
Major bug in Fortnite gave hackers access to millions of player accounts, researchers say

The Washington Post | Wednesday, January 16, 2019 12:47 p.m.

If you or your child plays Fortnite, you might want to take a closer look at your recent credit card statements.

Epic Games, the maker of the hit online battle royale title, admitted Wednesday that a flaw in the game’s log-in system could have allowed hackers to impersonate real players and purchase in-game currency using the credit cards on file.

It’s unclear how many players may have been directly affected by the bug; Epic declined to comment on the scope of the vulnerability and said the matter has been addressed. But roughly 80 million people play Fortnite every month, and as many as 200 million users have registered accounts, the company has previously said.

“We encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others,” Epic said in a statement.

Epic’s admission follows a report by Check Point Research, an information security group, which said it privately notified Epic of the flaw after tests revealed it could lead to widespread fraud.

The bug worked by giving hackers the ability to steal pieces of code used to identify a player when he or she logs into the game using a third-party account such as Facebook or Xbox Live, the researchers said. Players could have been exposed to the flaw if they clicked a malicious phishing link designed to exploit the vulnerability. Along with their report, the group also published a YouTube video explaining the research.

After using these security tokens to access a player’s account in Fortnite, hackers could then take actions such as buying in-game currency, according to the report. The report also said, but Epic did not confirm, that hackers could have eavesdropped on players’ conversations in the game’s voice chat.

The enormous popularity of Fortnite makes it a juicy target for hackers, experts say. Check Point did not disclose how long the vulnerability may have existed, nor whether hackers could have siphoned their ill-gotten rewards out of player accounts. But the possibility of a breach affecting the equivalent of two-thirds the U.S. population is a serious risk, the group said.

“Fortnite is one of the most popular games played mainly by kids,” Oded Vanunu, Check Point’s head of products vulnerability research, said in a statement. “These flaws provided the ability for a massive invasion of privacy.”
