Fortnite Left Players Open to Account Hijacking, Voice Chat Eavesdropping

Fortnite Left Players Open to Account Hijacking, Voice Chat Eavesdropping

Now that it’s the most popular game in the world, Fortnite has become a target for both lawsuits and hackers. Security firm Check Point Software says Fortnite developer Epic Games had a major vulnerability in its system that could have allowed an attacker to play as the victim, purchase items, and even listen to the player’s microphone.

The vulnerability, which Epic Games confirms it has fixed, is part of its website rather than the game client itself. Like many hacks, it begins with getting the target to click on a malicious link. The attacker’s site doesn’t have to deposit any malware on the system, though. All it has to do is copy the Fortnite login token.

When you’re logged into an online service, your computer most likely has a token that tells the page you are logged in. However, Epic’s account pages are not validated. That means a third-party site like the one designed by Check Point Software can access it. Check Point used a bit of custom JavaScript code to grab the token of any Fortnite players who landed on the page. You can see the hack in action below.

With the login token, it’s a simple matter to launch Fortnite with the victim’s profile. The server sees the hacker’s computer as the same session that was open when the victim clicked on the malicious link. The hacker essentially is you on Fortnite, which gives them a great deal of control.

With access to a Fortnite account, the attacker can spend lavishly on virtual currency to drain your bank account. They can also play the game as you, but that would only cause you grief if they were particularly bad at the game or misbehaved in order to get you banned. Since Fortnite thinks the attacker is you, they also would have access to your voice chat content. That includes the ability to listen in on conversations you’re having via the microphone.

This is not the first time Epic had an embarrassing lapse in security. Shortly after it launched its Android build outside the Play Store, Google noted that the Fortnite installer app could be tricked into loading malware instead of the game. The developer has fixed the hole that allowed extraction of the login token. It also points out all gamers should have two-factor authentication turned on for their accounts.

Continue reading

Epic’s New MetaHuman Creator Generates Digital Characters that Avoid the Uncanny Valley
Epic’s New MetaHuman Creator Generates Digital Characters that Avoid the Uncanny Valley

The company's new MetaHuman engine promises to deliver photorealistic digital characters in a snap, and you can check out a demo right now.

SpaceX, NASA Sign Agreement to Avoid Space Collisions
SpaceX, NASA Sign Agreement to Avoid Space Collisions

SpaceX now has more than 1,000 Starlink nodes around Earth, and NASA has announced an agreement that will ensure those satellites don't get in the way of any of its missions.

How USB Charging Works, or How to Avoid Blowing Up Your Phone
How USB Charging Works, or How to Avoid Blowing Up Your Phone

If you take a phone that came with a 900mA wall charger and plug it into a 2,100mA iPad charger, will it explode?

Twitter’s Internal Research Confirms Its Algorithm Favors Right-Wing Voices
Twitter’s Internal Research Confirms Its Algorithm Favors Right-Wing Voices

In recent years, conservative politicians and activists have railed against "cancel culture", claiming Twitter and other social media outlets are biased against them—hence, the existence of right-wing alternatives like Gab, Parler, and Trump's new Truth Social. Twitter has just published some internal research that suggests the opposite. According to the paper, its algorithm actually favors right-wing voices.