Slashdot Mirror


Fortnite Bugs Gave Hackers Access To Millions of Player Accounts, Researchers Say (techcrunch.com)

Researchers at cybersecurity firm Check Point say three vulnerabilities chained together could have allowed hackers to take control of the account of any of Fortnite's 200 million players. "The flaws, if exploited, would have stolen the account access token set on the gamer's device once they entered their password," reports TechCrunch. "Once stolen, that token could be used to impersonate the gamer and log in as if they were the account holder, without needing their password." From the report: The researchers say that the flaw lies in how Epic Games, the maker of Fortnite, handles login requests. Researchers said they could send any user a crafted link that appears to come from Epic Games' own domain and steal an access token needed to break into an account.

Here's how it works: The user clicks on a link that points to an epicgames.com subdomain; by exploiting a cross-site weakness in that subdomain, the hacker has embedded in the page a link to malicious code hosted on their own server. Once the malicious script loads, unbeknownst to the Fortnite player, it steals their account token and sends it back to the hacker. "If the victim user is not logged into the game, he or she would have to log in first," a researcher said. "Once that person is logged in, the account can be stolen." Epic Games has since fixed the vulnerability.
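The chain above rests on a subdomain that was trusted as much as the real login host, so the crafted link could look like it came from Epic's own domain. The following is an added example (not code from Check Point, TechCrunch or Epic) contrasting a redirect-target check that trusts any host under the parent domain with one that accepts only an exact allowlist. It assumes a login flow that accepts a post-login return URL; the report does not name that parameter, and all hosts below are constructed.

```python
"""Strict validation of a post-login return URL (added example, constructed hosts).

Assumption: the login handler receives a URL to send the user to after
authentication. A weak check trusts every host under the parent domain, so a
forgotten subdomain with a cross-site weakness is as trusted as the real
login page. The strict check trusts only an exact list of hosts.
"""
from urllib.parse import urlsplit

# Constructed allowlist: exact hosts that may receive a freshly logged-in user.
ALLOWED_HOSTS = frozenset({"accounts.example.com", "www.example.com"})
PARENT_DOMAIN = "example.com"  # constructed stand-in for the real parent domain


def weak_redirect_check(url: str) -> bool:
    """Suffix match on the parent domain: any subdomain passes."""
    host = (urlsplit(url).hostname or "").lower()
    return host == PARENT_DOMAIN or host.endswith("." + PARENT_DOMAIN)


def strict_redirect_check(url: str) -> bool:
    """Accept only https URLs whose host is exactly on the allowlist.

    Embedded credentials and explicit ports are rejected outright: neither
    belongs in a return URL and both are common ways to disguise the real host.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None or port is not None:
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    return host in ALLOWED_HOSTS


def classify(url: str) -> dict:
    """Run both checks so the difference is visible side by side."""
    return {"url": url, "weak": weak_redirect_check(url), "strict": strict_redirect_check(url)}


# Constructed sample return URLs, mirroring the shapes a defender cares about.
SAMPLES = [
    "https://accounts.example.com/dashboard",          # legitimate
    "https://old-stats.example.com/page",              # forgotten subdomain
    "https://accounts.example.com.attacker.test/",     # lookalike host
    "http://accounts.example.com/",                    # downgrade to http
    "https://accounts.example.com@attacker.test/",     # userinfo trick
]

if __name__ == "__main__":
    for row in (classify(u) for u in SAMPLES):
        print(f"weak={row['weak']!s:5} strict={row['strict']!s:5} {row['url']}")
```

The forgotten-subdomain line is the one that matters here: the weak check passes it, the strict one does not. An allowlist alone is not sufficient, though; if the token is written somewhere that page script can read, any cross-site weakness on an allowed host still exposes it, which is why the token should also be kept out of script reach (for example in an HttpOnly cookie) rather than placed in the URL or page.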

27 comments

  1. Re: Why is Pelosi such a TRAITOR? by Anonymous Coward · · Score: 0, Funny

    Answer me that. Is it the dementia, Alzheimer's, or BOTH?

  2. Re:Why is Vladimir Putin defending Trump suddenly by Anonymous Coward · · Score: 0, Informative

    I guess Democrats got tired of being called traitors all these years so they have to keep making shit up.

    Sadly, the left and Democrats are traitors and should be treated as such. Prison is too good for them.

  3. It wuz haxx0rz! by Anonymous Coward · · Score: 0

    Nope, just BeauHD getting off on clickbait.

    "Hackers" is here again code for "we fucked up but we'll blame the bogeyman anyway".

  4. Re: Why is Pelosi such a TRAITOR? by Anonymous Coward · · Score: 0

    I'd sure love to be the meat in a Nancy Pelosi / Kellyanne Conway sandwich. Hawt!

  5. of course by phantomfive · · Score: 2

    It worked for the devs. Why test every corner case? Why even think about that? It was passing the unit tests, and everyone is doing token based auth.

    --
    "First they came for the slanderers and i said nothing."

    1. Re:of course by Anonymous Coward · · Score: 1

      Flawless code takes infinitesimal effort. At some point you just have to ship. The most important moral when internetting is not to put all your eggs in one basket because someone else is eventually going to take a basket.

    2. Re:of course by phantomfive · · Score: 2

      We're not talking about some complex algorithm here. This isn't machine learning, it's not something experimental. It isn't something new. Log-in code is something that we've known how to do for decades.

      If you can't be bothered to test it, then use a library written by someone who did.

      --
      "First they came for the slanderers and i said nothing."

    3. Re:of course by Anonymous Coward · · Score: 0

      infinitesimal == next to zero. I don't think you meant to write 'Flawless code takes no effort'.

    4. Re: of course by Anonymous Coward · · Score: 0

      "we've known"

      Who are "we"? Your gay club butt buddies?

    5. Re: of course by Anonymous Coward · · Score: 0

      You are insinuating that he is a member of a "gay club", but I fail to see how you deduced this based on the information given in his post.

  6. Re: Why is Pelosi such a TRAITOR? by Anonymous Coward · · Score: 0

    Well, that is because Fortnite implemented reverse security in the client. The service responds to access requests; it doesn't make those requests.

  7. The user clicks on a link, by Anonymous Coward · · Score: 1

    Sure some people are dumb but honestly who clicks any link they aren't expecting?

    1. Re: The user clicks on a link, by Anonymous Coward · · Score: 0

      Affiliate code stuffers tucked in right where you would expect them

    2. Re:The user clicks on a link, by locopuyo · · Score: 1

      "millions" according to the shitty click bait headline

    3. Re:The user clicks on a link, by Anonymous Coward · · Score: 0

      Because there are plentiful ways to mislead people into clicking on a link. Even a careful person could fall for it once in a while. It is just how the attacker crafts the message in order to entice/mislead the recipient into clicking on it.

  8. Re: Why is Pelosi such a TRAITOR? by Anonymous Coward · · Score: 0

    If fortnite were the government they would have done it the other way and twice on Sunday but they are not. Capiche?

  9. Doesn't Fortnite have anti-cheat? by Anonymous Coward · · Score: 0

    Yet all it does is stop Linux users from playing, not actual cheaters. Funny, that.

    CAP = obvious

  10. It would probably improve my score by wed128 · · Score: 1

    I played a little bit of Fortnite, and found it incredibly difficult. I hope my account gets stolen because whoever steals it is invariably better at Fortnite than me.

    1. Re:It would probably improve my score by Locke2005 · · Score: 1

      Yeah, I let other people play on my daughter's account, to up her stats!

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.

  11. This explains a lot by kmg90 · · Score: 1

    This explains how my Epic account was breached last year even though it used a UNIQUE password. $600 was withdrawn from my PayPal account (a saved prior authorization that was immediately removed after this incident) within a matter of 30 seconds.

    Even after enabling 2FA my account was still breached, my user name was changed to random alphanumeric nonsense and my friends' list deleted. It wasn't until I changed my password that the unauthorized activity stopped... apparently killing any existing valid authentication tokens.

    So there are two ways this could have happened:

    1. Epic's account database was compromised (possible but no public breach has ever been announced)
    2. Some exploit in authenticating account access

  12. I'm confused by Locke2005 · · Score: 1

    If somebody takes over your account, can't you just create a new account? Seems like all you would lose would be your friend lists... unless you were stupid enough to actually buy in-game items that are purely cosmetic.

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.