Middleman Vulnerability Handed Hackers Fortnite Accounts

Epic Games’ massively popular Fortnite is a natural target for hackers, and one particularly devious exploit that was found by Check Point Research and subsequently patched allowed hackers to glean players’ account details undetected through a middleman attack of sorts. Players were required to do nothing more than click on a link sent to them by the hackers, and the attack would then take advantage of Fortnite’s cross-platform multi-login capabilities to grab a player’s details in transit to the legitimate server.

Once the compromised details were in hackers’ hands, they could not only get into players’ accounts to make fraudulent V-Bucks purchases or transfer existing V-Bucks to mule accounts, but could even hop on in other platforms at the same time as the player, and eavesdrop on in-game and background conversations. In essence, the hack gave outside parties full and complete control of unsuspecting players’ Epic Games accounts through Fortnite, and any payment methods associated.

Background: The vulnerability in question was found back at the tail end of 2018, and though it was massive in scale and scope, it could only affect accounts that did not have two-factor authentication enabled. The attack was aimed at some of the subdomains that Fortnite used in its login processes. So long as a player was logged in on a given device, all a hacker had to do was send the player a link, and once that link was clicked, they had the player’s login information.

From there, they had full control of the account. This meant that they could very easily transfer resources around, monitor the player in question, make bogus transactions with linked payment methods, or even lock the player out of their account entirely. The rather vicious exploit has since been patched, but its seemingly innocuous nature made it exceedingly difficult for players to tell that they were falling victim.

One of the more important details in the whole saga was the fact that the exploit could only affect accounts that had not enabled two-factor authentication. Even if hackers got Epic Games account information, that did not give them access to linked email addresses, and obviously didn’t give them the physical access to players’ smartphones needed to get past two-factor authentication through Epic Games’ authentication app. In fact, a login attempt on a two-factor enabled account would alert the player to the heinous act, drawing attention to the hackers.

Impact: Since the hack has been patched up, players need not worry now. Those who were affected have little recourse at this point, unfortunately, save for what Epic Games can do for them. Any app or game as complex and server-heavy as Fortnite is bound to have more vulnerabilities, of course, simply lying in wait for hackers to find and exploit.

The lesson to learn here is to always use two-factor authentication when it’s available, and to change your passwords regularly just in case such an attack nabs your info and you’re left in the dark. That’s no guarantee of safety, of course, as exploits get more and more complex and sinister. It is an added layer of protection, and will ensure that something as simple as a login info grabber won’t manage to get into your account.

Copyright ©2019 Android Headlines. All Rights Reserved
This post may contain affiliate links. See our privacy policy for more information.
You May Like These
More Like This:
About the Author
2018/10/Daniel-Fuller-2018.jpg

Daniel Fuller

Senior Staff Writer
Daniel has been writing for Android Headlines since 2015, and is one of the site's Senior Staff Writers. He's been living the Android life since 2010, and has been interested in technology of all sorts since childhood. His personal, educational and professional backgrounds in computer science, gaming, literature, and music leave him uniquely equipped to handle a wide range of news topics for the site. These include the likes of machine learning, voice assistants, AI technology development, and hot gaming news in the Android world. Contact him at [email protected]
Android Headlines We Are Hiring Apply Now