A now-fixed safety gap within the account system of Fortnite devs Epic Games may let scoundrels log in as folks and even purchase issues, simply by getting them to click on on a dodgy hyperlink. Unlike many phishing schemes, this labored by hijacking the consumer’s authentication token – not even needing to trick them into getting into their username and password. Epic say they’ve now fastened it however oof, that’s a foul’un. On the intense aspect, hey youngsters, you now have a fantastic excuse for why your dad’s bank card invoice reveals somebody spent £50 on virtuadances.
The exploit focused customers signing in by means of third-party accounts like Google, Facebook, PlayStation, or Xbox fairly than signing up straight for an Epic account.
“For the attack to be successful, all a victim needs to do is click on the malicious phishing link the attacker sends them,” explained Check Point Software, who introduced it to public consideration yesterday.
“To increase the likelihood of a potential victim clicking on this link, for example, it could be sent with an enticement promising free game credits. Once clicked, with no need even for the user to enter any login credentials, their Fortnite authentication token would immediately be captured by the attacker.”
So the git would be capable of log into your account, see your information, purchase extra V-Bucks in your card, see your contacts… dangerous issues. And presumably it wasn’t simply restricted to Fortnite, capable of get at all of your Epic account stuff?
“We were made aware of the vulnerabilities and they were soon addressed,” Epic Games mentioned in a press release to Gamasutra. “We thank Check Point for bringing this to our attention.”
If you need to know the science bit, right here it comes from Check Point, focus:
“A flaw was present in Epic Games login web page, accounts.epicgames.com. As this area had not been validated, it was inclined to a malicious redirect. As a consequence, our workforce redirected site visitors to a different, although not in use, Epic Games sub-domain.
“It was on this sub-domain, additionally containing safety flaws, that our analysis workforce was capable of determine an XSS assault to load a JavaScript that might make a secondary request to the SSO supplier, for instance, Facebook or Google+, to resend the authentication token. The SSO supplier would appropriately resend the token again to the login web page. However, this time because of the malicious redirect, the token can be despatched again to the manipulated sub-domain the place the attacker is ready to gather the token by way of his injected JavaScript code.”
Mm sure, simply as I had suspected – virtually precisely what I predicted once I first heard Epic had a safety gap.
