A flaw in Epic Games Inc.’s hugely popular “Fortnite” put the accounts of millions of players at risk of malicious attack, researchers from Check Point Software Technologies Ltd. said in a report Wednesday.
The vulnerability in the authentication process allowed hackers to send a link to the player that, once clicked, gave access to the user account where attackers could buy virtual currency and purchase game equipment that could then be transferred to a separate account and resold. The hacker also could gain access to conversations held by the player and his or her friends, which could be used to exploit the account owner, often children under 18.
“We were made aware of the vulnerabilities and they were soon addressed,” an emailed statement from Epic Games said. “We encourage players to protect their accounts by not reusing passwords and using strong passwords, and not sharing account information with others.”
It was unclear whether the vulnerability discovered by Check Point was ever exploited.
As of June, “Fortnite” had been played by 125 million people and was on track to generate $2 billion for the North Carolina game developer. “Fortnite” revolves around a cartoonish, last-character-standing battle in which players fight for weapons and resources. It’s free to play and available on multiple devices including mobile phones and video game consoles.
“Needless to say that along with this massive invasion of privacy, the financial risks and potential for fraud is vast,” Check Point said of the discovered flaw. The company’s head of products vulnerability research, Oded Vanunu, said his 6- and 9-year-old children play “Fortnite,” as do millions of schoolchildren around the globe.
“Your kids are playing a game and people can listen to what they are doing,” Vanunu said. “The child thinks he is talking to a 12-year-old kid, but he is talking to adults who might say, ‘Send me a picture of that and I will give you this weapon.’ This is the craziness of this game.”