Video game developer Epic Games has—until now—enjoyed a squeaky-clean run with the online community. The developers are responsible for the Unreal Engine, a popular video game engine, and video games such as Fortnite and Paragon. Actually, I’d say the biggest controversy until late last year was Epic shutting down the Paragon servers. Epic Games were doing well for themselves reputation-wise, but all good things must come to an end. This end came in the form of their launcher, which, while hosting a myriad of issues, seemed to have a major security flaw that allowed easy access to players’ accounts.
While security never was Epic’s strong point, the surge of popularity of Fortnite led to millions of accounts being created, therefore putting millions of people at risk of being hacked. But while many were setting up a war against Epic for this security vulnerability, not many knew what the vulnerability was. So, let’s take a look at what went wrong on Epic’s side.
(P.S. Epic Games upgraded their security these past few months, adding much-needed security features like two-factor authentication and upgraded password strength detection.)
A Flaw of Character
At the beginning of this year, cybersecurity company Check Point reported a severe flaw in Epic’s login system; a flaw that you definitely don’t see every day.
Epic Games were hosting a site on their domain that could be manipulated to capture a user’s authentication token, the “object” that allows you to log in to your account. If a hacker has access to an authentication token unique to your account, they no longer have to log in; they can simply get into the account with just the token.
From here, a hacker would have free rein with your account. This unique form of hacking also meant that a mere password change with a random password generator wasn’t as useful as it usually is, since the hacker could simply grab another authentication token the next time you logged in.
How Hackers Could Exploit the Flaw
Have you ever gone through a YouTube comment section and noticed that some comments were posing as the creator of the video, linking a random website promising “free gifts for their fans”? And if you end up clicking on the link, you get, like, 10 viruses? That’s how this flaw worked.
Fortnite is popular amongst all age demographics, but the fact that the game is cartoony and free has garnered it a sizable audience of younger players, AKA 13 and under. Being so young and naïve, this demographic is susceptible to online scams, especially when the scam in question is offering free in-game currency for the game they spend hours on.
So, a hacker would post a link with a message promising free in-game currency or costumes (skins), the victim would click on the link and log in, and then the hacker would intercept the authentication token. It’s as simple as that.
Steps to Fix It
Epic quickly removed the subdomains from their host domain and started watching security with a vigilant eye. Furthermore, this incident—and the controversy that followed it—probably incited the security upgrades that Epic installed later in the year.
However, Epic’s security incidents have stained the company’s reputation, especially when it comes to their video game launcher. While the company has been avoiding security issues for a while, some people have sworn off the company forever due to the incident. To me, that’s a bit extreme, but hey, security is security.
Perhaps the bigger “security” issue that Epic Games suffers from is their apparent links to China-based corporation Tencent. However, that’s a story for another day. For now, let’s be thankful that Epic Games finally installed two-factor authentication into their login system, even though that’s a feature that should be in every login system by now. For even better security, anyone and everyone by now should be using an Android VPN when gaming on their mobile.
Well, were it not for the series of security attacks, gamers wouldn’t be as aware of online threats targeting their favorite games and the need to beef up their overall cyber defenses. There’s always a silver lining; we’ve just got to focus on the positives.