Epic's Fortnite fail: Ancient UT2004 server used for login-stealing proof-of-concept

A tale of XSS, SQL injection and OAuth implementation


Crafty infosec bods exploited XSS vulns on dusty corners of Epic Games’ web infrastructure to steal Fortnite gamers’ login tokens and compromise their accounts – using a genuine Epic Games URL to phish their marks.

Infosec biz Check Point discovered the XSS vuln, which, when combined with a login redirect attack, had the potential to let a mischief-maker gain access to user accounts without having to trick targets into handing over usernames and passwords.

Check Point’s proof-of-concept even used a completely genuine *.epicgames.com URL as a phishing vector.

Researchers discovered that dusty corners of Epic’s web infrastructure were vulnerable to a combination of the XSS vuln and a SQL injection attack, allowing them to compromise Epic’s social media account single sign-on implementation.

They did all of this by exploiting an old Unreal Tournament 2004 server.

How?!

Epic’s online login process for Fortnite includes a URL string with the parameter “redirectedUrl”, bouncing the user around a couple of times before settling on account.epicgames.com. Check Point researchers found that they could successfully change that initial redirect URL to point to anything that included *.epicgames.com.

This was where the vulnerable UT2004 subdomain came in. The old stats site was vulnerable to a SQL injection attack, Check Point found, which allowed the miscreants to plant an XSS payload on the server.

Older readers will remember the classic Unreal Tournament line of PC-based first-person shoot-em-ups. For excellent reasons that include allowing upper-bracket millennials to relive their misspent youths, Epic – publisher of Unreal as well as Fortnite – kept some of the old UT2004 infrastructure online, including the multiplayer game stats server.

Unfortunately for Epic, Check Point discovered that the since-patched server (which is no longer publicly accessible) would execute certain SQL queries, though some locking-down had been done by Epic. Check Point planted its JavaScript XSS payload on ut2004stats.epicgames.com, having written it to include three encoded JSON keys: “redirectUrl”, “client_id” and “prodectName”.

XSS + JavaScript payload = bad news

Epic uses multiple SSO providers to let eager gamers log on with the social media account of their choice, including Facebook, PlayStation Network/PSN, Xbox Live, Nintendo and even Google+. The JavaScript payload “could then make a request to any SSO provider”, as Check Point said, though it only tested Facebook.

Epic’s implementation of SSO was provider-agnostic; any of the named vendors would respond to a valid token request. One of the parameters in that request is named “state”. By rewriting one of the keys in the state parameter to point at their compromised ut2004stats.epicgames.com server, Check Point’s researchers could capture the generated SSO token and send that to Epic’s (legitimate) server to finish the login authentication process.

“In response, Epic Games’ server generates a response with no input validation and redirects the user to ‘ut2004stats.epicgames.com’ with the XSS payload and the SSO token,” said Check Point in its writeup of the exploit.

From that point, it was straightforward to extract the token from the request and send it to an attacker-controlled server for later exploitation.
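The two design weaknesses the chain above relies on are a redirect check that accepts any host under the parent domain and an OAuth “state” value that carries a rewritable redirect URL. The following example, added here and not code from Epic or Check Point, contrasts that loose check with an exact-host allowlist and keeps “state” as an opaque server-side nonce; the hostnames are constructed placeholders, not Epic’s.

```python
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed placeholder names; only the exact login host may receive tokens.
PARENT_DOMAIN = "example.test"
ALLOWED_REDIRECT_HOSTS = {"accounts.example.test"}


def loose_redirect_ok(url: str) -> bool:
    """Weak pattern from the write-up: any host under the parent domain passes,
    so a forgotten subdomain carrying a stored XSS payload is accepted too."""
    host = (urlsplit(url).hostname or "").lower()
    return host == PARENT_DOMAIN or host.endswith("." + PARENT_DOMAIN)


def strict_redirect_ok(url: str) -> bool:
    """Hardened check: https only, no userinfo tricks, exact host allowlist."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    return (parts.hostname or "").lower() in ALLOWED_REDIRECT_HOSTS


# Server-side map from opaque state nonce to the redirect chosen at login start.
_pending_states: Dict[str, str] = {}


def begin_login(redirect_url: str) -> str:
    """Issue an unguessable state; the redirect target lives server-side,
    never inside the state value the browser could rewrite."""
    if not strict_redirect_ok(redirect_url):
        raise ValueError("redirect target not on allowlist")
    state = secrets.token_urlsafe(32)
    _pending_states[state] = redirect_url
    return state


def finish_login(state: str) -> Optional[str]:
    """Consume the state exactly once; unknown or replayed states get nothing."""
    return _pending_states.pop(state, None)
```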

As reported at great length on other news websites, the implications of this are that user accounts could be stolen by socially engineering users to click on a *.epicgames.com URL that would have passed muster as a genuine Epic Games-controlled site. All the attacker would have to do is hope the user logged in using a set of OAuth SSO creds.

Given that Fortnite is very popular amongst kids, that kind of social engineering would probably not be difficult – pinging a URL around via Fortnite in-game text chat promising free game credits (V-Bucks) is one method Check Point suggested.

Once in control of a compromised account, attackers could then read a user’s registered data from the account settings page, impersonate the user, start video chats with other gamers, and so on.

Epic has patched the vulns, according to Check Point, which disclosed them to the game publisher before going public. ®
