Fortnite Security Exploit Could Have Allowed Hackers to Take Over Accounts and Eavesdrop on Users


Security researchers discovered security vulnerabilities in Fortnite that could allow hackers to take control of user accounts. No login details needed. The vulnerabilities were discovered in Epic Games' online platform by Check Point security firm and reported to the company in November. The company silently patched the bugs in December.

These vulnerabilities "could have allowed a threat actor to take over the account of any game player, view their personal account information, purchase V-bucks, Fortnite’s virtual in-game currency and eavesdrop on and record players’ in-game chatter and background home conversations," Check Point report reads.

Epic vs. Apple Lawsuit Takes a Fresh Twist, With Attorneys General for 34 U.S. States Claiming the iPhone Maker ‘Stifles Competition’

"We were made aware of the vulnerabilities and they were soon addressed,” Epic Games said in a statement. "We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others."

However, for once this Fortnite security problem didn't have to do anything with passwords

While Epic Games mentions passwords, this particular issue was actually the game developer's fault. The research team found a vulnerability in some of the Epic Games’ sub-domains that opened ways for phishing attacks.

"By discovering a vulnerability found in some of Epic Games’ sub-domains, an XSS attack was permissible with the user merely needing to click on a link sent to them by the attacker. Once clicked, with no need even for them to enter any login credentials, their Fortnite username and password could immediately be captured the attacker." Check Point (emphasis is ours)

Fortnite has over 80 million players across different platforms, making any vulnerabilities incredibly useful to scammers and attackers. But to its credit, Epic Games was quick to fix the bug.

While this may not have been related to passwords, the company's suggestion to use strong passwords isn't to be ignored. Every now and then we hear about a new Fortnite-related scam or hack so it is strongly advised to use strong passwords and NOT to click on random links just because they read "Fortnite hacks" or "Fortnite cheats"...

Check Point report is available here with more details.