Vulnerability in Fortnite authentication system affects user accounts

Security investigators were able to steal access tokens attacking an Epic Games subdomain

According to network security and ethical hacking specialists from the International Institute of Cyber Security, a recently discovered vulnerability in the account authentication system of Epic Games for the popular videogame Fortnite left exposed the gamers’ accounts. According to reports, malicious users could have stolen login tokens; the attackers only needed the victims to click on a specially crafted link.

A cross-site scripting (XSS) attack, in conjunction with an invalidated subdomain, enabled cybersecurity experts to evade the protection measures implemented by the login control system used to access Fortnite.

“Single Sign-On (SSO) systems may be useful, but only while the platform accessed is not vulnerable”, as considered by network security experts. When properly implemented, user authentication passes into the hands of a third party developer, which authorizes access to the platform via a one-use token.

Researchers from a network security firm managed to exploit the vulnerability to request the single token on a second occasion and then redirect it to a compromised site, from where it could be stolen. The researchers concluded that Epic Games used an invalidated domain for their login page (accounts.epicgames.com), which could be redirected to another site. After redirecting the token to the vulnerable site, experts were able to steal it with a JavaScript code injection.

For the attack to succeed, the victim is required to click on a specially crafted phishing link. When the victim accesses Fortnite, the login page is redirected to the attacker’s website, where the token will be stolen. This attack may not be the most elaborated one, but attackers require certain technical expertise beyond those required to deploy phishing campaigns or brute force attacks.

As an attack of average complexity, the investigators do not rule out that the vulnerability has been exploited in the wild, although this is hardly verifiable. On the other hand, Epic Games issued a statement mentioning that the vulnerability was corrected in early December 2018, but omitted to mention whether there are any evidence that the bug has been exploited at some point.

Fortnite has become incredibly popular, with almost 80 million players a month, plus about 200 million players registered on the platform.