Fortnite Bug Gave Player Account Access To Hackers
If you or your kids play Fortnite, you may want to check over recent credit card statements to make sure hackers didn't take advantage of a vulnerability in the game that granted unauthorized access to make in-game purchases.
The Duluth News Tribune reports Fortnite developer Epic Games admitted Wednesday of this week that user accounts may have been vulnerable due to a flaw in the game's login system. This flaw would allow hackers to impersonate account owners to purchase V-Bucks, the game's virtual currency, with the real owner's account. The Verge reports that these hackers could then gift V-Bucks to a different account.
Epic Games was made aware of the hack in November of 2018, and The Verge says Epic Games patched the vulnerability within a few weeks. The company did not reveal how many how many accounts were directly impacted by this vulnerability. As a safety measure, it may be a good idea to verify there were no unauthorized purchases made within the game before the patch was implemented toward the end of 2018.
Information security group Check Point Research discovered the bug, stating in a report that there were multiple vulnerabilities in the game's platform "that could have allowed a threat actor to take over the account of any game player, view their personal account information, purchase V-bucks, Fortnite’s virtual in-game currency and eavesdrop on and record players’ in-game chatter and background home conversations."
It was later clarified in a comment from Check Point Research to The Verge that hackers wouldn't be able to eavesdrop on a user, but "that the hacker could present themselves as the victim and talk to the player’s friends." This is because Fortnite doesn't allow a user to be signed in from more than one device. This means that individuals that may have been impacted by this hack may have tried to sign in to their account unsuccessfully if a hacker was signed into their account.
The Verge explains that the hack relied the game's single sign-on that uses providers like Facebook, Google, PlayStationNetwork, Xbox Live, and Nintendo to log into their account. In order for the hack to work, a user would need to click on a malicious link sent by hackers that would redirect the user to a page that would steal user login credentials.
As stated previously in this post, this particular hack was fixed, but security experts continue to warn users of the game to be vigilant. With the high popularity of this game, nefarious individuals will continue to try to take advantage of users. It was reported in The Independent on Monday of this week that stolen credit card information is being used to purchase V-Bucks, and then re-sell the V-Bucks to users at a discount to players as part of a money laundering scheme.
It is recommended that users should only use the official Fortnite store on their device, avoid sharing login credentials with others, avoid inputting login credentials on third party websites, and avoid clicking on questionable links where information could be harvested. Also, be wary of offers for free or discounted V-Bucks.