Millions of Fortnite accounts exposed via Epic Games website exploit
Millions of Fortnite players have been exposed to potential security risks thanks to a vulnerability in the massively popular online game.
Researchers from security firm Check Point published a blog post discussing their findings after happening upon a website in Epic Games’ online ecosystem with a particularly worrying vulnerability.
A website meant to track users’ Unreal Tournament 2004 statistics has been removed in the wake of the Check Point investigation, but researchers found worrying exploit potential when digging into its code. This particular site could be used for malicious purposes, including allowing hackers to obtain access to users’ microphones and Fortnite accounts without the need for usernames or passwords by way of capturing authentication tokens.
Check Point Researchers reveal #vulnerabilities that would allow hackers to take over @FortniteGame gamers’ accounts, data and in-game currency. @_CPResearch_: https://t.co/meD1tc90LI #cloud #twofactor #authentication #SSO pic.twitter.com/6FOwHzVpu2
— Check Point Software (@CheckPointSW) January 16, 2019
Authentication tokens would allow anyone looking to wreak some online havoc to use a pilfered Fortnite account as if it were theirs, down to spending with the credit card on file to rack up V-Bucks charges, or even spy on players using the game. There’s a whole wide world of things malevolent users could do with access to the accounts, though fortunately seeing the entire credit card number isn’t an option.
It’s incredibly easy to gain access with this vulnerability in the wild, too, as Check Point noted. Fortnite players have a variety of different ways to log into their accounts via social media, video game profiles on Xbox One, PlayStation 4, Nintendo Switch, and PC, or their Epic Games accounts. Once they log in with their unique token tied to that platform, hackers could simply use the token and the above-mentioned subdomain to transfer access in a redirect from Epic Games to a hacker. It’s not a difficult process for any hackers worth their salt, either.
“If Google sends a token, then it should go to Epic Games, and that’s it,” Oded Vanunu, Check Point’s head of products vulnerability, disclosed to BuzzFeed News. He explained that this exploit could easily be incorporated into a free V-Bucks scam link shared on social media, which could bait even typically savvy Fortnite players.
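The rule Vanunu states, that a login token should only ever be delivered to the site it was meant for, comes down to how strictly a login service validates its post-login redirect target. The sketch below is an added example, not code from Epic Games or Check Point; the host names, path, and function names are hypothetical placeholders, since the article does not give the real ones. It contrasts a loose "any subdomain" check with an exact allowlist.

```python
from urllib.parse import urlsplit

# Hypothetical registered post-login destination (scheme, host, path).
ALLOWED_REDIRECTS = {("https", "accounts.game.example", "/login/complete")}


def weak_is_safe_redirect(target: str) -> bool:
    """Loose check: trusts anything whose host ends with the brand domain."""
    host = urlsplit(target).hostname or ""
    return host.endswith("game.example")


def strict_is_safe_redirect(target: str) -> bool:
    """Exact check: scheme, host and path must match a registered entry."""
    # Reject characters that parsers and browsers interpret differently.
    if target != target.strip() or any(c in target for c in "\\\r\n\t"):
        return False
    try:
        parts = urlsplit(target)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    # Userinfo ("trusted-host@other-host") hides the real destination.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    host = (parts.hostname or "").lower()
    return (parts.scheme.lower(), host, parts.path) in ALLOWED_REDIRECTS


def disagreements(urls):
    """URLs the loose check accepts but the exact allowlist rejects."""
    return [u for u in urls
            if weak_is_safe_redirect(u) and not strict_is_safe_redirect(u)]


# Constructed sample inputs, not taken from the article.
SAMPLES = [
    "https://accounts.game.example/login/complete",    # registered target
    "https://oldstats.game.example/login/complete",    # forgotten subdomain
    "https://notgame.example/login/complete",          # suffix look-alike
    "https://accounts.game.example@attacker.test/login/complete",
    "http://accounts.game.example/login/complete",     # plaintext downgrade
]

if __name__ == "__main__":
    for url in disagreements(SAMPLES):
        print("loose check would send the token to:", url)
```

With the exact allowlist, a legacy site on the same parent domain never receives a token unless it has been registered explicitly.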
Epic Games is aware of the issue, and in a statement, a spokesperson told BuzzFeed News that the vulnerability had since been patched. “We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention.”
Unfortunately, Epic Games did not disclose whether or not any accounts were accessed with the vulnerability exposed by Check Point, and if they were, what the severity of the damage was. In any case, this is a good reminder to ensure you protect your accounts on every game and application you use, enable two-factor authentication when possible, and keep a close eye on anything you click on related to the game that doesn’t explicitly come from Epic Games or the official Fortnite social media accounts.
While it’s possible accounts weren’t affected or acted upon, it might be a good idea to go change your Fortnite and Epic Games passwords just in case.
Brittany Vincent has covered gaming, anime, tech, and entertainment for over a decade. When she’s not writing, she’s replaying Um Jammer Lammy or Day of the Tentacle for the hundredth time while pining for a Harvester sequel. Find her on Twitter @MolotovCupcake.