Millions of Fortnite accounts exposed via Epic Games website exploit

Millions of Fortnite players have been exposed to potential security risks thanks to a vulnerability in the massively popular online game.

Researchers from security firm Check Point published a blog discussing their findings after happening upon a website with a particularly worrying vulnerability in the Epic Games’ online ecosystem.

A website meant to track users’ Unreal Tournament 2004 statistics has been removed in the wake of the Check Point investigation, but researchers found worrying exploit potential when digging into its code. This particular site could be used for malicious purposes, including allowing hackers to obtain access to users’ microphones and Fortnite accounts without the need for usernames or passwords by way of capturing authentication tokens.

Check Point Researchers reveal #vulnerabilities that would allow hackers to take over @FortniteGame gamers’ accounts, data and in-game currency. @_CPResearch_: https://t.co/meD1tc90LI #cloud #twofactor #authentication #SSO pic.twitter.com/6FOwHzVpu2

— Check Point Software (@CheckPointSW) January 16, 2019

Authentication tokens would allow anyone looking to wreak some online havoc to use a pilfered Fortnite account as if it were theirs, down to spending with the credit card on file to rack up V-Bucks charges, or even spy on players using the game. There’s a whole wide world of things malevolent users could do with access to the accounts, though fortunately seeing the entire credit card number isn’t an option.

It’s incredibly easy to gain access with this vulnerability in the wild, too, as Check Point noted. Fortnite players have a variety of different ways to log into their accounts via social media, video game profiles on Xbox One, PlayStation 4, Nintendo Switch, and PC, or their Epic Games accounts. Once they log in with their unique token tied to that platform, hackers could simply use the token and the above-mentioned subdomain to transfer access in a redirect from Epic Games to a hacker. It’s not a difficult process for any hackers worth their salt, either.

“If Google sends a token, then it should go to Epic Games, and that’s it,” Oded Vanunu, Check Point’s head of products vulnerability, disclosed to BuzzFeed News. He explained that this exploit could easily be incorporated into a free V-Bucks scam link shared on social media, which could bait even typically savvy Fortnite players.

Epic Games is aware of the issue, and in a statement, a spokesperson told BuzzFeed News that the vulnerability had since been patched. “We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention.”

Unfortunately, Epic Games did not disclose whether or not any accounts were accessed with the vulnerability exposed by Check Point, and if they were, what the severity of the damage was. In any case, this is a good reminder to ensure you protect your accounts on every game and application you use, enable two-factor authentication when possible, and keep a close eye on anything you click on related to the game that doesn’t explicitly come from Epic Games or the official Fortnite social media accounts.

While it’s possible accounts weren’t affected or acted upon, it might be a good idea to go change your Fortnite and Epic Games passwords just in case.