Jason Nurse comments on Fortnite's security flaws
21 January 2019
Dr Jason Nurse from the School of Computing Cyber Security Research Group commented in an article in Wired on security issues with Fortnite.
A security flaw spotted in Fortnite means hackers could have allowed gamers’ login details to be compromised. But developer Epic Games didn’t even respond to the researchers who uncovered the vulnerability which affects the game’s 125 million players.
Security researchers at Check Point Software have revealed they uncovered a vulnerability in the massively popular game’s login system, which could have let attackers takeover an account by tricking players into clicking a link offering V-Bucks, Fortnite’s in-game currency. With account access, hackers could buy more V-Bucks and spend it in-game, passing the loot on to other players, as well as viewing user data including contacts, and listen in on conversations held while playing.
The attack makes use of a set of vulnerabilities in Fortnite’s login process but doesn’t steal players’ passwords. Instead, it nabs the single sign-on (SSO) token used for authentication, such as when you login via Facebook or Google accounts to play the game. Check Point found a flaw in the Epic Games login page that allowed for redirections to another Epic sub-domain, which could be hacked using a cross-site scripting flaw, giving attackers the ability to load a script to make a second request to resend the token, when it would be collected.
“The problem is implementation,” says Oded Vanunu, head of products vulnerability research for Check Point. “I’m changing the [player] to my server, then I’m getting the tokens, and them I’m sending you back to Epic — this implementation should not be happening.”
For the attack to work, hackers would need to create a phishing link, perhaps promising free V-Bucks, and send it to players either via social media or in the game. If players click on the link, the attackers could nab their authentication token, gaining access to their account. Such a simple attack could be effective, says Vanunu, as VBucks are expensive and all-but-necessary for full enjoyment of the game, but also because plenty of players are children.
While advanced Fortnite accounts can be worth hundreds of pounds, because this attack doesn’t leak players’ passwords and Epic requires entering the existing credential to change a password, it should make it harder to wholly steal and sell accounts with this process. That said, hackers could run up bills on credit cards saved to the account and snoop on private data and chats. There is no evidence that the hack was used by criminals.
“We were made aware of the vulnerabilities and they were soon addressed,” an Epic spokesperson said. “We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.
It’s true that the flaw is now fixed, but Epic Games didn’t react as expected, says Vanunu. Check Point approached Epic with the flaw at the beginning of November, he said, and the developer acknowledged the message was received two days later. Another couple of days passed, and Vanunu sent a follow up asking for a status update when the flaw would be patched and confirmation it was being addressed. “Then, they disconnected and stopped communicating with us,” he says. “We tried to do follow-up and follow-up and follow-up, and they didn’t comment.”
Check Point then started to watch the flaw, to see if and when it was fixed. At the end of December, it was. “We saw that this thing was terminated, and that Fortnite are not communicating with us anymore,” Vanunu says. “So we can go with this and show it to the public. Then we started to share it with the media before publication.”
“Two days ago, magic happened and we got an email from Epic,” Vanunu said, describing Epic as claiming the email fell between the cracks. Asked about this version of events, a spokesperson for Epic Games said the company didn’t have any additional comment.
Vanunu said he expected better from the company, with similar reports to companies like Facebook earning a response within hours. “I was disappointed by the communication with Fortnite,” he says. “It’s a shared responsibility, we are not looking for bounties… we want to make this better and secure.”
With 125m users, security is serious, making Fortnite’s attitude “unfortunate”, says Jason Nurse, assistant professor in cybersecurity at the University of Kent. “Security researchers serve a key function in today's environment as they help to find and resolve security flaws, bugs and unforeseen issues,” he says.
And Fortnite’s popularity will continue to attract hackers, Nurse says, pointing to a rise in attacks such as imposter apps that spread malware and stolen accounts being sold online. “The reality is that cyber criminals are attracted to areas, products and services where there is money to be made and where there are masses of individuals, especially vulnerable ones — including children [and] the elderly,” Nurse says. “Fortnite provides a perfect mix of these factors.”
Epic’s apparent attitude to Check Point’s assistance may seem surprising, but there’s potentially some left over tension after Google and Epic had a public spat in 2018. In August, Epic Games released an installer for the game bypassing Google’s official Play store for Android, requiring players to sideload the app and raising concerns from security experts.
Google’s own researchers swiftly spotted a flaw in the installer that could allow hackers to install dodgy software alongside the game, sparking a row between the companies by publishing the details sooner than Epic would have liked, but after the developer was notified and a patch was available.
“While it's impossible to know what's really going on, there might well be some left over 'tension' here between Fortnite and security researchers,” Nurse says. “It was not too long ago that Fortnite criticised Google's security researchers for disclosing a security flaw in Fortnite too soon, according to Epic Games.”
There are other ways Fortnite players can avoid flaws such as the one spotted by Check Point being used against them or their children.
As ever, never click any link from an unknown origin, and teach any children in your life to do the same – especially if an offer sounds too good to be true. Also, sign up for two-factor authentication, which is offered by Epic Games but isn’t turned on by default, though Epic is actively encouraging Fortnite players to enable 2FA by offering free prizes including the “Boogiedown Emote”, 50 Armory Slots, 10 Backpack Slots, and one “legendary troll stash llama”. Security boost and a stash llama – what more could any Fortnite player want?