“This takes advantage of Epic Games’ use of authentication tokens in conjunction with Single Sign-On (SSO) providers such as Facebook, Google, Xbox and others that are built into Fortnite’s user login process”
Researchers at Tel Aviv-based cybersecurity company Check Point have identified numerous vulnerabilities within the online infrastructure of Epic Games, allowing them to obtain authentication tokens for user accounts in the game Fortnite.
Fortnite, created by video game developer Epic Games, has experienced two incredible years of growth. Played by over 75 million people last year, the game is estimated to have made over £1.5 billion in merchandise and in-game purchases over 2018 alone.
However, this popularity has made it a target for threat actors hoping to cash in on its success. Many users have had their accounts taken over and sold off for the valuable cosmetic items they have purchased in-game.
Path to Victory Royale
Check Point first discovered the web of vulnerabilities when they saw that Epic Games had several old unused sub-domains still active.
On one of these old sub-domains they found a GET request that, once probed, showed the system was vulnerable to SQL injection.
The research team did encounter a web application firewall operating in a blacklist mode that targeted known attack methods.
“As a result, one of the limitations placed on us was the inability to query several system tables (such as “information_schema” tables), but what if we could use the System Variables (@@)? Indeed, it seemed someone had forgotten about their existence as it worked better than we could have ever wished for!” Check Point wrote in their report.
This provided them with server code and data that they would use in the last stage of the attack, which exploited a cross-site scripting (XSS) vulnerability within Epic Games’ sub-domains.
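The SQL injection described above is the classic case of a GET parameter being spliced into a query string, and the blacklist firewall only delayed the researchers. The following is an added example (not Check Point’s or Epic Games’ code) that contrasts the concatenation pattern with a parameterized query against a constructed in-memory SQLite table, alongside a toy keyword blacklist that stands in for the firewall; the table, rows and blocked-token list are all invented for illustration.

```python
import sqlite3


def build_db():
    # Constructed stand-in for a stats backend; schema and rows are invented.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE players (name TEXT, score INTEGER, email TEXT)")
    conn.executemany(
        "INSERT INTO players VALUES (?, ?, ?)",
        [
            ("alice", 120, "alice@example.invalid"),
            ("bob", 95, "bob@example.invalid"),
        ],
    )
    return conn


def lookup_vulnerable(conn, name):
    # 'Before' pattern: the request parameter becomes part of the SQL text,
    # so quote characters in the input change the meaning of the statement.
    sql = "SELECT name, score FROM players WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Fix: the driver binds the value separately from the statement; whatever
    # the input contains, it is compared as a string literal, never parsed as SQL.
    return conn.execute(
        "SELECT name, score FROM players WHERE name = ?", (name,)
    ).fetchall()


def blacklist_waf(value):
    # Toy model of a blacklist rule set: it recognises a handful of tokens
    # (including the information_schema lookup the article mentions) and
    # nothing else. Anything not on the list passes, which is why a blacklist
    # is a speed bump rather than a fix.
    blocked = ("information_schema", "union select", "--", ";")
    return not any(tok in value.lower() for tok in blocked)


def demo():
    conn = build_db()
    # Constructed probe: a textbook tautology that the toy blacklist does not match.
    probe = "' OR '1'='1"
    return {
        "waf_passes_probe": blacklist_waf(probe),
        "vulnerable_rows": len(lookup_vulnerable(conn, probe)),
        "parameterized_rows": len(lookup_parameterized(conn, probe)),
        "parameterized_benign": lookup_parameterized(conn, "alice"),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the blacklist letting the probe through, the concatenated query returning every row, and the parameterized query returning nothing for the same input while still answering a normal lookup. The practical takeaway matches the article: a firewall can be tuned indefinitely, but only the parameterized form removes the defect.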
Check Point discovered that Epic Games used a generic single sign-on implementation that, when a player clicked the account sign-in button, generated a URL containing a ‘redirectedUrl’ parameter.
The research team wrote: “It was possible to manipulate the redirect URL and direct the user to any web page within the “*.epicgames.com” domain. With the ability to control the “redirectedUrl” parameter, we could redirect the victim to ‘ut2004stats.epicgames.com’, a site that contained the XSS payload.”
Check Point stated that one of the key issues was that Epic Games’ server did not perform any input validation on the ‘state’ parameter.
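Two of the weaknesses just described, a redirect parameter that accepts any host under a wildcard domain and a ‘state’ parameter that is never validated, have well-understood fixes on the server side of an SSO flow. The following is an added example (not Epic Games’ or Check Point’s code) showing how a login callback can check a redirect target against an exact-host allowlist and bind the ‘state’ value to the user’s session with an HMAC; the hostnames, the signing key and the session identifiers are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed allowlist: exact hostnames only. Deliberately no wildcard, so a
# sibling sub-domain that happens to host an XSS flaw is not a valid target.
ALLOWED_REDIRECT_HOSTS = {"www.example-game.invalid", "store.example-game.invalid"}

# Placeholder secret; a real deployment loads this from its secret store.
STATE_KEY = b"constructed-server-side-secret"


def is_safe_redirect(url, allowed_hosts=ALLOWED_REDIRECT_HOSTS):
    """Return True only for a same-site relative path or an https URL whose
    hostname is exactly in the allowlist."""
    if any(c in url for c in "\\\r\n"):
        return False  # backslashes and line breaks are parsed differently by browsers
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # Relative target: must be a single-slash path, never '//host' (scheme-relative)
        return url.startswith("/") and not url.startswith("//")
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None or parts.port is not None:
        return False  # 'https://trusted@evil/' tricks live in the userinfo part
    host = (parts.hostname or "").lower()
    return host in allowed_hosts  # exact match, not endswith()


def make_state(session_id):
    """Issue a state token bound to this session: nonce.HMAC(session:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(STATE_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_state(session_id, state):
    """Reject anything that was not issued for this exact session."""
    if not isinstance(state, str) or "." not in state:
        return False
    nonce, mac = state.split(".", 1)
    if len(nonce) != 32 or any(c not in "0123456789abcdef" for c in nonce):
        return False
    expected = hmac.new(STATE_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_sso_callback(session_id, state, redirected_url):
    """Decision the callback endpoint makes once the provider hands control back.
    Returns ('redirect', url) or ('reject', reason)."""
    if not verify_state(session_id, state):
        return ("reject", "state does not match this session")
    if not is_safe_redirect(redirected_url):
        return ("reject", "redirect target not on allowlist")
    return ("redirect", redirected_url)


if __name__ == "__main__":
    sid = "constructed-session-123"
    st = make_state(sid)
    print(handle_sso_callback(sid, st, "https://www.example-game.invalid/account"))
    print(handle_sso_callback(sid, st, "https://stats.example-game.invalid/"))
    print(handle_sso_callback("other-session", st, "/account"))
```

The allowlist check is intentionally an exact-hostname set rather than an `endswith(".example-game.invalid")` test: the latter is what a “*.epicgames.com” rule amounts to, and it would have accepted the sub-domain carrying the XSS payload. Binding ‘state’ to the session means a link prepared by someone else, carrying their own ‘state’ value, is rejected before the redirect is even considered.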
The only outside component of this attack is that it requires a user to click on a link. However, because the attack method uses Epic’s own sub-domains, the link looks like it simply redirects to a different part of Epic’s site, which is exactly what it does.
Given the volume of players that interact with Epic Games, a phishing campaign using Epic Games’ own messaging system would be quite effective.
Check Point informed Epic Games of the vulnerabilities, which have since been patched, but the work done by the research team shows just how easy it is to stack up system flaws and construct a plan of attack against an enterprise’s customers.