The massively popular battle royale game Fortnite was discovered to have a security vulnerability that allowed hackers to access user accounts via a suspicious link. Epic Games was notified of this in November 2018, and the bug was fixed, according to Check Point Research.
Epic Games’ Single Sign-On implementation leads to a redirect URL whenever a player signs in using Facebook, Google, PlayStation Network, Xbox Live or Nintendo Switch Online. Hackers can exploit the redirect URL and gleam login details from a victim. From that point, all the hacker needs to do is to convince a victim to click on a suspicious link.
And since only one login is allowed at a time, this means that the original account owners are locked out for as long as the hackers hang on to the compromised account. Hackers can then use the hacked accounts to buy V-Bucks, and then gift it to their own accounts or resell them elsewhere.
In a statement to The Verge, Epic Games said that it was made aware of the vulnerabilities, and that it had addressed the issue.
“We thanks Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not reusing passwords and using strong passwords, and not sharing account information with others.”