A series of vulnerabilities in the hugely popular online survival game Fortnite could have allowed malicious actors to take over players’ accounts, prompting developer Epic Games to fix the issues before a major incident transpired, according to researchers who discovered the program.
Had the flaws been exploited, attackers could have victimized gamers by viewing their account information, purchase the in-game currency known as V-bucks or even record players’ chats and background home conversations, Check Point Software Technologies researchers Alon Boxiner, Eran Vaknin and Oded Vanunu revealed today in a new report.
Unlike other recent malicious Fortnite campaigns, a scam using these vulnerabilities would not have required fooling victims into entering their account information into a phishing page, the report explains. Instead, the attackers could have captured users’ credentials simply by tricking them into clicking a link, with no further interaction needed.
The main source of trouble was a web page with an old Fortnite sub-domain that was determined to be susceptible to SQL injection attacks via cross-site scripting (XSS). Additionally, the researchers found that Fortnite’s single sign-on (SSO) mechanism for game authentication used a redirect URL parameter that could have been manipulated to redirect users to any web page featuring the *.epicgames.com domain, including the aforementioned page containing the XSS vulnerability.
Had attackers sabotaged that page with an XSS payload designed to interact with the SSO, they could have then initiated a fraudulent authentication and hijacked the redirected user’s account. The researchers testing this technique initially found that Epic Games’ web application firewall solution blocked such an action, but they soon realized they could bypass the WAF by replacing the script source URL with a shortened URL.
Because the Fortnite SSO feature is generic in nature, the attack technique would have presumably worked across multiple platforms, including the PlayStation Network, Xbox Live, Nintendo, Facebook and Google+.
“We were made aware of the vulnerabilities and they were soon addressed,” an Epic Games spokesperson told SC Media. “We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”
“In the case of Epic Games, successful harvesting of the SSO access token demonstrates how a single application vulnerability is rarely the cause of an account being compromised or a data breach. In the proof of concept, we see SQL injection, cross-site scripting, and the bypass of a web application firewall were all part of the attack chain,” said Tim Mackey, technical evangelist at Synopsys,” in emailed comments. “SQL Injection and XSS are perennial items on the OWASP Top 10. While a WAF was present, it’s bypass clearly demonstrates how a WAF alone can’t protect an application without application specific knowledge. Importantly, that underlying application issues like SQL Injection and XSS weren’t resolved in code, but instead a WAF was employed as a primary defense mechanism should raise alarm bells within Epic Games.”