Epic Games’ Fortnite video game has reached record-high popularity, not only in the battle royale genre but in the video game industry in general. Reaching over 200 million registered users in November 2018 and making a whopping $2.4 billion in profits,[2] it became a lucrative business not only for its developers, but also for malicious actors.

From fake Android versions, credit card fraud and hacking attempts to V-bucks generators that steal personal data, Fortnite has seen it all.[3] The most recent vulnerability was reported to Epic Games back in November 2018, and it was patched by the developer at the end of December.

Check Point researchers say the attack would be easy to execute

While previously hackers relied on fake websites that prompted users to enter their Fortnite login details, this flaw does not require the victim to provide any information at all. The vulnerability, found in some of the developer’s sub-domains, allows crooks to obtain the username and password for the account, and all the victim has to do is click on a link provided by the attackers. The analyzed domain was ut2004stats.epicgames.com, which is no longer available.

By abusing the flaw on the mentioned domain, security experts managed to launch a second-stage attack by using SSO-related tokens and taking over the account with the help of OAuth. Here’s how Check Point managed to achieve that:[1]

It turns out that when a player logs in to his account by clicking on the “Sign In” button, Epic Games generates a URL containing a “redirectedUrl” parameter. This parameter is later used by “accounts.epicgames.com” in order to redirect the player to his account page.
However, we soon found that it was possible to manipulate the redirect URL and direct the user to any web page within the “*.epicgames.com” domain. With the ability to control the “redirectedUrl” parameter, we could redirect the victim to ‘ut2004stats.epicgames.com’, a site that contained the XSS payload.
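The redirect check described in the quote, shown beside an exact-host allowlist, as an added example that is not Check Point's or Epic Games' code. The allowlisted host, the fallback URL and the sample URLs are constructed for illustration; the point is that a wildcard sub-domain check accepts every *.epicgames.com host, including the stats sub-domain named above, whereas an exact allowlist only accepts the hosts the login flow actually needs.

```python
from urllib.parse import urlsplit

# Constructed values for this example; they are not Epic Games' real configuration.
WILDCARD_DOMAIN = "epicgames.com"                      # what a "*.epicgames.com" check trusts
ALLOWED_HOSTS = frozenset({"accounts.epicgames.com"})  # hypothetical exact allowlist
FALLBACK = "https://accounts.epicgames.com/"           # used when the requested target is rejected

def _split(url: str):
    try:
        return urlsplit(url)
    except ValueError:  # malformed input such as an unbalanced IPv6 bracket
        return None

def weak_redirect_ok(url: str) -> bool:
    """The kind of check the article describes: any host under *.epicgames.com passes."""
    parts = _split(url)
    if parts is None or not parts.hostname:
        return False
    host = parts.hostname  # urlsplit already lowercases it and strips userinfo/port
    return host == WILDCARD_DOMAIN or host.endswith("." + WILDCARD_DOMAIN)

def strict_redirect_ok(url: str) -> bool:
    """Exact-host allowlist: https only, no userinfo, no explicit port, host must match exactly."""
    parts = _split(url)
    if parts is None or parts.scheme != "https":
        return False  # also rejects scheme-relative "//host/..." targets
    if parts.username is not None or parts.password is not None:
        return False  # e.g. https://accounts.epicgames.com@other.example/
    try:
        if parts.port is not None:
            return False
    except ValueError:  # non-numeric or out-of-range port
        return False
    return parts.hostname in ALLOWED_HOSTS

def safe_redirect_target(url: str) -> str:
    """Return the requested target if it passes the strict check, otherwise the fallback."""
    return url if strict_redirect_ok(url) else FALLBACK

if __name__ == "__main__":
    samples = [
        "https://accounts.epicgames.com/account",
        "https://ut2004stats.epicgames.com/stats?page=1",  # the sub-domain named in the article
        "https://accounts.epicgames.com@other.example/",
        "//ut2004stats.epicgames.com/",
        "https://evilepicgames.com/",
    ]
    for s in samples:
        print(f"{s:50} weak={weak_redirect_ok(s)!s:5} strict={strict_redirect_ok(s)}")
```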

Researchers warn that aggressive cyber attacks surrounding Fortnite will not stop

A full account takeover might be devastating for every gamer, as a well-developed account could cost up to $50,000 on eBay. Therefore, stealing such an account would be extremely profitable for the hacker.

Cybercrime related to Fortnite, such as the “free V-bucks, no human verification” scams, is not going away any time soon, as there is a lot of money to be made. Epic Games is trying to battle all the scams, account hacks and the malware that is trying to affect the game. Developers urge users to take some precautionary measures as soon as possible.
