Players who love to indulge in online battle should exercise caution when playing Fortnite, according to researchers at Check Point who have disclosed vulnerabilities that could give a malicious actor access to a user’s account and their V-Bucks.
In addition to gaining full access to a user’s account, an attacker who exploited the vulnerability – which has now been fixed – could have eavesdropped on a player’s in-game conversations, potentially also picking up any sounds in the background where the game was being played, researchers said.
According to today’s press release, an attacker could have stolen login credentials by exploiting three flaws found in the web infrastructure of Epic Games, specifically in compromised sub-domains through which the malicious actor could intercept authentication tokens.
The attack, which reportedly could be executed in a single click, would grant an attacker the ability to purchase virtual in-game currency using the victim’s payment card details; that currency could then be sold for real money outside the game.
“Researchers were able to demonstrate the token-based authentication process used in conjunction with Single Sign-On (SSO) systems such as Facebook, Google and Xbox” and reported the vulnerability to Epic Games, the press release stated.
“Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy,” said Oded Vanunu, head of products vulnerability research for Check Point, in a press release.
“Together with the vulnerabilities we recently found in the platforms used by drone manufacturer DJI, show how susceptible cloud applications are to attacks and breaches. These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability,” continued Vanunu.
Still, Check Point advised players to remain vigilant and use discretion when sharing information online and cautioned that because of the increasing popularity and success of phishing campaigns, players should keep in mind that there are many dubious and dangerous links that should not be trusted.