A vulnerability in the hugely popular online game Fortnite, enjoyed by 80 million people worldwide, has been revealed that could compromise a user’s account, personal information and credit card details.
Researchers at Check Point Software revealed details of the vulnerabilities, which would give an attacker full access to a user’s account and even allow them to listen in on in-game chatter as well as conversations within the victim’s home.
This isn’t the first time the popular game has been targeted by scams. Previous threats put Fortnite’s in-game currency at risk.
In the past, players had also been tricked into logging into fake websites that could also generate V-Buck in-game currency without even handing over any login details.
Check Point Software researchers said the weakness existed in the Fortnite user login process.
Three vulnerabilities were found in Epic Games’ web infrastructure. Researchers were able to recreate the token-based authentication process used with Single Sign-On (SSO) systems including Facebook, Google and Xbox.
To become a victim, all players needed to do was click on a phishing link coming from an Epic Games domain.
If the link was clicked, the user’s Fortnite authentication token could be captured by the attacker without the user needing to enter login credentials.
Check Point notified Epic Games about the vulnerability, which has now been amended.
But users are advised to take care when exchanging information digitally, to be wary when engaging with others online and to check to see whether links are valid before clicking.
To minimise the threat, users are encouraged to set up two-factor authentication, which requires a security code sent to the user’s email address whenever they log in to their account from a new device.
“Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy,” said Oded Vanunu, head of products vulnerability research for Check Point.
“Together with the vulnerabilities we recently found in the platforms used by drone manufacturer DJI, show how susceptible cloud applications are to attacks and breaches.
“These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability.”