Vulnerabilities Discovered in Fortnite Expose Players to Account Takeover Risks
Research teams at Check Point have identified a series of critical security vulnerabilities within Fortnite, the globally popular online battle royale game, which could potentially allow remote attackers to seize player accounts merely by convincing users to click on deceptive links.
Among the reported vulnerabilities are SQL injection flaws, cross-site scripting (XSS) issues, and a web application firewall bypass. Most alarming of all is an OAuth vulnerability that poses a significant threat to account integrity. The repercussions of a full account takeover can be severe, particularly given Fortnite’s massive player base of 80 million users, with accounts reportedly fetching prices of up to $50,000 on resale platforms.
Players often utilize third-party Single Sign-On (SSO) options to log into their Fortnite accounts, leveraging services from well-known providers such as Facebook, Google, Xbox, and PlayStation. This convenience, unfortunately, also opens avenues for exploitation.
Check Point researchers have explained that a combination of XSS vulnerabilities and a malicious redirect concern on Epic Games’ subdomains could enable attackers to harvest users’ authentication tokens. By simply luring victims into clicking a specially crafted link, adversaries could gain access to personal data, effectively allowing them to purchase in-game currencies and items, which would then be channeled to accounts controlled by the attackers, potentially leading to monetary profits.
Concerns extend to financial transactions, as affected users could witness unauthorized in-game currency purchases on their credit cards, with attackers converting virtual assets into real cash. According to Check Point’s blog, similar scams have already emerged, taking advantage of Fortnite’s popularity.
Additionally, attackers could access a player’s in-game contacts and discussions, which raises serious privacy concerns for users who may have shared sensitive information during gameplay.
Check Point also identified a specific SQL injection vulnerability in Epic Games’ infrastructure that may lead to database version exposure. Furthermore, researchers successfully bypassed a misconfigured web application firewall, enabling the execution of an XSS attack on the user login process.
Following these findings, Check Point promptly alerted Epic Games, which addressed the vulnerabilities in mid-December. Both companies emphasize the importance of user vigilance when exchanging information online, advising players to scrutinize the legitimacy of links found on Fortnite forums and sites.
To fortify their accounts against potential breaches, players are encouraged to activate two-factor authentication (2FA), which requires users to input a security code sent to their email during the login process.
In summary, these vulnerabilities underscore the growing risks in digital gaming environments, where sophisticated tactics could allow adversaries to execute initial access techniques, privilege escalation, and persistence—highlighted in the MITRE ATT&CK framework. As cyber threats evolve, both players and developers must remain proactive in securing their digital interactions.