Fortnite leaks gamers' credentials - Security

Fortnite is so big, criminals are now using it to launder stolen money

Check Point made a decision to probe Fortnite's web infrastructure because of the game's massive popularity and stories involving hackers allegedly circumventing Fortnite's security methods, said Vanunu.

Researchers at security firm Check Point Software used a vulnerability in the online game Fortnite to demonstrate how a security flaw could be used to steal a player's login details.

The vulnerability was discovered "the last few weeks", writes Check Point Research, and "a fix was responsibly deployed" by Epic Games after the company was notified.

Check Point said all that was required for the attack to be successful was for a victim to click on a malicious link sent to them by hackers.

Netflix claims roughly 139 million paying subscribers globally, while Fortnite has more 200 million registered users across PC, Xbox One, PlayStation 4, Nintendo Switch and mobile. According to a report, attackers would be able to take over users' accounts if the users clicked on phishing links sent to them via the platform's messaging system.

As such, Fortnite's security systems have been relentlessly poked and prodded by both the malicious and the benevolent, which brings us to a recent report from Check Point Research, who says that the login page on the Fortnite website has security weaknesses that can be used to intercept someone's password and username. "As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others".

First released in 2017 by American video game developers Epic Games, Fortnite is a free-to-play battle game available on a range of platforms and consoles.

Money launderers use stolen credit cards to purchase V-bucks - which players use to purchase weapons, outfits and other items in the wildly popular game - from the "Fortnite" store and then resell them on the dark web. These emotes are purchased with V-Bucks, which is a form of in-game currency that you can get by spending real money on Fortnite. Epic earns revenue through V-bucks microtransactions.

Check Point said "Needless to say that along with this massive invasion of privacy, the financial risks and potential for fraud is vast".

It turns out that when a player logs in to his account by clicking on the "Sign In" button, Epic Games generates a URL containing a "redirectedUrl" parameter. To make things even worse, the security exploit made it possible for third-party entities to access the token set on a player's device after finding out their account ID and passwords.

Related:

Comments

Latest news

12 killed in Zimbabwe crackdown - NGO
Photographs show a protester with a broken leg, another with a split lip, and others of protesters being arrested. More than 400 people arrested across the country have been denied bail, said Mawarire's lawyer, Beatrice Mtetwa.

Australian Open: Bernard Tomic calls Lleyton Hewitt a liar
Hewitt said he didn't feel threatened by Tomic's abuse but was frustrated after trying to help the world No.88 and one-time No.17. However at present there were " cultural standards " not being met that were preventing any imminent return.

Border Patrol Arrests 376 Who Dug Under Barrier in Arizona
Nearly all of the group was made up of families and unaccompanied minors primarily from Guatemala. During Monday's apprehension, only three agents were patrolling a 26-mile stretch of the border.

Ant and Dec reunite for auditions for Britain's Got Talent
In March McPartlin was arrested for drink-driving after he crashed his Mini Cooper into two cars in Richmond, Southwest London. Anthony McPartlin and his Britain's Got Talent co-star Declan Donnelly were all smiles as they reunited for the show on Friday.

Other news