Hacking Fortnite Accounts – Check Point Research
January 16, 2019
Research by: Alon Boxiner, Eran Vaknin and Oded Vanunu
Set in a virtual world, ‘Fortnite’, the massively popular game from developer Epic Games, tasks players with testing their endurance as they battle for the tools and weapons that will keep them secure and make them the ‘last man standing’.
In the last few weeks, however, Check Point Research discovered multiple vulnerabilities in Epic Games’ online platform that could have allowed a threat actor to take over the account of any game player, view their personal account information, purchase V-bucks (Fortnite’s virtual in-game currency), and eavesdrop on and record players’ in-game chatter and background home conversations.
Created by Epic Games, an American video game developer, Fortnite is the game responsible for almost half of the company’s estimated $5bn-$8bn value. With such a meteoric rise in fortune, it is no surprise that the game had already attracted the attention of cyber criminals who set out to con unsuspecting players.
These scams previously took the form of deceiving players into logging into fake websites that promised to generate Fortnite’s ‘V-Buck’ in-game currency, a commodity that can usually only be acquired through the official Fortnite store or by earning it in the game itself. These sites prompt players to enter their game login credentials, as well as personal information such as name, address and credit card details, and are spread via social media campaigns that claim players can “earn easy cash” and “make quick money”.
Our team’s research, however, relied on a far more sophisticated and sinister method that did not require the user to hand over any login details whatsoever. By discovering a vulnerability in some of Epic Games’ sub-domains, an XSS attack became possible with the user merely needing to click on a link sent to them by the attacker. Once clicked, with no need even for them to enter any login credentials, their Fortnite username and password could immediately be captured by the attacker.
Check Point Research informed Epic Games of this vulnerability and a fix was responsibly deployed, ensuring their millions of players can continue their gameplay in a secure environment.
Demo Video of the Attack
Epic Games was found to have several old sub-domains, such as ‘https://ut2004stats.epicgames.com’. It is at this location that our story begins.
The sub-domain, ‘https://ut2004stats.epicgames.com’, led us to an interesting GET request with the following path: “/serverstats.php?server=[some server code]”.
What would happen, we asked, if a single-quote (‘) character were added to the request?
Well, the response was: “Server database error”!
This was certainly a good breakthrough, as we realized this could well have the potential for an SQL Injection (at this stage, our assumption was that we were dealing with a MySQL database).
The research revealed that there was a WAF product in front of the application, working with black lists rather than white lists, that we would first need to deal with. As a result, one of the limitations placed on us was the inability to query several system tables (such as the “information_schema” tables).
But what if we could use the System Variables (@@)? Indeed, it seemed someone had forgotten about their existence as it worked better than we could have ever wished for!
Following a search on Google, we then found that “37514065” is a valid server code. With this in mind we performed the following query to see what response we would get:
The response: 4014 bytes, meaning that the condition in the query was false (the guessed character did not match). A response of 12609 bytes, on the other hand, would have meant that the condition was true and the character does appear in the query result.
For example: if((SUBSTR(@@version,1,1)=CHAR(52)),37514065,0) returns with 4014 bytes:
Figure 2: The 4014 bytes response from the initial SQL query.
Of course, were the query ‘if((SUBSTR(@@version,1,1)=CHAR(53)),37514065,0)’ to respond with 12609 bytes, then we would know that MySQL version 5 was in use.
Figure 4: The 12609 bytes response from our SQL query.
In this way, the data we managed to get would prove to be very helpful for the later stages of our research.
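The root cause of the behaviour described above is a query built by string concatenation, where a stray quote changes the SQL text and a conditional expression is evaluated by the database instead of being treated as data. The following is an added example, not code from Check Point or Epic Games: a hypothetical reconstruction in Python over an in-memory SQLite table (a constructed stand-in for the stats database, not Epic's schema) showing the weak pattern next to the parameterized form that fixes it. Function and table names are assumptions.

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for the server statistics database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE servers (code TEXT PRIMARY KEY, name TEXT, players INTEGER)")
    conn.executemany(
        "INSERT INTO servers VALUES (?, ?, ?)",
        [("37514065", "Constructed server A", 12), ("10000001", "Constructed server B", 3)],
    )
    return conn


def server_stats_vulnerable(conn, server):
    # Hypothetical weak pattern: the untrusted ?server= value is spliced into the
    # SQL text, so a single quote breaks the statement and the database error
    # leaks back to the caller, the same symptom the post describes.
    sql = "SELECT name, players FROM servers WHERE code = '" + server + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return "Server database error"


def server_stats_safe(conn, server):
    # Hardened form: the value is bound as a parameter and can never be parsed
    # as SQL, so a quote or a conditional expression is just a non-matching code.
    sql = "SELECT name, players FROM servers WHERE code = ?"
    return conn.execute(sql, (server,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(server_stats_vulnerable(db, "37514065'"))   # Server database error
    print(server_stats_safe(db, "37514065'"))         # []
```

A useful side effect of the parameterized form is that every probe, valid or not, produces a response of the same shape, so the response-length oracle the research relied on disappears along with the injection itself.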
Cross-Site Scripting (XSS)
As we proceeded with our research, we found that the sub-domain ‘https://ut2004stats.epicgames.com’ contained a web page called “maps”. We guessed that this web page is used for presenting tournament statistics sorted by map name/id.
When you are on the lookout for XSS vulnerabilities, both reflected and/or stored ones, it is clear you should look for a reflection of your input in the page – and this is exactly what we found in the search component. Indeed, another feature of this page is the search bar that would act as the injection point for the XSS vulnerability.
This was our second great breakthrough as it became clear we had an XSS on “ut2004stats.epicgames.com”. Being a sub-domain of the main “epicgames.com” domain, this would again prove to be most important for the last stage of our attack.
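The search bar reflected the submitted term straight back into the page, which is what made the “maps” page an XSS injection point. As an added example (not the page's own code and not Epic's markup; the template and function names are constructed), here is a Python rendering of a search page in its weak form and in the hardened form that HTML-encodes the term before reflecting it, in both the attribute context of the input box and the body context of the results text.

```python
import html

# Constructed template standing in for the "maps" page: the term is reflected
# twice, inside a quoted attribute and inside the page body.
TEMPLATE = (
    '<input name="search" value="{attr}">'
    '<p>Statistics for map: {body}</p>'
)


def render_maps_vulnerable(term):
    # Weak pattern: the raw search term is placed verbatim into both contexts,
    # so angle brackets and quotes are interpreted as markup by the browser.
    return TEMPLATE.format(attr=term, body=term)


def render_maps_safe(term):
    # Hardened form: encode &, <, >, " and ' before reflection. quote=True is
    # required for the attribute context, otherwise a double quote would close
    # the value="" attribute even though the body text looks harmless.
    enc = html.escape(term, quote=True)
    return TEMPLATE.format(attr=enc, body=enc)


def reflects_raw(page_html, term):
    # Review check: does the unencoded term survive anywhere in the page?
    return term in page_html


if __name__ == "__main__":
    sample = 'Constructed <b>term</b> with a "quote"'
    print(reflects_raw(render_maps_vulnerable(sample), sample))  # True
    print(reflects_raw(render_maps_safe(sample), sample))        # False
```

Output encoding is the fix for the reflection itself; on a sub-domain that shares a parent domain with the account system, a Content-Security-Policy header that disallows inline script is a sensible second layer, since the value of this particular XSS lay in where it lived rather than in the page it sat on.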
OAuth Account Take-over
Over the next few days we longingly searched for a possible strike point.
As it happened, from the very beginning of our research one team member had a strong feeling about the SSO mechanism. With no assumption or theory to be ruled out, we took a closer look at the SSO and indeed found that Epic Games had written a generic SSO implementation to support several login providers. It was time to dig inside this implementation.
It turns out that when a player logs in to his account by clicking on the “Sign In” button, Epic Games generates a URL containing a “redirectedUrl” parameter (as seen below in the bold text). This parameter is later used by “accounts.epicgames.com” in order to redirect the player to his account page.
Figure 5: The redirect link after a player logs in to his account.
However, we soon found that it was possible to manipulate the redirect URL and direct the user to any web page within the “*.epicgames.com” domain.
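The weakness here is a redirect check that accepts any host under the parent domain. The added example below (not Epic's code; the allow-list, URLs other than the two hostnames named in the post, and function names are constructed) contrasts that suffix-matching rule with a strict check against an exact allow-list of registered redirect targets, which is what an SSO flow should use.

```python
from urllib.parse import urlsplit

# Constructed allow-list of registered (scheme, host, path) redirect targets.
# The real registered URLs are not given on the page.
ALLOWED_REDIRECTS = {
    ("https", "www.epicgames.com", "/account"),
}

DEFAULT_REDIRECT = "https://www.epicgames.com/account"


def is_allowed_redirect_weak(url):
    # Reconstruction of the weak rule described in the post: any host that ends
    # in .epicgames.com is accepted, so every sub-domain, including an old one
    # with its own bugs, becomes a valid landing page for the login flow.
    parts = urlsplit(url)
    host = parts.hostname or ""
    return parts.scheme == "https" and host.endswith(".epicgames.com")


def is_allowed_redirect_strict(url):
    # Hardened form: exact match on scheme, host and path against the registered
    # list; credentials or an explicit port in the URL are rejected outright.
    try:
        parts = urlsplit(url)
        if parts.username or parts.password or parts.port:
            return False
    except ValueError:
        return False
    return (parts.scheme, parts.hostname, parts.path) in ALLOWED_REDIRECTS


def choose_redirect(requested):
    # Fall back to the default account page rather than honouring an unknown target.
    return requested if is_allowed_redirect_strict(requested) else DEFAULT_REDIRECT


if __name__ == "__main__":
    stats = "https://ut2004stats.epicgames.com/maps?search=term"
    print(is_allowed_redirect_weak(stats))    # True
    print(is_allowed_redirect_strict(stats))  # False
    print(choose_redirect(stats))             # https://www.epicgames.com/account
```

Comparing the parsed components rather than the raw string also means case differences in the host and an unexpected scheme are handled uniformly, and keeping the allow-list to a handful of exact entries makes the check easy to audit when sub-domains are added or retired.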
With the ability to control the “redirectedUrl” parameter, we could redirect the victim to ‘ut2004stats.epicgames.com’, a site that contained the XSS payload: