With a game as widely played as Fortnite, the potential for security holes gets bigger with the sheer number of people playing. A rather nasty one found in Fortnite, and stamped out by Epic just recently, shows how bad some of these can get.
According to a report from Variety, an exploit was discovered in November that allowed hackers to completely take control of someone else’s account. The bug, found by security firm Check Point Technologies Software, made every part of the account vulnerable: the attacker could buy items using the victim’s credit card and even pose as the victim in the game’s chats.
This was accomplished without any need for login information. Authorization tokens passed through Epic’s sub-domains, where hackers could intercept them through a redirect. The token thief would then be able to simply log in as the person whose token they intercepted. There was still some phishing involved, though the link the victim had to click looked identical to Epic’s own.
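One defensive check for the class of issue described above is to restrict where a login flow may send a token. The following is an added example, not code from the article, Check Point or Epic: it compares a check that trusts any sub-domain with an exact allowlist of registered callbacks. The host names, paths and function names are hypothetical, and it assumes registered callbacks carry no query string of their own.

```javascript
// Added example. Hosts, paths and function names are hypothetical, not Epic's.
const ALLOWED_REDIRECTS = new Set([
  "https://accounts.example-game.test/login/callback",
  "https://store.example-game.test/sso/return",
]);

// Weak: trusts every sub-domain, so one forgotten or flawed host under the
// domain becomes a valid place to deliver a token.
function weakIsAllowed(target) {
  try {
    return new URL(target).hostname.endsWith(".example-game.test");
  } catch {
    return false;
  }
}

// Strict: HTTPS only, no userinfo, no query or fragment, and the exact
// origin + path must be a registered callback.
function strictIsAllowed(target) {
  let u;
  try {
    u = new URL(target);
  } catch {
    return false;
  }
  if (u.protocol !== "https:") return false;
  if (u.username || u.password) return false;
  if (u.search || u.hash) return false;
  return ALLOWED_REDIRECTS.has(u.origin + u.pathname);
}

// Constructed sample redirect targets (not taken from any real traffic).
const SAMPLE_TARGETS = [
  "https://accounts.example-game.test/login/callback",
  "https://legacy-stats.example-game.test/page",
  "http://accounts.example-game.test/login/callback",
  "https://accounts.example-game.test/login/callback/../other",
  "https://accounts.example-game.test/login/callback?next=/page",
  "not a url",
];

function audit(targets) {
  return targets.map((t) => ({
    target: t, weak: weakIsAllowed(t), strict: strictIsAllowed(t),
  }));
}

console.table(audit(SAMPLE_TARGETS));
```

Every well-formed sample passes the sub-domain check, while only the first, a registered callback, passes the strict one.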
“We were made aware of the vulnerabilities and they were soon addressed,” Epic told Variety. “We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”
Epic fixed the exploit this month, so it’s unlikely that this particular avenue will be used again. Still, it’s important to never click account information links without double- and triple-checking that they’re legitimate.