On Wednesday, Epic Games, the creator of the massive hit Fortnite, admitted that, because of a flaw in the game’s log-in system, hackers could penetrate the game and buy in-game currency.
By utilizing credit cards on file, the hackers “could then have siphoned off those purchases from hijacked accounts into other accounts they controlled, according to security researchers,” as The Washington Post reported.
Although there was no word from Epic Games as to how many players could have been affected, tens of millions of people play the game monthly. Epic released a statement asserting, “We encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”
Check Point Research reported, “These scams previously took the role of deceiving players into logging into fake websites that promised to generate Fortnite’s ‘V-Buck’ in-game currency, a commodity that can usually only be acquired through the official Fortnite store or by earning them in the game itself. These sites prompt players to enter their game login credentials, as well as personal information like name, address and credit card details and are spread via social media campaigns that claim players can ‘earn easy cash’ and ‘make quick money.’”
But Check Point added that the attack found in its own research did not need the user’s login information. Instead, within the game’s sub-domains, “an XSS attack was permissible with the user merely needing to click on a link sent to them by the attacker. Once clicked, with no need even for them to enter any login credentials, their Fortnite username and password could immediately be captured by the attacker.”
SixGill, a cyber intelligence firm, echoed, “Fortnite’s format and popularity have drawn the attention of cybercriminals, and resulted in a thriving criminal eco-system around the game. As the game’s popularity increases and the financial system around it becomes more diverse, fraud involving games such as Fortnite is likely to become more prevalent.”
Epic spokesman Nick Chester said that a claim that hackers could eavesdrop on conversations was false, stating, “Bad actors/hackers were not able to eavesdrop on conversations as is suggested here. This is not in any way factual.”
Oded Vanunu, Check Point’s head of products vulnerability research, acknowledged, “The chain of the vulnerabilities within the log-in flow provide[d] the hacker the ability to take full control of the account. … Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy.”
CNET reported that Fortnite helped Epic Games earn $2.4 billion in revenue in 2018, according to SuperData. CNET added, “The shooter game has made a major impact in the free-to-play market because Fortnite’s battle passes — a limited-time in-game purchase that lets players earn digital items by completing challenges — are regularly purchased by 34 percent of Fortnite players, SuperData said. Nexon’s Dungeon Fighter Online came in second with $1.5 billion in revenue. Riot Games and Tencent’s League of Legends took third with $1.4 billion.”