Checkpoint researchers found a bug to Fortnite Accounts Hacked‘, the account authentication process for the massively popular online battle game players accounts hacks to takeover. Hacker could have stolen login tokens by just duping the victim into clicking a WhatsApp and any social sharing link.

The sequence of an unvalidated subdomain and cross-site scripting (XSS) bug to load a JavaScript that would make allowed to bypass the protections implemented by the single sign-on (SSO) access control mechanism used for logging into Fortnite access account and most importantly an OAuth account to Fortnite Accounts Hacked.

According to the Checkpoint researchers, the cross-site scripting (XSS) bug and a malicious direct redirect issue on the Epic Games’ subdomains allowed attackers to hijack users’ authentication token simply by dumping them into clicking an especially web link.

Single Sign-On (SSO) shifts the authentication engagement to a trusted third party like (Google, Facebook, X-Box, PlayStation), which authorizes access to the resource with the access token. Fortnite Accounts Hacked

Fortnite Bug Hacker Takeover Your Gamers’ Accounts

The Fortnite user used an unvalidated domain for the login page accounts.epicgames.com, which could be redirected to another online location to hacked Accounts.

Epic Games’ request to their server, along with the attacker’s “crafted state” parameters received from the single sign-on (SSO)

CheckPoint has released a video showing the exact steps of the attack and how easy it would have been to trick a Fortnite user into clicking the wrong link. The original research is available Checkpoint