The online gaming space has witnessed a spike ever since two popular battle royale games, PlayerUnknown's Battlegrounds (PUBG) and Fortnite, made their way to the mobile platform. While both games are garnering tremendous success globally, concerns about addiction have brought them bad press. But Fortnite found itself in hot water as it put the privacy of its 80 million players at risk.
Researchers at Check Point, a cybersecurity research firm, discovered serious vulnerabilities in Fortnite that could have granted unfettered access to 80 million players' accounts, personal information and payment card details. The growing popularity of the game, which contributes half of Epic Games' $5-$8 billion estimated value, already makes it a hot target for hackers.
Check Point researchers found a serious vulnerability in Epic Games' sub-domains, which could have easily granted access to a user's account without the user handing over login details on a phishing website. All a player needed to do was click on a link sent to them by the hacker to grant access to their account. Since the crafted phishing link would carry an Epic Games domain, unsuspecting players would find it hard to doubt its legitimacy.
The researchers found three vulnerabilities in Epic Games' web infrastructure, which allowed them to demonstrate an attack that completely takes over a Fortnite account. With it, hackers could steal a user's access credentials and the payment details linked to the account to purchase V-Bucks, the in-game virtual currency, and listen to in-game chatter and conversations in the victim's home.
The researchers quickly notified the Epic Games team of the vulnerabilities, and they have now been fixed, which should come as a relief to millions of players. But this could have easily gone awry had the weaknesses been exploited by hackers, which is why Check Point and Epic Games advise all users to "remain vigilant whenever exchanging information digitally and to practice safe cyber habits when engaging with others online."
It should be a common practice for anyone connected to the internet, be it for gaming or browsing, to question the legitimacy of links seen on user forums and websites. Most of the time, phishing websites offer rewards, either in the form of in-game currency or in other ways depending on where the hackers are targeting their victims.
"These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability," Oded Vanunu, head of products vulnerability research for Check Point, said in a statement.