Check Point Finds Fortnite Login Vulnerability

AlphaAtlas

Security experts from Check Point Research claim they found a bug in Fortnite's login system that allowed potential attackers to hijack accounts. Unlike the thousands of Fortnite scams that already exist online, this hack allegedly didn't require entering any login credentials or financial info. According to the researchers' technical writeup, the exploit used existing authentication tokens tied to other accounts and a vulnerability related to old Epic Games domains. Once logged in, the attacker could buy V-Bucks, listen in on chat, and presumably mess with Fortnite accounts in other ways. Fortunately, CPR says that "a fix was responsibly deployed" after informing Epic Games.

Check out a video of the exploit here.

The code opens a window and makes an oAuth request to the SSO provider server (in our case, Facebook) with all user cookies and the crafted "state" parameter. Facebook then responds with a redirection to "account.epicgames.com" which contains the SSO token ("code" parameter) and the crafted "state" parameter that was previously affected by the attacker. As the user has already logged on with his Facebook account, the server "account.epicgames.com" makes a redirection to the URL that is found within the crafted "state" parameter. In our case, the redirection goes to "ut2004stats.epicgames.com" with the XSS payload and the Facebook user oAuth token. Finally, the token is then extracted from the request and sent to the attackers' server (for POC purposes we used "ngrok" server - 0aa62240.ngrok.io). The attacker now has the users' Facebook token and can make a login to the victims' account.
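A defensive counterpart to the redirect step in the quoted writeup, added here as an example (not code from Check Point or Epic Games): the callback only follows a `state` redirect target that passes an exact-host allowlist, shown beside a suffix check that would still trust an old subdomain. `ALLOWED_HOSTS`, `FALLBACK`, the function names and the suffix check itself are assumptions for illustration.

```javascript
// Added example: validate the post-login redirect target carried in OAuth "state".
// ALLOWED_HOSTS and FALLBACK are assumptions for illustration, not Epic's real config.
const ALLOWED_HOSTS = new Set(["account.epicgames.com"]);
const FALLBACK = "https://account.epicgames.com/";

// Weak check (assumed, for contrast): trusts every subdomain, including forgotten ones.
function suffixCheck(target) {
  try {
    return new URL(target).hostname.endsWith(".epicgames.com");
  } catch {
    return false;
  }
}

// Strict check: parse with the WHATWG URL parser (the same rules browsers use),
// then require https, an exact allowlisted host, the default port, and no userinfo.
function isSafeRedirect(target) {
  if (typeof target !== "string") return false;
  let url;
  try {
    url = new URL(target); // throws on relative or malformed input
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;
  if (url.username !== "" || url.password !== "") return false;
  if (url.port !== "") return false;
  return ALLOWED_HOSTS.has(url.hostname);
}

// Decide where to send the user after the SSO callback.
function resolveRedirect(stateTarget) {
  return isSafeRedirect(stateTarget) ? new URL(stateTarget).href : FALLBACK;
}

// Constructed sample inputs (no payloads), using hostnames named in the quote above.
const samples = [
  "https://account.epicgames.com/account/personal",
  "https://ut2004stats.epicgames.com/",
  "https://account.epicgames.com@example.invalid/",
  "http://account.epicgames.com/",
  "https://account.epicgames.com.example.invalid/",
];
for (const s of samples) {
  console.log(s, "suffix:", suffixCheck(s), "strict:", isSafeRedirect(s));
}
```

The strict check narrows where a token-bearing redirect can land; retiring or locking down unused subdomains is still needed, since any host left on the allowlist is trusted in full.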
 
More reason not to link your Failbook account to anything or better yet not have one at all...

I only have a FB account for logging into Spotify/Tidal. Need to start looking into a way to migrate to standalone accounts. I really don't want to start from scratch on those accounts :(
 
I am surprised that people want to link their very personal Facebook accounts to anything.

Kinda like when Pornhub asks you if you want to share on some social media platform.

I'd rather have to remember 200 passwords.
 