Epic's Fortnite fail: Ancient UT2004 server used for login-stealing proof-of-concept

A tale of XSS, SQL injection and OAuth implementation

Crafty infosec bods exploited XSS vulns on dusty corners of Epic Games’ web infrastructure to steal Fortnite gamers’ login tokens and compromise their accounts – using a genuine Epic Games URL to phish their marks.

Infosec biz Check Point discovered the XSS vuln, which, when combined with a login redirect attack, had the potential to let a mischief-maker gain access to user accounts without having to trick targets into handing over usernames and passwords.

Check Point’s proof-of-concept even used a completely genuine *.epicgames.com URL as a phishing vector.

Researchers discovered that dusty corners of Epic’s web infrastructure were vulnerable to a combination of the XSS vuln and a SQL injection attack, allowing them to compromise Epic’s social media account single sign-on implementation.

They did all of this by exploiting an old Unreal Tournament 2004 server.

How?!

Epic’s online login process for Fortnite includes a URL string with the parameter “redirectedUrl”, bouncing the user around a couple of times before settling on account.epicgames.com. Check Point researchers found that they could successfully change that initial redirect URL to point to anything that included *.epicgames.com.

This was where the vulnerable UT2004 subdomain came in. The old stats site was vulnerable to a SQL injection attack, Check Point found, which allowed the miscreants to plant an XSS payload on the server.

Older readers will remember the classic Unreal Tournament line of PC-based first-person shoot-em-ups. For excellent reasons that include allowing upper-bracket millennials to relive their misspent youths, Epic – publisher of Unreal as well as Fortnite – kept some of the old UT2004 infrastructure online, including the multiplayer game stats server.

Unfortunately for Epic, Check Point discovered that the since-patched server (which is no longer publicly accessible) would execute certain SQL queries, though some locking-down had been done by Epic. Check Point planted its JavaScript XSS payload on ut2004stats.epicgames.com, having written it to include three encoded JSON keys: “redirectUrl”, “client_id” and “prodectName”.

XSS + JavaScript payload = bad news

Epic uses multiple SSO providers to let eager gamers log on with the social media account of their choice, including Facebook, PlayStation Network (PSN), Xbox Live, Nintendo and even Google+. The JavaScript payload “could then make a request to any SSO provider”, as Check Point said, though it only tested Facebook.

Epic’s implementation of SSO was provider-agnostic; any of the named vendors would respond to a valid token request. One of the parameters in that request is named “state”. By rewriting one of the keys in the state parameter to point at their compromised ut2004stats.epicgames.com server, Check Point’s researchers could capture the generated SSO token and send that to Epic’s (legitimate) server to finish the login authentication process.
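The two server-side weaknesses the article describes, the redirect check that accepted any URL containing *.epicgames.com and a “state” parameter whose keys the client could rewrite, are illustrated below in an added example that is not Epic’s or Check Point’s code. The allowed-host list, the session identifier and the signing key are assumptions for the example.

```python
# Added example, not Epic's or Check Point's code: a substring redirect check
# beside an exact-host allowlist, plus an opaque, session-bound OAuth "state".
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed allowlist of hosts the login flow may legitimately redirect to.
ALLOWED_REDIRECT_HOSTS = {"account.epicgames.com", "www.epicgames.com"}


def weak_redirect_ok(url: str) -> bool:
    """The pattern the article describes: any URL mentioning the domain passes,
    including arbitrary subdomains and URLs that merely embed the string."""
    return ".epicgames.com" in url


def hardened_redirect_ok(url: str) -> bool:
    """Exact-host allowlist: no wildcard subdomains, https only, no userinfo."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    return parts.hostname in ALLOWED_REDIRECT_HOSTS


# Per-deployment secret (constructed here; load from a secret store in practice).
STATE_KEY = secrets.token_bytes(32)


def make_state(session_id: str) -> str:
    """Opaque nonce bound to the caller's session by an HMAC tag, rather than
    a JSON blob of redirect keys that a payload could rewrite."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(STATE_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def verify_state(session_id: str, state: str) -> bool:
    """Recompute the tag server-side; a modified or cross-session state is rejected."""
    try:
        nonce, tag = state.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(STATE_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)
```

The hardened check rejects the stats subdomain outright, so a script hosted there could not be named as a redirect target even if the XSS on it were never fixed.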

“In response, Epic Games’ server generates a response with no input validation and redirects the user to ‘ut2004stats.epicgames.com’ with the XSS payload and the SSO token,” said Check Point in its writeup of the exploit.

From that point, it was straightforward to extract the token from the request and send it to an attacker-controlled server for later exploitation.

As reported at great length on other news websites, the implications of this are that user accounts could be stolen by socially engineering users to click on a *.epicgames.com URL that would have passed muster as a genuine Epic Games-controlled site. All the attacker would have to do is hope the user logged in using a set of OAuth SSO creds.

Given that Fortnite is very popular amongst kids, that kind of social engineering would probably not be difficult – pinging a URL around via Fortnite in-game text chat promising free game credits (V-Bucks) is one method Check Point suggested.

Once in control of a compromised account, attackers could then read a user’s registered data from the account settings page, impersonate the user, start video chats with other gamers, and so on.

Epic has patched the vulns, according to Check Point, which disclosed them to the game publisher before going public. ®
