Fortnite login flaw left millions of players exposed to hackers

Check Point researcher tells The Independent he believes it is entirely possible that these flaws could have already been exploited by hackers without victims even knowing

Anthony Cuthbertson

Wednesday 16 January 2019 13:03

✕

Fortnite Battle Royale: Giant purple cube baffles gameplayers

A major security flaw with the hugely popular game Fortnite left millions of players exposed to hackers, according to new research.

Cyber security firm Check Point discovered the vulnerability, which allowed people to steal the login credentials of Fortnite players without them even knowing about it.

For the attack to be successful, all the victim would have to do is click on a link shared via a chatbox on Fortnite or through social media. Once clicked, the hacker could gain access to a player’s username, password, V-bucks currency and any data stored on their account – without the victim even having to enter their login credentials.

The head of the Check Point research team believes it is entirely possible that these flaws could have already been exploited by hackers, despite no reported instances of attackers making use of the exploit.

This is because the method of intercepting the authentication credentials left very little trace. Before publishing the research the Check Point researchers contacted Fortnite developer Epic Games and the vulnerabilty has since been fixed.

“It is possible that the flaws we discovered could have already been exploited by hackers before they were responsibly closed by Epic Games,” Oded Vanunu, head of products vulnerability research for Check Point, told The Independent.

Gadget and tech news: In pictures

Show all 25

1/25Gadget and tech news: In pictures

Russia has launched a humanoid robot into space on a rocket bound for the International Space Station (ISS). The robot Fedor will spend 10 days aboard the ISS practising skills such as using tools to fix issues onboard. Russia's deputy prime minister Dmitry Rogozin has previously shared videos of Fedor handling and shooting guns at a firing range with deadly accuracy.

Dmitry Rogozin/Twitter

Google celebrates its 21st birthday on September 27. The The search engine was founded in September 1998 by two PhD students, Larry Page and Sergey Brin, in their dormitories at California’s Stanford University. Page and Brin chose the name google as it recalled the mathematic term 'googol', meaning 10 raised to the power of 100

Google

Chief engineer of LIFT aircraft Balazs Kerulo demonstrates the company's "Hexa" personal drone craft in Lago Vista, Texas on June 3 2019

Reuters

Microsoft announced Project Scarlett, the successor to the Xbox One, at E3 2019. The company said that the new console will be 4 times as powerful as the Xbox One and is slated for a release date of Christmas 2020

Getty

Apple has announced the new iPod Touch, the first new iPod in four years. The device will have the option of adding more storage, up to 256GB

Apple

Samsung will cancel orders of its Galaxy Fold phone at the end of May if the phone is not then ready for sale. The $2000 folding phone has been found to break easily with review copies being recalled after backlash

PA

Apple has cancelled its AirPower wireless charging mat, which was slated as a way to charge numerous apple products at once

AFP/Getty

India has claimed status as part of a "super league" of nations after shooting down a live satellite in a test of new missile technology

EPA

5G wireless internet is expected to launch in 2019, with the potential to reach speeds of 50mb/s

Getty

Uber has halted testing of driverless vehicles after a woman was killed by one of their cars in Tempe, Arizona. March 19 2018

Getty

A humanoid robot gestures during a demo at a stall in the Indian Machine Tools Expo, IMTEX/Tooltech 2017 held in Bangalore

Getty

A humanoid robot gestures during a demo at a stall in the Indian Machine Tools Expo, IMTEX/Tooltech 2017 held in Bangalore

Getty

Engineers test a four-metre-tall humanoid manned robot dubbed Method-2 in a lab of the Hankook Mirae Technology in Gunpo, south of Seoul, South Korea

Jung Yeon-Je/AFP/Getty

Engineers test a four-metre-tall humanoid manned robot dubbed Method-2 in a lab of the Hankook Mirae Technology in Gunpo, south of Seoul, South Korea

Jung Yeon-Je/AFP/Getty

The giant human-like robot bears a striking resemblance to the military robots starring in the movie 'Avatar' and is claimed as a world first by its creators from a South Korean robotic company

Jung Yeon-Je/AFP/Getty

Engineers test a four-metre-tall humanoid manned robot dubbed Method-2 in a lab of the Hankook Mirae Technology in Gunpo, south of Seoul, South Korea

Jung Yeon-Je/AFP/Getty

Waseda University's saxophonist robot WAS-5, developed by professor Atsuo Takanishi

Rex

Waseda University's saxophonist robot WAS-5, developed by professor Atsuo Takanishi and Kaptain Rock playing one string light saber guitar perform jam session

Rex

A test line of a new energy suspension railway resembling the giant panda is seen in Chengdu, Sichuan Province, China

Reuters

A test line of a new energy suspension railway, resembling a giant panda, is seen in Chengdu, Sichuan Province, China

Reuters

A concept car by Trumpchi from GAC Group is shown at the International Automobile Exhibition in Guangzhou, China

Rex

A Mirai fuel cell vehicle by Toyota is displayed at the International Automobile Exhibition in Guangzhou, China

Reuters

A visitor tries a Nissan VR experience at the International Automobile Exhibition in Guangzhou, China

Reuters

A man looks at an exhibit entitled 'Mimus' a giant industrial robot which has been reprogrammed to interact with humans during a photocall at the new Design Museum in South Kensington, London

Getty

A new Israeli Da-Vinci unmanned aerial vehicle manufactured by Elbit Systems is displayed during the 4th International conference on Home Land Security and Cyber in the Israeli coastal city of Tel Aviv

Getty

“Cloud platforms such as these are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold, so enforcing two-factor authentication should be done to mitigate these types of account takeover vulnerability.”

With more than 80 million players worldwide, Fortnite has become a popular target for cyber criminals over the last year.

Previous attacks have involved links offering free V-bucks that actually spread malware, as well as fake Android apps claiming to be the game itself.

The latest discovery was far more sophisticated and sinister, according to Check Point, and provided the ability for a “massive invasion of privacy.”

The researchers concluded their report: “The underlying takeaway... is to always be vigilant when receiving links send from unknown sources. After all, for the attack to be successful many phishing attacks do not require any further action from the user other than clicking on the link.”

Epic Games did not respond to a request for comment.

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies