Fortnite is an extremely popular video game developed
by Epic Games. It is played online with other players, and there are more than
80M users across the world. In this game, as with many others, the goal is to
stay alive and survive.
Issue
Given how widely the game is played, it should have gone through
thorough security testing. It appears this was not the case, as a
security flaw left Fortnite users vulnerable. The flaw allowed
users to be recorded during play without their knowledge, and allowed access to other
sensitive data. The issue was discovered by Check Point in November 2018.
Operation
The attackers appear to have leveraged an insecure webpage
created by Epic Games in 2004. They sent phishing emails to Fortnite users
using this old website. The phishing emails did appear to be from Epic.
The attackers made it very easy for the users, in that all the targets had to
do was click a link. This would give the attackers access to the user’s
account. It did not require the user to log in. This was done through the
tried and true XSS (cross-site scripting) attack.
Effects
When exploited, this vulnerability allowed the attackers to:
a) Take over the Fortnite accounts,
b) Make unauthorized purchases with the user’s in-game virtual currency,
c) Eavesdrop on and record the player’s chat.
This may have also exposed the users’ credit card data and
other personal information. Due to this, complaints were filed with the Better
Business Bureau. The users alleged Epic Games did not protect their data.
Remediation
Epic Games took down the 2004 website which caused these
issues. The company also recommended that players not reuse passwords, use
strong passwords, and not share account information with others, all basic
security recommendations.
Lessons Learned
Our environment is not static; it changes all too often.
We need to monitor it frequently to check for issues and updates. A company
needs to know its web apps and endpoints, and scan them periodically.