Millions of Fortnite accounts exposed via Epic Games website exploit
Millions of Fortnite players have been exposed to potential security risks thanks to a vulnerability in the massively popular online game.
Researchers from security firm Check Point published a blog post discussing their findings after happening upon a website with a particularly worrying vulnerability in Epic Games’ online ecosystem.
A website meant to track users’ Unreal Tournament 2004 statistics has been removed in the wake of the Check Point investigation, but researchers found worrying exploit potential when digging into its code. This particular site could be used for malicious purposes, including allowing hackers to obtain access to users’ microphones and Fortnite accounts without the need for usernames or passwords by way of capturing authentication tokens.
Check Point Researchers reveal #vulnerabilities that would allow hackers to take over @FortniteGame gamers’ accounts, data and in-game currency. @_CPResearch_: https://t.co/meD1tc90LI #cloud #twofactor #authentication #SSO pic.twitter.com/6FOwHzVpu2
— Check Point Software (@CheckPointSW) January 16, 2019
Authentication tokens would allow anyone looking to wreak some online havoc to use a pilfered Fortnite account as if it were theirs, down to spending with the credit card on file to rack up V-Bucks charges, or even spy on players using the game. There’s a whole wide world of things malevolent users could do with access to the accounts, though fortunately seeing the entire credit card number isn’t an option.
It’s incredibly easy to gain access with this vulnerability in the wild, too, as Check Point noted. Fortnite players have a variety of different ways to log into their accounts: via social media, video game profiles on Xbox One, PlayStation 4, Nintendo Switch, and PC, or their Epic Games accounts. Once a player logs in and receives the unique token tied to that platform, a hacker could use the above-mentioned subdomain to have that token redirected from Epic Games to the hacker. It’s not a difficult process for any hackers worth their salt, either.
“If Google sends a token, then it should go to Epic Games, and that’s it,” Oded Vanunu, Check Point’s head of products vulnerability, disclosed to BuzzFeed News. He explained that this exploit could easily be incorporated into a free V-Bucks scam link shared on social media, which could bait even typically savvy Fortnite players.
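Vanunu’s point, that a login token should only ever be delivered to the intended Epic Games endpoint, comes down to how strictly the login service checks where it is asked to redirect. The sketch below is an added example, not code from Epic Games or Check Point: the hosts, paths and the "weak" policy are constructed assumptions that contrast trusting every subdomain with exact-match validation of a registered callback.

```javascript
// Added illustration. Hosts and paths are constructed placeholders,
// not Epic Games' real endpoints.
const ALLOWED_REDIRECTS = new Set([
  "https://accounts.example.com/login/callback",
]);

// Weak (assumed) policy: any host under the parent domain may receive the
// token, so one flawed or forgotten subdomain becomes a token sink.
function weakIsAllowed(redirect) {
  try {
    const host = new URL(redirect).hostname;
    return host === "example.com" || host.endsWith(".example.com");
  } catch {
    return false; // unparseable input is rejected
  }
}

// Hardened policy: the normalized URL must equal a registered callback
// exactly (scheme, host, port, path; no userinfo, query or fragment).
function strictIsAllowed(redirect) {
  try {
    return ALLOWED_REDIRECTS.has(new URL(redirect).href);
  } catch {
    return false;
  }
}

// Constructed sample inputs.
const SAMPLES = [
  "https://accounts.example.com/login/callback",
  "https://legacy-stats.example.com/page",
  "http://accounts.example.com/login/callback",
  "https://accounts.example.com/login/callback/../../other",
  "https://accounts.example.com.other.test/login/callback",
  "not a url",
];

// Return the inputs the weak policy accepts but the strict one rejects.
function policyGaps(urls) {
  return urls.filter((u) => weakIsAllowed(u) && !strictIsAllowed(u));
}

for (const u of SAMPLES) {
  console.log(weakIsAllowed(u), strictIsAllowed(u), u);
}
console.log("accepted only by weak policy:", policyGaps(SAMPLES));
```

Every URL that `policyGaps` returns is a destination the weak policy would hand a token to even though it is not the registered callback, which is the kind of gap a legacy site on the same domain opens up.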
Epic Games is aware of the issue, and in a statement, a spokesperson told BuzzFeed News that the vulnerability had since been patched. “We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention.”
Unfortunately, Epic Games did not disclose whether or not any accounts were accessed with the vulnerability exposed by Check Point, and if they were, what the severity of the damage was. In any case, this is a good reminder to ensure you protect your accounts on every game and application you use, enable two-factor authentication when possible, and keep a close eye on anything you click on related to the game that doesn’t explicitly come from Epic Games or the official Fortnite social media accounts.
While it’s possible accounts weren’t affected or acted upon, it might be a good idea to go change your Fortnite and Epic Games passwords just in case.
Brittany Vincent has covered gaming, anime, tech, and entertainment for over a decade. When she’s not writing, she’s replaying Um Jammer Lammy or Day of the Tentacle for the hundredth time while pining for a Harvester sequel. Find her on Twitter @MolotovCupcake.