Security experts uncovered a hole in the Fortnite sign-on process. A single wrong click was enough for hackers to get the data. 80 million accounts were potentially at risk.

Israeli Ethical Hacking

Who are the security experts? The company is called “Check Point”, an Israeli security company. Its experts went looking for security vulnerabilities in Fortnite and actually found some. They are basically “hackers on the side of good.”

Why they tested Fortnite: The company says the online game Fortnite is such an important target because it logs in 80 million accounts every month. This is the probable number of active players assumed by the security company.

These players have personal information, credit card information and other sensitive information associated with their accounts. Hackers can access this data and sell it. As the head of the “Check Point” researchers says, platforms like Epic are increasingly in the focus of hackers because so much sensitive data is stored there. In addition, there is a lively market for such accounts, some of which have prestigious skins.

The Problem

Experts identified three vulnerabilities in Epic Games’ server structure and exploited them. This is partly because Epic wants to make it as easy as possible for players to log into Fortnite. Therefore, Epic allows access through “third parties” such as Google or Facebook.

This process creates an “authentication” token. The attackers were able to pick this up because the login page “accounts.epicgames.com” was vulnerable to a redirect. The attackers could therefore load JavaScript on another page of Epic Games’ website, to which players were then lured, and so get access to the login data.
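A defensive sketch of the check that guards against this kind of redirect flaw, added here as an example and not taken from Epic Games or Check Point: the login service compares the requested post-login redirect against an exact list of origins, so that another host under the same parent domain is not trusted implicitly. The example.com hosts, `ALLOWED_ORIGINS` and `safeRedirectTarget` are hypothetical names.

```javascript
// Added example: exact-origin validation of a post-login redirect target.
// All hosts below are constructed placeholders, not real service names.
const LOGIN_ORIGIN = "https://accounts.example.com";
const FALLBACK = "https://www.example.com/";

// Only origins listed here may receive the user (and any token) after login.
// Matching is exact: no suffix, substring or wildcard-subdomain comparison.
const ALLOWED_ORIGINS = new Set([
  LOGIN_ORIGIN,
  "https://www.example.com",
  "https://store.example.com",
]);

function safeRedirectTarget(raw) {
  if (typeof raw !== "string" || raw.length === 0) return FALLBACK;

  // Backslashes and control characters are normalised differently by
  // browsers and servers, so refuse them instead of guessing.
  if (/[\u0000-\u001f\\]/.test(raw)) return FALLBACK;

  let url;
  try {
    // Relative values such as "/profile" resolve against the login origin.
    url = new URL(raw, LOGIN_ORIGIN);
  } catch {
    return FALLBACK;
  }

  // Rejects javascript:, data: and plain http: targets.
  if (url.protocol !== "https:") return FALLBACK;

  // "https://www.example.com@other.test/" puts the trusted name in userinfo.
  if (url.username || url.password) return FALLBACK;

  // Compare the parsed origin, never the raw string.
  if (!ALLOWED_ORIGINS.has(url.origin)) return FALLBACK;

  return url.href;
}
```
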

What did players have to do wrong?

For the hack, it was enough for players to click on a “redirecting link”, such as a link in an email that promised them free V-Bucks, a popular lure. As soon as the players clicked on the link, the hackers already had the data.

The players did not even have to enter their account data. What hackers could have done with the data: The attackers could have charged the credit cards, picked up data or listened to the in-game chat. The people at Check Point shared all findings with Epic Games before publishing. Epic has now closed the security holes, as Forbes reported.

The experts’ recommendations

The company recommends that every customer rely on two-factor authentication. Epic agrees. The pros advise companies like Epic to work with other major gaming companies. Blizzard, they say, has had the same problems for years. An industry that makes billions, they argue, has to share its methods with others, showing that it cares about the well-being of its customers and fans.

So will Fortnite manage to block the hackers, or will hackers continue to exploit Fortnite’s somewhat fragile security? Only time will tell.