Researchers at Tel Aviv-based cybersecurity company Check Point have identified numerous vulnerabilities within the online infrastructure of Epic Games, allowing them to obtain authentication tokens for user accounts in the game Fortnite.

Fortnite, created by video game developer Epic Games, has experienced two remarkable years of growth. Played by over 75 million people last year, the game is estimated to have made over £1.5 billion in merchandise and in-game purchases in 2018 alone.

However, this popularity has made it a target for threat actors hoping to cash in on its success. Many users have had their accounts taken over and sold off for the valuable cosmetic items they have purchased in-game.

Check Point discovered vulnerabilities within Epic Games’ web infrastructure that allow an attacker to run a phishing campaign exploiting a weak link in the login system: the sign-in redirect can be pointed at an old, unused sub-domain hosting a malicious JavaScript payload.

That JavaScript then makes a secondary request to a single sign-on (SSO) provider such as Google or Facebook for an authentication token. With this token Check Point were able to gain full access to the user’s account.

Path to Victory Royale

Check Point first uncovered the web of vulnerabilities when they noticed that Epic Games had several old, unused sub-domains still live.

On one of these old sub-domains they found a GET request that, once probed, showed the underlying system was vulnerable to SQL injection.

The research team did find a web application firewall (WAF) in front of it, running in a blacklist mode that targeted known attack methods.

“As a result, one of the limitations placed on us was the inability to query several system tables (such as “information_schema” tables), but what if we could use the System Variables (@@)? Indeed, it seemed someone had forgotten about their existence as it worked better than we could have ever wished for!” Check Point wrote in their report.

This yielded server information and data that they would use in the final stage of the attack, which exploited a cross-site scripting (XSS) vulnerability within an Epic Games sub-domain.
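The blacklist problem described above, as an added example rather than code from Check Point’s report or from Epic Games: a toy WAF that blocks the attack fragments someone remembered to list, the vulnerable handler that concatenates a GET parameter into SQL, and the hardened equivalent that validates positively and parameterizes. The table, column and parameter names, and both probe strings, are constructed for illustration.

```javascript
// Added example, not code from Check Point's report or from Epic Games:
// a toy blacklist WAF in the style the article describes, a vulnerable
// query built from a GET parameter, and the hardened equivalent.
// Table, column and parameter names are assumed for illustration.

// Blacklist rules aimed at "known attack methods": schema enumeration via
// information_schema, time-based probes, file reads. Like any blacklist it
// can only stop what someone remembered to list.
const WAF_BLACKLIST = [
  /information_schema/i,
  /\bsleep\s*\(/i,
  /\bbenchmark\s*\(/i,
  /\bload_file\s*\(/i,
  /\binto\s+outfile\b/i,
];

function blacklistWafBlocks(value) {
  return WAF_BLACKLIST.some((re) => re.test(value));
}

// Vulnerable handler: the GET parameter is pasted straight into the statement.
function vulnerableStatsQuery(playerId) {
  return `SELECT name, kills FROM player_stats WHERE id = ${playerId}`;
}

// What reaches the database once the WAF has had its say.
function probe(playerId) {
  if (blacklistWafBlocks(playerId)) return { blocked: true, sql: null };
  return { blocked: false, sql: vulnerableStatsQuery(playerId) };
}

// Hardened handler: positive validation (an id is a short decimal integer)
// plus a parameterized statement. Neither step depends on recognising attacks.
function hardenedStatsQuery(playerId) {
  if (typeof playerId !== 'string' || !/^\d{1,10}$/.test(playerId)) {
    throw new Error('invalid player id');
  }
  return { sql: 'SELECT name, kills FROM player_stats WHERE id = ?', params: [Number(playerId)] };
}

// Constructed probes: the first is the kind of query the blacklist was written
// for; the second pulls server details from MySQL system variables instead,
// which the blacklist never mentions, so it sails through to the database.
const SCHEMA_PROBE = '1 UNION SELECT table_name, 0 FROM information_schema.tables--';
const SYSVAR_PROBE = '1 UNION SELECT @@version, @@datadir--';
```

Running `probe(SCHEMA_PROBE)` reports the request blocked, while `probe(SYSVAR_PROBE)` hands the database a UNION that returns the server version and data directory; `hardenedStatsQuery` rejects both before any SQL is built, because the fix is to stop trusting the parameter rather than to lengthen the blacklist.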

Fortnite Account Hack via JavaScript Payload

Check Point found that Epic Games was using a generic single sign-on implementation: when a player clicked the account sign-in button, it created a URL containing a ‘redirectedUrl’ parameter.

The research team saw that: “It was possible to manipulate the redirect URL and direct the user to any web page within the “*.epicgames.com” domain. With the ability to control the “redirectedUrl” parameter, we could redirect the victim to ‘ut2004stats.epicgames.com’, a site that contained the XSS payload.”

The JavaScript payload would then make a request to one of the third-party SSO providers, such as Google or Facebook, which would promptly send back an authentication token that could be used to access the Fortnite account. Beyond the initial click, no further interaction from the victim is needed.

[Image: JavaScript code used in the payload. Source: Check Point]

Check Point stated that one of the key issues was that the Epic Games server performed no input validation on the ‘state’ parameter of the SSO flow.

The only user interaction the attack needs is for the victim to click a link. But because the link points at one of Epic’s own sub-domains, it looks as though it merely sends the user to another part of Epic’s site, which is exactly what it does.

Given the number of players who interact with Epic Games, a phishing campaign run through Epic Games’ own messaging system would be highly effective.

Check Point informed Epic Games of the vulnerabilities, which have since been patched, but the researchers’ work shows just how easily separate flaws can be stacked up into a plan of attack against an enterprise’s customers.
