
Epic fix security hole that let attackers get into accounts from clicking a link

Oof that's a nasty hole

A now-fixed security hole in the account system of Fortnite devs Epic Games could let scoundrels log in as other folks and even buy things, just by getting them to click on a dodgy link. Unlike many phishing schemes, this worked by hijacking the user's authentication token - not even needing to trick them into entering their username and password. Epic say they've now fixed it but oof, that's a bad'un. On the bright side, hey kids, you now have a great excuse for why your dad's credit card bill shows someone spent £50 on virtuadances.

The exploit targeted users signing in through third-party accounts like Google, Facebook, PlayStation, or Xbox rather than signing up directly for an Epic account.

"For the attack to be successful, all a victim needs to do is click on the malicious phishing link the attacker sends them," explained Check Point Software, who brought it to public attention yesterday.

"To increase the likelihood of a potential victim clicking on this link, for example, it could be sent with an enticement promising free game credits. Once clicked, with no need even for the user to enter any login credentials, their Fortnite authentication token would immediately be captured by the attacker."

So the git would be able to log into your account, see your data, buy more V-Bucks on your card, see your contacts... bad things. And presumably it wasn't just limited to Fortnite, able to get at all your Epic account stuff?

"We were made aware of the vulnerabilities and they were soon addressed," Epic Games said in a statement to Gamasutra. "We thank Check Point for bringing this to our attention."

If you want to know the science bit, here it comes from Check Point, concentrate:

"A flaw was found in Epic Games login page, accounts.epicgames.com. As this domain had not been validated, it was susceptible to a malicious redirect. As a result, our team redirected traffic to another, though not in use, Epic Games sub-domain.

"It was on this sub-domain, also containing security flaws, that our research team was able to identify an XSS attack to load a JavaScript that would make a secondary request to the SSO provider, for example, Facebook or Google+, to resend the authentication token. The SSO provider would correctly resend the token back to the login page. However, this time due to the malicious redirect, the token would be sent back to the manipulated sub-domain where the attacker is able to collect the token via his injected JavaScript code."

Mm yes, just as I had suspected - almost exactly what I predicted when I first heard Epic had a security hole.
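The missing step in Check Point's description is validation of where the login page sends the user (and the token) after sign-in. The sketch below is an added example, not Epic's or Check Point's code: it sets a check that accepts any host under the parent domain beside one that only accepts exact, listed origins. All hostnames and function names are constructed for illustration.

```javascript
// Exact origins allowed to receive the post-login redirect (constructed names).
const ALLOWED_REDIRECT_ORIGINS = new Set([
  "https://accounts.games.example",
  "https://store.games.example",
]);

// Weak check: any host ending in the parent domain passes, so a forgotten
// sub-domain with its own XSS bug becomes a valid destination for the token.
function weakIsAllowedRedirect(target) {
  try {
    return new URL(target).hostname.endsWith("games.example");
  } catch {
    return false;
  }
}

// Hardened check: parse once, require https, refuse embedded credentials,
// and demand an exact origin match against the allowlist.
function strictIsAllowedRedirect(target) {
  let url;
  try {
    url = new URL(target);
  } catch {
    return false; // relative or malformed input is rejected outright
  }
  if (url.protocol !== "https:") return false;
  if (url.username || url.password) return false;
  return ALLOWED_REDIRECT_ORIGINS.has(url.origin);
}

// Pick the redirect the login flow will actually use, with a safe default.
function resolveRedirect(target, fallback = "https://accounts.games.example/") {
  return strictIsAllowedRedirect(target) ? new URL(target).href : fallback;
}

// Constructed sample inputs: [target, note]
const samples = [
  ["https://accounts.games.example/profile", "listed origin"],
  ["https://legacy.games.example/page?x=1", "unused sibling sub-domain"],
  ["https://evilgames.example/collect", "suffix match on another domain"],
  ["http://store.games.example/", "listed host over plain http"],
  ["//other.example/", "scheme-relative input"],
];
for (const [target, note] of samples) {
  console.log(note, weakIsAllowedRedirect(target), strictIsAllowedRedirect(target));
}
```

The same exact-match list belongs in the redirect URI settings registered with each SSO provider, so the provider itself refuses to return a token to an unlisted host.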
