It looks like Epic Games' Fortnite was host to a series of bugs (that have since been fixed) which, if exploited together, could have exposed the accounts of any of its 200 million players.
This isn't the first time Fortnite vulnerabilities have been exploited. Around this time last year, players noticed that hackers had been making fraudulent charges to their accounts after taking advantage of "well-known hacking techniques."
As reported by Check Point, a cybersecurity firm, if the flaws were exploited they would have stolen the account access token set on the player's device once they entered their password. After the access token had been stolen, it could be used to impersonate the player and log in as if they were the account holder without needing their password.
According to these researchers, the flaw lies in how Epic processes login requests. Hackers could send any user a special link that (on the surface) looks as if it came from Epic Games’ own domain. This in turn would allow a hacker to steal an access token needed to break into an account.
As for how the bug worked, the researchers say that after a user clicks on the link, which points to an epicgames.com sub-domain, the hacker would embed a link to malicious code on their own server by exploiting a cross-site weakness in the sub-domain.
Once clicked, with no need for the user to enter any login credentials, their Fortnite username and password could immediately be captured.
Epic has since fixed the vulnerability.
"We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention," said Epic in a statement.
"As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others."
For a more detailed explanation of how the bugs worked, click here.