Epic Games patched a bug that could have allowed hackers to break into millions of Fortnite accounts and steal virtual currency or resell virtual goods. The vulnerability is tied to an insecure Fortnite application program interface (API) used by players to log into their accounts using third-party credentials or tokens.

Researchers at Check Point, on Wednesday, said the vulnerability is tied to the way the single-sign-on (SSO) works between PlayStationNetwork, Xbox Live, Nintendo, Facebook and Google and the Epic Games server. An attacker could create a malicious link using a legitimate Epic Games sub-domain to trigger the attack.

Check Point notified Epic Games in November of the vulnerability. The company only acknowledged receipt of the bug notification and patched the vulnerability at the end of December, according to researchers.

The vulnerability, researchers wrote, “could have allowed a threat actor to take over the account of any game player, view their personal account information, purchase V-bucks, Fortnite’s virtual in-game currency and eavesdrop on and record players’ in-game chatter and background home conversations.”

The hack links two vulnerabilities. One is a cross-site scripting vulnerability found in an Epic Games sub-domain (ut2004stats.epicgames.com) used for a search bar for displaying game stats. From there, researchers were able to launch a second-stage attack – an OAuth Account take-over using the SSO related tokens.

“We took a closer look at the SSO and indeed found that Epic Games had written a generic SSO implementation to support several login providers,” wrote researchers. “It turns out that when a player logs in to his account by clicking on the ‘Sign In’ button, Epic Games generates a URL containing a ‘redirectedUrl’ parameter.”

Check Point redirected an unsuspecting user to the vulnerable subdomain (ut2004stats.epicgames.com) that contained a c ross-site scripting (XSS) payload, which steals the user’s authentication code.

“The JavaScript payload contains a crafted ‘state’ parameter. The ‘state’ parameter value contained a Base64 encoded JSON and the JSON contained three keys, ‘redirectUrl’, ‘client_id’ and ‘prodectName’. The ‘redirectedUrl’ parameter is used for redirection as the SSO login completes,” Check Point wrote.

The hack allows malicious actors to collect the SSO tokens of users who click on the specially crafted link and then opens access a victim’s Fortnite account.

Attractive Target

Fortnite, with an estimated 80 million users, is an attractive target for criminals. Check Point said a lucrative black market exists for criminals to sell Fornite virtual currency, accounts, player data and virtual items, outfits and weapons.

In an investigation launched by The Independent and published Tuesday, it revealed how criminals are using Fortnite to launder money through its in-game currency.

“Stolen credit card details are being used to purchase V-bucks – the virtual currency used to buy items in the game – from the official Fortnite store. By selling V-bucks at a discounted rate to players, the criminals are effectively able to “clean” the money,” wrote Anthony Cuthbertson, reporter with The Independent.

Fortnite’s security woes extend beyond that, including in August of last year, when Epic Games patched a critical man-in-the-disk (MiTD) flaw for the Android version of the wildly popular game.