Check Point security researchers discovered vulnerabilities in Epic Games’ website, which could have been used to hack into someone’s Fortnite account. According to CNET, the researchers found the exploit in November 2018, and it was subsequently fixed by Epic this month.
“We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not reusing passwords and using strong passwords, and not sharing account information with others,” an Epic Games spokesperson said.
Unfortunately, this was not an exploit that frequent password changes could have prevented. The vulnerability stemmed from an unsecured URL first created in 2004 for an old Unreal Tournament records page. Before the page was deactivated, an attacker could have used it to capture the access tokens a player uses to log into Epic Games’ servers, and through them the player’s Fortnite account. The attacker would not even need the player’s Epic Games password, because the exploit relied on whichever linked account the player used to log in, such as Facebook, Google, or Xbox Live. Once completed, the exploit would let someone listen in on the victim’s conversations with other players and purchase in-game items with the victim’s credit card.
“Even if you [had] a security product looking for anti-phishing, it wouldn’t catch [the hack] because it’s coming from a legitimate domain,” Check Point head of products vulnerability research Oded Vanunu said. Vanunu went on to encourage players to enable two-factor authentication for their Epic accounts. Doing so won’t protect you from all forms of hacking attempts, but it will help protect you from people trying to get at your account through access tokens. Epic seemingly agrees, as the company released a free Fortnite emote for players who enable two-factor authentication.
“Token hijacking is something that is happening on all major platforms,” Vanunu continued. “We are starting to see malicious attackers looking for tokens more.”