Cybersecurity researchers have shared details of vulnerabilities that could have affected any player of the hugely popular online battle game, Fortnite. If exploited, the vulnerability would have given an attacker full access to a user’s account and their personal information as well as enabling them to purchase virtual in-game currency using the victim’s payment card details. The vulnerability would also have allowed for a massive invasion of privacy as an attacker could listen to in-game chatter as well as surrounding sounds and conversations within the victim’s home or other location of play.
Commenting on this, Sam Curry, chief security officer at Cybereason, said: “Tens of millions of gamers play Fortnite regularly, and there have been many previously reported historic breaches of gaming platforms, so when you add everything up consumers are at risk. This isn’t likely to change anytime soon because as long as criminals can make money off the back of gamers, a lot of personal information is likely to be continually stolen. It shouldn’t surprise anyone that consumers are oftentimes the weakest link in today’s cyber crime ecosystem and end up as pawns in a game of cyber chess, because they are by far the most vulnerable.
To minimise online gaming risks, consumers should never open emails from the vendors asking for personal information, a password update or other account information. And they should strengthen their passwords to minimise the risk of hackers cracking them. The days of having passwords such as ‘123456,’ ‘password’ or ‘cat’ should be long gone, but unfortunately that isn’t always the case.”
Also commenting on this, Tim Mackey, senior technical evangelist at Synopsys, said:
“This disclosure demonstrates some of the risks associated with implementations of single sign on (SSO) providers like Facebook, Google, Microsoft and Amazon. SSO attacks are on the rise and seek to capture the access token used to authenticate an end user. Access tokens authenticate end users without requiring them to enter a username and password. One benefit to an attacker of an SSO access token is that if a user changes their username or password, the token remains valid. Since end users need to take explicit action within the SSO provider to invalidate tokens, the value of a token to an attacker is higher than the value of a username and password. SSO implementations can be readily identified by the login convenience button presenting, say, a “Login using Facebook” button for use with Facebook as the SSO provider.
If a user wishes to invalidate an access token, they need to open the website of the provider (say Facebook), go to their account settings and look for an area related to “Applications and Websites”. In this area, you’ll see which applications you’ve granted access to your profile, and have the option to revoke access. Revoking access is what invalidates the token. Confirming the token was invalidated is as simple as going to the webpage or application and noting that you’ll need to log in. If you log in using the same provider (say Facebook), a new token will be generated.
In the case of Epic Games, successful harvesting of the SSO access token demonstrates how a single application vulnerability is rarely the cause of an account being compromised or a data breach. In the proof of concept, we see SQL Injection, Cross Site Scripting (XSS), and the bypass of a Web Application Firewall (WAF) were all part of the attack chain. SQL Injection and XSS are perennial items on the OWASP Top 10. While a WAF was present, its bypass clearly demonstrates how a WAF alone can’t protect an application without application specific knowledge. Importantly, that underlying application issues like SQL Injection and XSS weren’t resolved in code, but instead a WAF was employed as a primary defense mechanism should raise alarm bells within Epic Games. The rules, techniques and tools of a given cybersecurity attack are controlled by the attacker. If an attacker gains access to a network where the WAF isn’t used, but the application is accessible, then the underlying application vulnerabilities become part of the attacker’s toolbox. While Epic Games is actively encouraging its user base to adopt two factor authentication, 2FA isn’t a substitute for properly securing the underlying application.”
Also commenting on the news is Paul Bischoff, privacy advocate with Comparitech:
“Attacks using stolen authentication tokens seem to be getting more popular, but in this case it looks like Epic was able to patch the vulnerability before any real harm was done. Authentication tokens are what allow us to log into accounts without having to type in our passwords every time. If a hacker steals your authentication token, they can easily hijack your account. Stolen security tokens were also used in the recent hack of 50 million Facebook accounts through the social network’s “View As” feature.
In this case, the victim must click on a malicious Epic Games login link, which takes them to an older Epic Games-owned website containing a vulnerability. Hackers can then use an attack called cross-site scripting (XSS) to steal the token. XSS is a fairly common type of attack.
Users should be wary of dodgy links in their email and on social media, which are the most common means of spreading phishing and malicious links that could be used to initiate this sort of attack. It seems Epic Games failed to secure an older website used to view scores for Unreal Tournament, an older and less popular game, where the authentication tokens could be stolen.”