- People think Ghislaine Maxwell was Photoshopped in those In-N-Out photos 7 Months Ago
- People are transfixed by a TikTok cat dancing along to ‘Mr. Sandman’ Today 4:52 PM
- Nazi troll pretending to be antifa in Portland gets outed by internet Today 4:15 PM
- ‘Dear White People’ season 3 reflects the exhaustion of the times—for better or for worse Today 3:59 PM
- ‘Seinfeld’ and ‘Friends’ fans feud over which sitcom is better Today 3:57 PM
- Anti-abortion centers are getting around Google’s misinformation policy Today 3:45 PM
- Twitter, Facebook remove Chinese accounts spreading Hong Kong misinformation Today 3:41 PM
- ‘Mindhunter’ season 2 offers no happy endings Today 3:19 PM
- How to watch ‘The Righteous Gemstones’ online Today 3:03 PM
- ‘Mindhunter’ season 2 brings out the memes Today 2:59 PM
- Rumor suggests the X-Men might battle the Avengers on-screen Today 2:54 PM
- The CDC is investigating cases of severe lung damage linked to vaping Today 2:08 PM
- How to stream the 49ers vs. Broncos on (preseason) Monday Night Football Today 1:24 PM
- Trump thinks Google made 16 million people vote for Clinton Today 12:54 PM
- Danny McBride’s ‘The Righteous Gemstones’ is a wicked televangelist comedy Today 12:46 PM
Millions of Fortnite players have been exposed to potential security risks thanks to a vulnerability in the massively popular online game.
Researchers from security firm Check Point published a blog discussing their findings after happening upon a website with a particularly worrying vulnerability in the Epic Games’ online ecosystem.
A website meant to track users’ Unreal Tournament 2004 statistics has been removed in the wake of the Check Point investigation, but researchers found worrying exploit potential when digging into its code. This particular site could be used for malicious purposes, including allowing hackers to obtain access to users’ microphones and Fortnite accounts without the need for usernames or passwords by way of capturing authentication tokens.
Check Point Researchers reveal #vulnerabilities that would allow hackers to take over @FortniteGame gamers’ accounts, data and in-game currency. @_CPResearch_: https://t.co/meD1tc90LI #cloud #twofactor #authentication #SSO pic.twitter.com/6FOwHzVpu2— Check Point Software (@CheckPointSW) January 16, 2019
Authentication tokens would allow anyone looking to wreak some online havoc to use a pilfered Fortnite account as if it were theirs, down to spending with the credit card on file to rack up V-Bucks charges, or even spy on players using the game. There’s a whole wide world of things malevolent users could do with access to the accounts, though fortunately seeing the entire credit card number isn’t an option.
It’s incredibly easy to gain access with this vulnerability in the wild, too, as Check Point noted. Fortnite players have a variety of different ways to log into their accounts via social media, video game profiles on Xbox One, PlayStation 4, Nintendo Switch, and PC, or their Epic Games accounts. Once they log in with their unique token tied to that platform, hackers could simply use the token and the above-mentioned subdomain to transfer access in a redirect from Epic Games to a hacker. It’s not a difficult process for any hackers worth their salt, either.
“If Google sends a token, then it should go to Epic Games, and that’s it,” Oded Vanunu, Check Point’s head of products vulnerability, disclosed to BuzzFeed News. He explained that this exploit could easily be incorporated into a free V-Bucks scam link shared on social media, which could bait even typically savvy Fortnite players.
Epic Games is aware of the issue, and in a statement, a spokesperson told BuzzFeed News that the vulnerability had since been patched. “We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention.”
Unfortunately, Epic Games did not disclose whether or not any accounts were accessed with the vulnerability exposed by Check Point, and if they were, what the severity of the damage was. In any case, this is a good reminder to ensure you protect your accounts on every game and application you use, enable two-factor authentication when possible, and keep a close eye on anything you click on related to the game that doesn’t explicitly come from Epic Games or the official Fortnite social media accounts.
While it’s possible accounts weren’t affected or acted upon, it might be a good idea to go change your Fortnite and Epic Games passwords just in case.
Brittany Vincent has covered gaming, anime, tech, and entertainment for over a decade. When she’s not writing, she’s replaying Um Jammer Lammy or Day of the Tentacle for the hundredth time while pining for a Harvester sequel. Find her on Twitter @MolotovCupcake.