Fortnite topped 200 million registered players at the end of 2018, continuing its run of massive growth and dominance in online gaming. But huge platforms also inevitably have huge targets on their backs. Fortnite has already dealt with its share of digital security issues, particularly scams like imposter Android apps. Now, new research from the IT security firm Check Point reveals a trio of vulnerabilities in Fortnite‘s web infrastructure that could have allowed an attacker to take over user accounts.
Check Point researchers disclosed their findings to Fortnite developer Epic Games at the beginning of November. The company patched the bugs a few weeks later. The flaws are significant, though, because they appeared in Fortnite‘s Single Sign-On setup—a mechanism that allows you to log into multiple services with the same account. Such schemes—using your Facebook account to log into an app, say—make it easier for users to keep track of strong login credentials, and can reduce the security demands on a company looking to outsource some of their authentication infrastructure. But Single Sign-On services can also become a single point of failure that potentially exposes not just user accounts on a single service, but across multiple platforms.
“Applications need to talk to third-parties and need to be able to transfer data between applications and many platforms, not just Epic Games, are making mistakes in their implementation of authentication,” says Oded Vanunu, head of products vulnerability research at Check Point. “Today’s cybercriminals and malicious actors want access to users’ accounts, because once you’re in you can start moving around in the cloud. So account takeovers are an emerging attack vector.”
Fortnite allows you to log in with a Facebook, Google, Play Station Network, Xbox Live, or Nintendo account.
The vulnerabilities the Check Point researchers discovered could be played off each other to produce the attack flow. They combined a flaw in a legitimate Epic Games URL, an issue with a page redirect during the Single Sign-On process, and a database query flaw that could all combine to steal a user’s access token—an authentication code SSO generates after the user submits their correct username and password.
“If this were abused against kids, that would be devastating.”
Oded Vanunu, Check Point
To exploit these flaws an attacker would first craft and distribute a malicious link, perhaps in a social media message or forum post claiming to be about a Fortnite promotion. The link could be shortened, but would be a legitimate Epic Games link anyway, and therefore less suspicious, piggybacking on the vulnerable webpage the researchers found. From there the attack moves swiftly. Fortnite users who clicked the link on a device where they were logged in would instantly expose their authentication token for the attacker to steal. From there, she could log into the Fortnite account herself and start listening in on gameplay conversations, accessing personal data in the user’s account, or making in-game purchases on the account credit card—which could potentially aid criminals’ money laundering schemes. The tokens couldn’t be used to separately take over someone’s Facebook account.
Epic has patched the flaws, but it’s always possible that someone aside from Check Point previously discovered the attack. An Epic Games spokesperson told WIRED, “We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”
The weaknesses in Fortnite are reminiscent of a trio of Facebook bugs that caused the social network’s first full-scale data breach, announced in September. In that case, the attackers similarly abused the three bugs in tandem to steal users’ authentication tokens and take over 30 million accounts. The Facebook hackers seem to have been after personal data, but had full access to do whatever they wanted with victims’ profiles. And while Facebook invalidated the authentication tokens the attackers stole and concluded that they hadn’t been abused beyond Facebook, the situation was an important reminder of the downsides of Single Sign-On schemes.
Check Point’s Vanunu points out that the Fortnite attack is particularly concerning because so many of the game’s users are children. But total account takeover is, of course, a serious concern in any case. “If this were abused against kids, that would be devastating,” Vanunu says. “We want to raise awareness among people who are building new cloud applications to take security very seriously and take time to carefully review the authentication setup.”