Epic Games login tokens were susceptible to theft, research shows

Artwork of the video game "Fortnite" (Epic Games)


Written by

Epic Games, best known for the mega-popular video game “Fortnite,” fixed a vulnerability in its web infrastructure that hackers could have abused to access user accounts, as evidenced by a report from cybersecurity firm Check Point published Wednesday.

The exploit involves phishing, but victims don’t need to be tricked into handing over credentials for it to work, the report shows. The bug only required that the targets visit a malicious link, where their login tokens could be leaked to the attackers.

This type of access could have allowed hackers to see victims’ personal information, listen to their in-game voice chat and purchase V-Bucks — the game’s virtual currency — with other players’ accounts, Check Point said.

Researchers said they found two old sub-domains belonging to Epic Games containing vulnerabilities that allowed for a malicious redirect attack. In a technical report, researchers describe how they were able to take control of these domains and use them to direct visitors’ traffic to another domain. If the victim is already logged in to Epic Games on that device, the attackers can siphon the token that keeps the account logged in, whether the user uses a traditional username and password login or single sign-on process (using Facebook, Google+, Facebook, PlayStation, Xbox or Nintendo account).

Because the attack uses a URL ending in “epicgames.com,” victims might not realize the link is spam.

“It means that I can exploit the user by putting legitimate links from Epic Games on every social media, on every phone, on every blog and say ‘Hey, this is free V-Bucks,’” Oded Vanunu, Check Point’s head of products vulnerability research, told CyberScoop.

Check Point says Epic Games resolved the flaw and there’s no direct evidence that this particular flaw was exploited outside of Check Point’s proof-of-concept. However, Vanunu noted that there have been reports of account takeovers with “Fortnite” players insisting that they never clicked on malicious links or got phished.

“It might be this flaw, it might be another flaw,” Vanunu said, in reference to these account takeover reports. “We just wanted to assure that the awareness would be there and put things on paper.”

An Epic Games spokesperson told CyberScoop: “We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”

Check Point says that enabling two-factor authentication could prevent this vulnerability from being used against someone. Incidentally, Epic Games has offered players a free “emote” (an in-game dance) if they enable 2FA since August.

“Fortnite” has been a dominant cultural phenomenon in the past year. It has had explosive success through its online battle royale mode, with Epic Games claiming about 80 million monthly players and a recent company valuation of $15 billion. The game is free to play, but players can pay to customize their characters by buying skins and dances.

Despite all this, Epic Games received an “F” from the Better Business Bureau because it reportedly failed to answer hundreds of complaints from users. The BBB says some of these complaints stem from unauthorized purchases, but it’s not clear if there’s a connection to Check Point’s findings.

When it comes to security, Epic Games has also been scrutinized for its decision to make the Android version of “Fortnite” downloadable only from its website and not the Google Play Store. Researchers have found fake “Fortnite” apps for Android that can install malware on a user’s phone.

“It’s a very sophisticated, very cool game. But it’s a game that cybercrime started to look for,” Vanunu said.

Vanunu said account takeover attacks like the one shown by Check Point are likely to continue being a problem for gamers because of the way online games are built now.

“Everything today is applications. Everything today is containers, APIs. Everything is connected into the cloud,” he said. “Fortnite is not a game. It’s a platform that serves millions of users.”

-In this Story-

access tokens, authentication, Check Point, Epic Games, Fortnite, video games, vulnerabilities