Fortnite Vulnerability Put Millions of Players at Risk

Gaming, Jan 16, 2019

Researchers from Check Point Software Technologies discovered security vulnerabilities in Fortnite’s login process that could have allowed a threat actor to take over the account of any user, view their personal account information, purchase virtual in-game currency and eavesdrop on in-game chatter as well as home conversations.

Created by Epic Games, an American video game developer, Fortnite is played by nearly 80 million people worldwide and accounts for almost half of the company's estimated $5bn-$8bn value.

Previous scams relied on deceiving players into logging in to fake websites that promised to generate Fortnite’s ‘V-Buck’ in-game currency, a commodity that can usually only be acquired through the official Fortnite store or by earning it in the game itself. These sites prompt players to enter their login credentials, as well as personal information such as name, address and credit card details (usually those of the player’s parents), and are spread via social media campaigns that claim players can “earn easy cash” and “make quick money”.

Check Point's researchers, however, relied on a far more sophisticated and sinister method that did not require the user to hand over any login details whatsoever. Instead, it took advantage of Epic Games’ use of authentication tokens in conjunction with Single Sign-On (SSO) providers such as Facebook, Google, Xbox and others that are built into Fortnite’s user login process.

Due to flaws found in Epic Games’ web infrastructure, the researchers were able to identify vulnerabilities in the token authentication process that let them steal the user’s access token and perform an account takeover.

A flaw was found in the Epic Games login page, accounts.epicgames.com. As this domain had not been validated, it was susceptible to a malicious redirect. As a result, Check Point's team redirected traffic to another Epic Games sub-domain, one that was not in use.

It was on this sub-domain, which also contained security flaws, that the research team was able to identify an XSS attack to load JavaScript that would make a secondary request to the SSO provider, for example Facebook or Google+, to resend the authentication token. The SSO provider would correctly resend the token back to the login page. This time, however, because of the malicious redirect, the token would be sent on to the manipulated sub-domain, where the attacker is able to collect it via his injected JavaScript code.
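The redirect weakness described above comes down to how a login endpoint decides where a token-bearing response may be sent. The following is an added example, not code from Epic Games or Check Point: it contrasts a check that trusts every sub-domain of a parent domain with an exact-match allowlist. All host names, paths and function names are constructed for illustration.

```javascript
// Added example. Host names and paths are constructed placeholders.
// Exact host -> path prefix that may receive the post-login redirect.
const ALLOWED_REDIRECTS = new Map([
  ["accounts.example.com", "/login/complete"],
  ["store.example.com", "/sso/return"],
]);
const FALLBACK = "https://accounts.example.com/login/complete";

// Weak check: any sub-domain of the parent domain is trusted, so a
// forgotten host with an XSS flaw is accepted as a token destination.
function weakIsAllowed(target) {
  try {
    return new URL(target).hostname.endsWith(".example.com");
  } catch {
    return false;
  }
}

// Strict check: absolute https URL, exact host, default port,
// no embedded credentials, and a fixed path prefix.
function strictIsAllowed(target) {
  let url;
  try {
    url = new URL(target); // throws on relative or malformed input
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;
  if (url.username || url.password || url.port !== "") return false;
  const prefix = ALLOWED_REDIRECTS.get(url.hostname);
  if (prefix === undefined) return false;
  return url.pathname === prefix || url.pathname.startsWith(prefix + "/");
}

// Return the normalized target if allowed, otherwise a fixed safe page.
function resolveRedirect(target) {
  return strictIsAllowed(target) ? new URL(target).href : FALLBACK;
}

// Constructed inputs: an allowed return URL and an unused sibling sub-domain.
for (const t of [
  "https://accounts.example.com/login/complete?state=abc",
  "https://old-promo.example.com/page?q=1",
]) {
  console.log(t, "weak:", weakIsAllowed(t), "strict:", strictIsAllowed(t));
}
```

The strict check closes the redirect step only; an unused sub-domain that still serves pages with an XSS flaw also needs to be fixed or decommissioned.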

For the attack to be successful, all a victim needs to do is click on the malicious phishing link the attacker sends them. To increase the likelihood of a potential victim clicking on this link, it could, for example, be sent with an enticement promising free game credits. Once the link is clicked, with no need even for the user to enter any login credentials, their Fortnite authentication token would immediately be captured by the attacker.

With the access token in his hands, the attacker can log in to the user’s Fortnite account and view any data stored there, and can also buy more in-game currency at the user’s expense. He would also have access to all the user’s in-game contacts and could listen in on and record conversations taking place during game play.

Along with this massive invasion of privacy, the financial risks and potential for fraud are vast. Users could well see huge purchases of in-game currency made on their credit cards, with the attacker funneling that virtual currency to be sold for cash in the real world.

Epic Games recently fixed the flaw, the Israeli cyber security company said. The company encourages users to enable two-factor authentication. With it enabled, a user logging in to their account from a new device is required to enter a security code that is sent via email to the account owner.

Tags: Fortnite, Hacking