Security firm Check Point Software, which announced its discovery of the vulnerability on Wednesday, said it had notified Fortnite’s developer, Epic Games, in November. Epic Games appears to have fixed the flaw in late December, said Oded Vanunu, Check Point’s head of products and vulnerability research.
Epic Games declined to comment on whether any user accounts were compromised because of the security flaw. The company is based in North Carolina, where state laws require “businesses and state and local government to notify people when there is a security breach involving their personal identifying information.” The state’s laws define a security breach as the “unauthorized release of unencrypted or unredacted records or data containing personal information with corresponding names, such as a person’s first initial and last name.”
“We were made aware of the vulnerabilities and they were soon addressed,” an Epic Games spokesperson said in a statement. “We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”
Check Point decided to probe Fortnite’s web infrastructure because of the game’s massive popularity and stories involving hackers allegedly circumventing Fortnite’s security methods, said Vanunu. In December, for instance, the BBC talked to roughly 20 hackers who claimed to have stolen the accounts of real-life Fortnite users in order to resell the accounts to others.
The Fortnite security flaw involves people accessing their Fortnite accounts using their login information for other services like Facebook, Sony’s PlayStation Network, and Microsoft’s Xbox Live. Although Check Point’s research highlighted Facebook, the company said the same process likely applies to the other single sign-on providers Fortnite supports.
When people use their Facebook accounts to log into Fortnite, their browser is issued a security token and is then sent on to the Fortnite account page by way of a redirect link; the token travels along with that redirect. However, the Check Point researchers noticed that they could tamper with that redirect link so that, instead of pointing people to their account page, it sent them (and the token) to older Epic Games websites, or subdomains, that held player statistics from other video games and online tournaments.
These older Epic Games sites also contained a security flaw that, when exploited, let an attacker retrieve the token a victim received when logging into Fortnite through Facebook. Because the token stands in for the login itself, an attacker holding it could access the victim’s account without ever learning the password, which is why the redirect check, not the user’s password habits, was the control that failed here.
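To make the two steps above concrete, the following is an added, illustrative example written for this article; it is not Check Point’s research code and not Epic’s implementation. It models a hypothetical single sign-on callback for a fictional site (`example-game.com`, `accounts.example-game.com`, `old-stats.example-game.com` are invented names) with two versions of the redirect check: a weak one that accepts any subdomain of the parent domain, so a stale subdomain is a valid destination and the token is delivered there, and a strict one that only accepts an exact, registered callback URL.

```python
from typing import Callable, Optional
from urllib.parse import urlparse, urlencode, parse_qs

# Hypothetical SSO configuration for a fictional game site. None of these
# names are Epic's; the page does not give the real callback or allowlist.
PARENT_DOMAIN = "example-game.com"
REGISTERED_CALLBACKS = {"https://accounts.example-game.com/sso/callback"}


def is_allowed_redirect_weak(url: str) -> bool:
    """Vulnerable check: any host under the parent domain passes.

    An abandoned subdomain is still a subdomain, so an attacker can point
    the SSO flow at it and have the token delivered to whatever runs there.
    """
    host = (urlparse(url).hostname or "").lower()
    return host == PARENT_DOMAIN or host.endswith("." + PARENT_DOMAIN)


def is_allowed_redirect_strict(url: str) -> bool:
    """Hardened check: exact match against registered callbacks, https only,
    and no query string or fragment that could smuggle extra parameters."""
    p = urlparse(url)
    if p.scheme != "https" or p.query or p.fragment or p.params:
        return False
    return f"{p.scheme}://{p.netloc}{p.path}" in REGISTERED_CALLBACKS


def complete_sso_login(
    token: str, requested_redirect: str, validator: Callable[[str], bool]
) -> Optional[str]:
    """Model of the callback step after the social login succeeds: the user
    is sent to `requested_redirect` with the token attached.

    Returns the Location the browser would follow, or None if refused.
    """
    if not validator(requested_redirect):
        return None
    sep = "&" if urlparse(requested_redirect).query else "?"
    return f"{requested_redirect}{sep}{urlencode({'token': token})}"


def token_visible_at(location: str) -> Optional[str]:
    """What any page served at `location` (or any script it loads) can read
    from the URL once the redirect lands. This is the attacker's view."""
    q = parse_qs(urlparse(location).query)
    return q.get("token", [None])[0]


if __name__ == "__main__":
    token = "sso-token-constructed-for-demo"  # constructed value, not a real token
    legit = "https://accounts.example-game.com/sso/callback"
    stale = "https://old-stats.example-game.com/"  # hypothetical abandoned subdomain
    checks = (("weak", is_allowed_redirect_weak), ("strict", is_allowed_redirect_strict))
    for name, validator in checks:
        for target in (legit, stale):
            loc = complete_sso_login(token, target, validator)
            outcome = "refused" if loc is None else f"token visible: {token_visible_at(loc)}"
            print(f"{name:6} -> {target}: {outcome}")
```

Run as a script, the weak check hands the token to the stale subdomain while the strict check refuses it; the legitimate callback passes both. The strict version rejects anything but an exact registered URL, which is the standard way to close the class of bug described above.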