Vulnerability in Fortnite authentication system affects user accounts

Security investigators were able to steal access tokens attacking an Epic Games subdomain

According to network security and ethical hacking specialists from the International Institute of Cyber Security, a recently discovered vulnerability in Epic Games' account authentication system for the popular video game Fortnite left gamers' accounts exposed. According to reports, malicious users could have stolen login tokens; the attackers only needed the victim to click on a specially crafted link.

A cross-site scripting (XSS) attack, in conjunction with an unvalidated subdomain, enabled cybersecurity experts to bypass the protection measures implemented by the login control system used to access Fortnite.

"Single Sign-On (SSO) systems may be useful, but only while the platform accessed is not vulnerable", as network security experts put it. When properly implemented, user authentication is delegated to a third party, which authorizes access to the platform via a single-use token.

Researchers from a network security firm managed to exploit the vulnerability to request the single-use token a second time and then redirect it to a compromised site, from where it could be stolen. The researchers concluded that Epic Games relied on an unvalidated domain for their login page (accounts.epicgames.com), which could be redirected to another site. After redirecting the token to the vulnerable site, the experts were able to steal it with a JavaScript code injection.
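The first link in the chain described above is a login page that forwards the token to a redirect target it never validated. As an added defensive example (not Epic Games' code; the allowlist entries and function names are assumptions), this is the check an SSO endpoint can apply to a requested post-login destination before any token is sent there: an exact-origin allowlist that also rejects the usual parser-confusion tricks.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of exact origins (scheme + host) that the login
# endpoint may redirect to. A real deployment would load this from config.
ALLOWED_REDIRECT_ORIGINS = {
    "https://www.epicgames.com",
    "https://accounts.epicgames.com",
}


def is_safe_redirect(target: str) -> bool:
    """Return True only if `target` is an absolute https URL whose origin is
    on the allowlist. Other schemes, protocol-relative URLs, userinfo tricks
    (allowed-host@evil), look-alike hosts, backslashes and control characters
    are all rejected."""
    if not isinstance(target, str) or len(target) > 2048:
        return False
    # Browsers treat "\" like "/" in URLs, urlsplit does not; reject it early
    # rather than let the two parsers disagree about where the host ends.
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return False
    parts = urlsplit(target)
    if parts.scheme != "https":
        return False
    # "https://accounts.epicgames.com@evil.example" parses with host
    # evil.example; reject any userinfo outright.
    if "@" in parts.netloc:
        return False
    host = parts.hostname  # already lowercased by urlsplit
    if host is None:
        return False
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if port is not None and port != 443:
        return False
    return f"https://{host}" in ALLOWED_REDIRECT_ORIGINS


def resolve_redirect(requested: str, fallback: str = "https://www.epicgames.com") -> str:
    """Choose the post-login destination: the requested URL if it passes the
    allowlist, otherwise a fixed, known-good fallback."""
    return requested if is_safe_redirect(requested) else fallback
```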

For the attack to succeed, the victim has to click on a specially crafted phishing link. When the victim then accesses Fortnite, the login page is redirected to the attacker's website, where the token is stolen. This attack may not be the most elaborate, but it requires technical expertise beyond that needed for phishing campaigns or brute-force attacks.

Given the attack's moderate complexity, the investigators do not rule out that the vulnerability has been exploited in the wild, although this is hard to verify. Epic Games, for its part, issued a statement saying that the vulnerability was corrected in early December 2018, but did not say whether there is any evidence that the bug was exploited at some point.

Fortnite has become incredibly popular, with
almost 80 million players a month, plus about 200 million players registered on
the platform.
