From “Gears of War” to “Call of Duty,” online gaming can bring people from all over the world together for some mostly harmless warmongering. And these days, the multiplayer gaming world revolves, first and foremost, around “Fortnite.”
But this remarkably popular game made headlines for the wrong reasons lately. The public revelation of legions of “Fortnite” lookalike apps in the Google Play store revealed just how large a target the game’s popularity has painted on its users.
With this large a user base, it was only a matter of time before something more serious happened. Or, in this case, nearly happened. So what’s the story with “Fortnite” right now, and what does it mean about our security when we log into our favorite videogame servers?
What’s the Problem, and Who Does It Affect?
At the time of the breach, “Fortnite” boasted a player base of around 200 million gamers. With that much potential personal information up for grabs, it probably wasn’t a huge shock to IT security firm Check Point when they discovered a vulnerability in the “Fortnite” code that could allow outside actors to commandeer user accounts.
Check Point says they brought their concerns to the attention of Epic Games, creators of “Fortnite,” in November 2018. Shortly after that, the developer issued patches to fix the exploits. As of this writing, these patches are still working — but there’s no evidence the personnel at Check Point were the first ones to discover the issue.
So what was the problem? What was the specific source of danger? It went something like this:
- The Epic Games single sign-on service allows “Fortnite” players to log into multiple web properties simultaneously, without inputting numerous sets of credentials.
- Single sign-on (SSO) is a way for companies to essentially “outsource” some of the effort and technology required to verify user identities. It’s akin to using Facebook to log into a third-party mobile app, such as Tinder.
- “Fortnite” login options include Facebook, Google, Xbox, PlayStation and Nintendo accounts, which means if there’s an error in an SSO service, these and other accounts connected to “Fortnite” and Epic Games could become compromised as well.
The vulnerability combined two flaws: one in the redirect process during login — during which legitimate Epic Games URLs can get tampered with — and one involving database queries. While logging in, players are assigned a token that authenticates their identity. Together, these two flaws would have allowed cybercriminals to steal this token and fully spoof the login service into believing they are the account owner.
But the process of actually deploying these malicious, token-stealing URLs is perhaps the most eye-opening part of this story. All the cybercriminals had to do was use a URL shortener to make their fake link look more official, then spread it across social media and online forums.
Whenever a logged-in “Fortnite” player clicks one of these links, their login token immediately becomes vulnerable. After that happens, a cybercriminal can access any linked credit cards used for in-game purchases. Connected accounts, including Facebook, are wide open as well.
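The first of the two flaws described above is an unvalidated login redirect: the sign-on service sends the player back to whatever “return” URL the link asked for. As an added illustration, not code from the article or from Epic Games, the block below places a loose string-prefix check next to a hardened allowlist check of the kind a login service should use before redirecting. The host names and sample URLs are constructed placeholders, not real Epic Games addresses.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts the sign-on service may send a
# freshly issued token back to. Hypothetical names, not Epic's real hosts.
ALLOWED_REDIRECT_HOSTS = frozenset({
    "accounts.example-game.com",
    "store.example-game.com",
})

TRUSTED_ORIGIN = "https://accounts.example-game.com"


def weak_redirect_check(url: str) -> bool:
    """The mistake: a prefix comparison against the trusted origin.

    Any URL whose text merely *starts* with the trusted origin passes,
    so a tampered link that tacks on another domain still looks legitimate.
    """
    return url.startswith(TRUSTED_ORIGIN)


def safe_redirect_check(url: str) -> bool:
    """Hardened check: parse the URL and compare the host exactly.

    Rejects anything that is not https, anything whose parsed host is not
    on the allowlist (this covers look-alike subdomains, userinfo tricks
    such as host@other, and scheme-relative //other URLs), and raw
    backslashes or control characters that browsers may normalise into a
    different host than the one the parser saw.
    """
    if "\\" in url or any(ord(ch) < 0x20 for ch in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lowercased; excludes userinfo and port
    if host is None or host not in ALLOWED_REDIRECT_HOSTS:
        return False
    return True


def resolve_redirect(requested: str, fallback: str) -> str:
    """Return the requested post-login destination only if it passes the
    hardened check; otherwise send the player to a known-good page."""
    return requested if safe_redirect_check(requested) else fallback


if __name__ == "__main__":
    # Constructed sample "return" URLs a login link might carry.
    samples = [
        "https://accounts.example-game.com/callback?code=abc",
        "https://accounts.example-game.com.attacker.example/callback",
        "https://accounts.example-game.com@attacker.example/",
        "http://accounts.example-game.com/callback",
        "//attacker.example/",
    ]
    for sample in samples:
        print(f"{sample!r}: weak={weak_redirect_check(sample)} "
              f"safe={safe_redirect_check(sample)}")
```

The point of the side-by-side is that the weak check and the hardened check disagree exactly on the look-alike-domain case: the prefix test accepts it, while the parsed-host allowlist rejects it. The remaining protection for the token itself is to never carry it in a URL at all, but that is a separate design choice from the redirect check shown here.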
It’s a modern spin on a timeless concept: getting a person to do something based on the belief that they may benefit somehow. It isn’t so different from the lottery scams that turn thousands of people into victims each year — though the young ages of the potential targets in the “Fortnite” vulnerability make this feel like a slightly different class of crime.
The Implications for Online Gaming
Although developers at Epic Games have since patched the flaw, the discovery of this vulnerability should have a long-term influence on the future of security as it applies to online gaming. This situation was a perfect storm, as it combined run-of-the-mill security bugs with the credulity of the average internet user, who is only too prone to clicking suspect links without thinking twice.
The story asks some tough questions about using SSO across web properties. Each of us receives regular reminders not to reuse passwords. But SSO functions like a master key for multiple internet accounts, which means it’s not so different from a reused password.
For video games and other services that cater predominantly to a younger crowd, the cybersecurity benefits of separate accounts — each with a unique, strong password — for every service we use probably become even more critical.
That doesn’t mean any one of those services is impervious to hacks, but it does at least ensure our children aren’t building houses of cards online out of their email addresses, social media accounts and their parents’ credit card numbers.
You might’ve heard Facebook had troubles of its own along these lines lately — and that story too revealed the perils of choosing convenience over robust security.
If single sign-on is an “internet-wide failure,” as some have suggested, it means we need to rethink how we protect our digital communities. Any group of human beings 200 million strong is just too big for this kind of failure.