The cybersecurity company Check Point has discovered three new vulnerabilities in the account registration system of the video game Fortnite that exposed players' personal data and credit cards. Through these vulnerabilities, attackers could take control of Fortnite user accounts and make purchases of in-game items with the V-Buck virtual currency, Check Point warned in a statement. The problem also affects privacy, since the cybercriminal could listen to conversations within Fortnite by accessing the sound recorded by the user's microphone during the game, as well as the personal information stored in the accounts.
These new vulnerabilities could have been exploited without the player entering any access data. The attack relies on the web infrastructure of Epic Games and its authentication system based on "tokens". According to Check Point, the mechanisms of the video game's website, together with Single Sign-On (SSO) unified access systems such as Facebook, Google and Xbox, can be used to steal the user's login credentials and take over the victim's account if the victim clicks on a "phishing" link. Once the link is clicked, the user's Fortnite authentication "token" can be captured without the user having to enter any credentials. The vulnerability was caused by defects found in two Epic Games subdomains that were susceptible to a malicious redirect. The cybersecurity company has informed Epic Games, the developer of Fortnite, about the vulnerabilities in its video game, which has about 80 million players globally. The problem has since been solved, according to Check Point.
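
To illustrate why a redirect flaw on any subdomain matters in a token-based SSO flow, the following added example (not code from Check Point or Epic Games) compares a check that trusts every subdomain with one that only accepts exact, pre-registered redirect targets. The domain, hosts and paths are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed values for illustration; not Epic Games' real hosts or paths.
PARENT_DOMAIN = "game.example"
REGISTERED_TARGETS = {
    ("accounts.game.example", "/sso/callback"),
    ("www.game.example", "/login/complete"),
}

def weak_check(url):
    """Risky pattern: any subdomain of the parent domain is trusted."""
    host = urlsplit(url).hostname or ""
    return host == PARENT_DOMAIN or host.endswith("." + PARENT_DOMAIN)

def strict_check(url):
    """Only exact, pre-registered HTTPS host and path pairs may receive a token."""
    # Reject backslashes, whitespace and control characters that parsers treat differently.
    if "\\" in url or any(ord(c) <= 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return False
    if parts.scheme != "https" or port not in (None, 443):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if parts.query or parts.fragment:
        return False
    return (parts.hostname, parts.path) in REGISTERED_TARGETS

# Constructed sample redirect targets.
SAMPLES = [
    "https://accounts.game.example/sso/callback",
    "https://legacy.game.example/go?to=https://other.invalid/",
    "https://accounts.game.example@other.invalid/sso/callback",
    "http://accounts.game.example/sso/callback",
]

def audit(urls):
    """Return (url, weak_result, strict_result) for each candidate target."""
    return [(u, weak_check(u), strict_check(u)) for u in urls]

if __name__ == "__main__":
    for url, weak, strict in audit(SAMPLES):
        print(f"weak={weak!s:5} strict={strict!s:5} {url}")
```

The second sample passes the subdomain-wide check even though the page it names forwards the browser elsewhere, which is why the strict version registers individual host and path pairs instead of trusting the whole domain.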