Check Point Research said it was able to exploit a flaw on the login page of Fortnite maker Epic Games’ website, which enabled it to steal the security access tokens used to identify and log in users. This enabled hackers to gain access to an account without requiring a password. Epic Games confirmed Check Point had alerted it to the flaw and that it had been fixed.
Check Point said all that was required for the attack to be successful was for a victim to click on a malicious link sent to them by hackers.
“To increase the likelihood of a potential victim clicking on this link, for example, it could be sent with an enticement promising free game credits,” Check Point said.
“Once clicked, with no need even for the user to enter any login credentials, their Fortnite authentication token would immediately be captured by the attacker.”
The firm said attackers could view any data stored on an account as well as buy in-game currency at the user’s expense.
In a statement, the company said: “We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention.
“As always, we encourage players to protect their accounts by not reusing passwords and using strong passwords, and not sharing account information with others.”
Fortnite is one of biggest games in the world, having reached 200 million registered players worldwide, and is hugely popular among younger gamers because it is free to play and available across a wide spectrum of mobile devices and games consoles.
High-profile fans of the game include rapper Drake and England footballer Dele Alli.