considerably more advanced than the run-of-the-mill phishing scams or the password guessing and brute-forcing that usually target Fortnite accounts.
Because of this, Check Point told internetnewsblog that the flaws it uncovered and reported to Epic Games could have been exploited. However, this is difficult to confirm because of the numerous login-stealing attacks that targeted Fortnite over the past year.
Check Point has released a video showing the exact steps of the attack and how easy it would have been to trick a Fortnite user into clicking the wrong link.
Epic Games fixed the issues in early December and did not say if they were exploited before that.
Crooks are after the in-game currency
“With the access token now in the hands of the attacker, he can now log in to the user’s Fortnite account and view any data stored there, including the ability to buy more in-game currency at the user’s expense. He would also have access to all the user’s in-game contacts as well as listen in on conversations taking place during gameplay,” Check Point says.
Fortnite players are often targeted for the V-Bucks (short for Vindertech Bucks or Vinderbucks) in their accounts, an in-game currency that can be used to get cosmetic items for your character or to give it a competitive advantage through weaponry.
Since real money is involved, criminals often use Fortnite to launder their proceeds by buying V-Bucks with stolen credit cards. The in-game currency is then sold at a discounted price. At the moment, 1,000 V-Bucks cost $10.