Check Point researchers found a bug in the account authentication process of Fortnite, the massively popular online battle game, that allowed players' accounts to be taken over. A hacker could have stolen login tokens just by duping the victim into clicking a link shared over WhatsApp or any other social channel.
Chaining an unvalidated subdomain with a cross-site scripting (XSS) bug made it possible to load JavaScript that bypassed the protections implemented by the single sign-on (SSO) access control mechanism used for logging into a Fortnite account and, most importantly, the OAuth login for that account.
According to the Check Point researchers, the cross-site scripting (XSS) bug and a malicious redirect issue on Epic Games’ subdomains allowed attackers to hijack users’ authentication tokens simply by duping them into clicking a specially crafted web link.
Single Sign-On (SSO) shifts authentication to a trusted third party such as Google, Facebook, Xbox or PlayStation, which authorizes access to the resource with an access token.
Fortnite Bug Let Hackers Take Over Gamers’ Accounts
The Fortnite login page, accounts.epicgames.com, relied on an unvalidated domain, so a login could be redirected to another online location and used to hijack accounts.
Epic Games’ request to their server, along with the attacker’s “crafted state” parameters received from the single sign-on (SSO)
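As an added example (not code from Check Point or Epic Games), the following JavaScript contrasts a loose parent-domain check with an exact-match allowlist for the login redirect target. The page says only that the domain was unvalidated; the loose check is a hypothetical partial fix that would still hand a token to a host such as ut2004stats.epicgames.com, and the allowlist contents, function names and fallback URL are assumptions.

```javascript
// Added example: exact-match allowlist for the post-login redirect target.
// ALLOWED_HOSTS and FALLBACK are assumptions, not Epic Games' configuration.
const ALLOWED_HOSTS = new Set(["accounts.epicgames.com", "www.epicgames.com"]);
const FALLBACK = "https://accounts.epicgames.com/";

// Hypothetical loose check: trusts every host under the parent domain, so a
// forgotten subdomain with an XSS bug can still receive the login token.
function looseRedirectOk(target) {
  try {
    const host = new URL(target).hostname;
    return host === "epicgames.com" || host.endsWith(".epicgames.com");
  } catch {
    return false;
  }
}

// Hardened check: absolute https URL, no userinfo, default port, exact host.
function strictRedirectOk(target) {
  let url;
  try {
    url = new URL(target); // throws on relative or malformed input
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;
  if (url.username !== "" || url.password !== "") return false;
  if (url.port !== "") return false;
  return ALLOWED_HOSTS.has(url.hostname);
}

// Return the normalized target when allowed, otherwise a fixed safe page.
function resolveRedirect(target) {
  return strictRedirectOk(target) ? new URL(target).href : FALLBACK;
}

// Constructed sample inputs (not taken from the research).
const samples = [
  "https://accounts.epicgames.com/account",
  "https://ut2004stats.epicgames.com/index.php",
  "https://accounts.epicgames.com@example.net/",
  "http://accounts.epicgames.com/",
  "/account",
];
for (const s of samples) {
  console.log(s, "loose:", looseRedirectOk(s), "strict:", strictRedirectOk(s));
}
```

Only the first sample passes the strict check; the second passes the loose check alone, which is why the allowlist compares full host names rather than a domain suffix.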
Check Point has released a video showing the exact steps of the attack and how easy it would have been to trick a Fortnite user into clicking the wrong link. The original research is available from Check Point.
Fortnite is hugely popular, with at least 80 million monthly players, while statistics point to nearly 250 million registered users.
Bypassing the WAF
When the XSS payload was executed, the WAF took effect and told us that the request was forbidden. Apparently, the only issue was the length of the script source URL, so we simply bypassed it by using a shortened URL.
Now that we had the XSS, we could load our own JavaScript which, in turn, would be executed in the context of “ut2004stats.epicgames.com”. [Source: Check Point]
According to Check Point, researchers notified Epic Games, Fortnite’s developer, of the vulnerabilities, which the company fixed in mid-December.
The Fortnite developer also advises players to enable two-factor authentication (2FA), which prompts users to enter a security code sent to their email when logging into their Fortnite game account.