Gamasutra: The Art & Business of Making Games

Epic fixes Fortnite security flaw which left all 200M+ players vulnerable

January 16, 2019 | By Emma Kidwell

It looks like Epic Games' Fortnite was host to a series of bugs (that have since been fixed) which, if exploited together, could have exposed the accounts of any of its 200 million players.

This isn't the first time Fortnite vulnerabilities have been exploited. Around this time last year, players noticed that hackers had been making fraudulent charges to their accounts after taking advantage of "well-known hacking techniques." 

As reported by Check Point, a cybersecurity firm, exploiting the flaws would have let an attacker steal the account access token set on the player's device once they entered their password. Once stolen, the access token could be used to impersonate the player and log in as the account holder without needing their password.

According to these researchers, the flaw lies in how Epic processes login requests. Hackers could send any user a special link that (on the surface) looks as if it came from Epic Games’ own domain. This in turn would allow a hacker to steal an access token needed to break into an account.

As for how the bug worked, the researchers say that after a user clicks on the link, which points to a sub-domain, the hacker would embed a link to malicious code on their own server by exploiting a cross-site weakness in the sub-domain.

Once clicked, with no need for the user to enter any login credentials, their Fortnite username and password could immediately be captured.

Epic has since fixed the vulnerability.

"We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention," said Epic in a statement. 

"As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others."

For a more detailed explanation of how the bugs worked, click here.
