Security exploit left your Fortnite account open to hackers

While most of the gaming world watched Ninja become the biggest name in online gaming while playing Fortnite, the game’s publisher was hard at work closing a security vulnerability that could’ve compromised player’s account information.

The exploit was unveiled today by security researchers at Check Point Software Technologies, which released a video showing how hackers could’ve used security tokens (you know, those things that got Facebook in trouble a few months ago) to get around login pages. 

According to the researchers, the security vulnerability was first discovered back in November of last year and, thanks to some quick work on the part of Epic Games (Fortnite’s publisher), has officially been closed since late December. 

Thankfully, neither the researchers nor Epic Games have confirmed any cases in which the exploit was used - but it seems like it could’ve been an easy way for hackers to buy in-game content using players’ credit card information and allowed them to listen to your in-game chat. 

Security tokens strike again 

Without diving too deep down the security rabbit hole, the way the exploit worked was that hackers would send a phishing link to an unsecured URL on Epic Games’ website - ironically, a stats page for Unreal Tournament 2004… which was basically the Fortnite of its day minus all the streamers and sweet dance moves.

That page was open to cross-scripting attacks that allowed Check Point to inject some malicious code, redirecting incoming traffic - and any security tokens sent along with it - from the publisher’s servers to Check Point’s.

Once the phishing link was clicked by the victim, the hacker would be able to get a security token which they could then use to login to Fortnite. Once in, if the victim had a credit card on file that could be used to buy in-game items or listen in to their friend’s conversations.

Thankfully, however, there are no reported incidents where hackers used the exploit to steal login tokens to Fortnite. Facebook on the other hand, which just last year had hackers steal security tokens for 30 million of its users, wasn’t so lucky. 

According to the researchers, because all the info was routed through an Epic Games website, it's unlikely that anti-phishing software would've caught the bug... so that's comforting. 

Thankfully, for now, your account info is safe and sound. That being said, if your friend asks you to check out their stats from a 15-year-old video game, you should err on the safe side and not click the link.

Nick Pino

Nick Pino is Managing Editor, TV and AV for TechRadar's sister site, Tom's Guide. Previously, he was the Senior Editor of Home Entertainment at TechRadar, covering TVs, headphones, speakers, video games, VR and streaming devices. He's also written for GamesRadar+, Official Xbox Magazine, PC Gamer and other outlets over the last decade, and he has a degree in computer science he's not using if anyone wants it.