Check Point Finds Fortnite Login Vulnerability


Staff member
Mar 3, 2018
Security experts from Check Point Research claim they found a bug in Fortnite's login system that allowed potential attackers to hijack accounts. Unlike the thousands of Fortnite scams that already exist online, this hack allegedly didn't require entering any login credentials or financial info. According to the researchers' technical writeup, the exploit used existing authentication tokens tied to other accounts and a vulnerability related to old Epic Games domains. Once logged in, the attacker could buy V-Bucks, listen in on chat, and presumably mess with Fortnite accounts in other ways. Fortunately, CPR says that "a fix was responsibly deployed" after informing Epic Games.

Check out a video of the exploit here.

The code opens a window and makes an oAuth request to the SSO provider server (in our case, Facebook) with all user cookies and the crafted "state" parameter. Facebook then responds with a redirection to "" which contains the SSO token ("code" parameter) and the crafted "state" parameter that was previously affected by the attacker. As the user has already logged on with his Facebook account, the server "" makes a redirection to the URL that is found within the crafted "state" parameter. In our case, the redirection goes to "" with the XSS payload and the Facebook user oAuth token. Finally, the token is then extracted from the request and sent to the attackers' server (for POC purposes we used "ngrok" server - The attacker now has the users' Facebook token and can make a login to the victims' account.
More reason not to link your Failbook account to anything or better yet not have one at all...

I only have a FB account for logging into Spotify/Tidal. Need to start looking into a way to migrate to standalone accounts. I really don't want to start from scratch on those accounts :(
i am surprised that people want to link their very personal facebook accounts to anything

kinda like when pornhub asks you if you want to share on some social media platform.

i'd rather have to remember 200 passwords.