A flaw in Epic Games’s Fortnite opened the accounts of millions of users to the risk of a malicious attack, researchers from Check Point Software Technologies said in a report Wednesday.
The vulnerability in the authentication process allowed hackers to send a link to the player that, once clicked, gave access to user accounts to buy virtual currency and purchase game equipment that would then be transferred to a separate account and resold. The hacker also had access to conversations held by the player and his friends, which could be used to exploit the account owner, often children under 18.
Epic Games recently fixed the flaw, the Israeli cyber-security company said. Epic Games could not be immediately reached for comment but has a patch that offered new weapons and bug fixes detailed on its site. It is unclear whether the vulnerability was ever exploited.
“Needless to say, that along with this massive invasion of privacy, the financial risks and potential for fraud is vast,” Check Point said. The company’s head of products vulnerability research, Oded Vanunu, said his six- and nine-year-old children play Fortnite, as do millions of school children around the globe.
“Your kids are playing a game and people can listen to what they are doing,” said Vanunu. “The child thinks he is talking to a 12-year-old kid, but he is talking to adults who might say ‘send me a picture of that and I will give you this weapon. This is the craziness of this game.”
As of June, Fortnite had been played by 125 million people, and was on track to generate $2 billion (roughly Rs. 14,000 crores) for Epic Games. The game revolves around a cartoonish, last-character-standing battle where players fight for weapons and resources. It’s free to play and available on multiple devices from mobile phones to video-game consoles.
Developer Epic makes money from Fortnite by charging players for decorative items like costumes and props. In October, Epic raised $1.25 billion from an investor group that included KKR & Co., Vulcan Capital and Kleiner Perkins in a deal that valued the closely held company at $15 billion.
© 2019 Bloomberg LP