- Epic Games’ Fortnite is found to have many security vulnerabilities that can allow threat actors to snatch personal information of online players.
- Security firm Check Point has come up with an analysis showing these vulnerabilities.
Popular online game Fortnite has now become a breeding ground for malicious entities thanks to security vulnerabilities found in the game. Cybersecurity firm Check Point identified the online platform for security loopholes and documented various threats that could hijack players’ accounts.
Security issues associated with Fortnite mainly revolved around the makers’ subdomains.
“By discovering a vulnerability found in some of Epic Games’ sub-domains, an XSS attack was permissible with the user merely needing to click on a link sent to them by the attacker. Once clicked, with no need even for them to enter any login credentials, their Fortnite username and password could immediately be captured the attacker,” wrote Check Point in their research.
SQL Injection + XSS attack
The sub-domain ‘http://ut2004stats.epicgames.com’ led the researchers to elements of a possible SQL injection vulnerability. DIving further into it, they found out that a web application firewall (WAF) was working incorrectly.
Furthermore, the sub-domain had a web page called ‘maps’ which had a misplaced search bar acting as an injection gateway for XSS vulnerability.
After a few days, Check Point’s researchers observed the Single Sign-On(SSO) implementations used by Epic Games. It turned out that it could be redirected to other links after users logged in, thus making attackers opt for a XSS attack. This can allow threat actors to modify the victims’ Fortnite account. Suppose if the victim has credit card details to make in-game purchases, these details can easily be scooped off.
To much relief of the gamers, Epic Games has patched this vulnerability when Check Point performed the analysis and informed the game maker of the issue.