Epic fixes Fortnite security flaw which left all 200M+ players vulnerable

It looks like Epic Games' Fortnite was host to a series of bugs (that have since been fixed) which, if exploited together, could have exposed the accounts of any of its 200 million players. 

This isn't the first time Fortnite vulnerabilities have been exploited. Around this time last year, players noticed that hackers had been making fraudulent charges to their accounts after taking advantage of "well-known hacking techniques." 

As reported by Check Point, a cybersecurity firm, exploiting the flaws would have let an attacker steal the account access token set on the player's device once they entered their password. After the access token had been stolen, it could be used to impersonate the player and log in as if they were the account holder without needing their password.

According to these researchers, the flaw lies in how Epic processes login requests. Hackers could send any user a special link that (on the surface) looks as if it came from Epic Games’ own domain. This in turn would allow a hacker to steal an access token needed to break into an account.

As for how the bug worked, the researchers say that after a user clicks on the link, which points to an epicgames.com sub-domain, the hacker would embed a link to malicious code on their own server by exploiting a cross-site weakness in the sub-domain.

Once clicked, with no need for the user to enter any login credentials, their Fortnite username and password could immediately be captured.

Epic has since fixed the vulnerability.

"We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention," said Epic in a statement. 

"As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others."

For a more detailed explanation of how the bugs worked, click here.
