With over 80 million players globally, Fortnite stands out as an undisputed champion of online gaming. Fortnite is developed by Epic Games, an American game developer. However, it seems that the same cannot be said for Epic Games when it comes to security and the protection of user data. Fortnite accounts for around 50% of Epic Games’ estimated value of $8.5 billion. Considering this meteoric rise, it is only reasonable to expect that the game has already attracted a plethora of attackers.
Who found the vulnerability?
Multiple vulnerabilities were found in Fortnite’s online platform by Check Point’s research team in November and December 2018. If successfully exploited, these vulnerabilities would have allowed an attacker to:
- Take complete control over a user’s account
- View their personal information
- Purchase V-bucks (the virtual in-game currency of Fortnite)
- Record in-game conversations as well as background conversations
How was the vulnerability exploited?
The users, i.e. online players, were deceived into logging into fake websites which promised that V-bucks could be generated from those sites. It must be noted that V-bucks can only be purchased from Fortnite’s online store or earned in the game. These websites prompted a gamer to enter personal information such as Fortnite username and password, payment information, address, etc. Such scams spread like wildfire via various social media platforms.
On the other hand, the Check Point research team found certain vulnerabilities in old sub-domains of Epic Games which did not require a user to hand over login details in any form. Due to these vulnerabilities, an XSS attack could be carried out that required a user merely to click on a link sent by the researchers. As soon as a user clicked on this link, the researchers were able to capture the login details, even before the user actually landed on the web page associated with the link.
What did Epic Games do?
The research team at Check Point duly reported these vulnerabilities to Epic Games. Accordingly, Epic Games fixed these vulnerabilities and the risks were successfully mitigated.
Is this the first time?
There were multiple reports in the first few months of 2018 that user accounts were being hacked and that various purchases were being made from Fortnite’s online store using those accounts. By the end of March 2018, a sizeable number of users had come forward on social media platforms to share their stories. The attackers then started selling Fortnite accounts and game codes for significantly less than the actual price on the Fortnite store. In the end, security experts around the world largely blamed the poor security controls and techniques implemented by Epic Games.
Information security is a vital component of business continuity management and risk management. In 2019, an organization cannot afford to neglect investing appropriate human, technical, and financial resources in the security of its technical infrastructure. The latest vulnerability found in Fortnite’s online platform, as well as last year’s incident, clearly shows Epic Games’ lax attitude towards its security.