Once clicked, the user’s Fortnite authentication token could be captured by the attacker without the user entering any login credentials. To fall victim to this attack, a player needs only to click on a crafted phishing link coming from a genuine Epic Games domain, which makes the link appear legitimate.
Due to three flaws found in Epic Games’ web infrastructure, researchers were able to manipulate the token-based authentication process used by Fortnite in conjunction with Single Sign-On (SSO) systems such as Facebook, Google, Xbox, and PlayStation to steal the user’s access credentials and take over their account. While Fortnite players had previously been targeted by scams that deceived them into logging into fake websites that promised to generate Fortnite’s ‘V-Buck’ currency, these new vulnerabilities could have been exploited without the player handing over any login details.Īttackers could have potentially gained access to a user’s account through vulnerabilities discovered in Fortnite’s user login process.