Check Point researchers have discovered multiple security vulnerabilities in Fortnite, a massively popular online battle game, one of which could have allowed remote attackers to completely takeover player accounts just by tricking users into clicking an unsuspectable link.
The reported Fortnite flaws include a SQL injection, cross-site scripting (XSS) bug, a web application firewall bypass issue, and most importantly an OAuth account takeover vulnerability.
Full account takeover could be a nightmare, especially for players of such a hugely popular online game that has been played by 80 million users worldwide, and when a good Fortnite account has been sold on eBay for over $50,000.
The Fortnite game lets its players log in to their accounts using third-party Single Sign-On (SSO) providers, such as Facebook, Google, Xbox, and PlayStation accounts.
According to the researchers, the combination of cross-site scripting (XSS) flaw and a malicious redirect issue on the Epic Games’ subdomains allowed attackers to steal users’ authentication token just by tricking them into clicking a specially crafted web link.
Once compromised, an attacker can then access players’ personal information, buy in-game virtual currencies, and purchase game equipment that would then be transferred to a separate account controlled by the attacker and resold.
images from Hacker News