Cybersecurity researchers have discovered a major security flaw in the popular online video game Fortnite that may have let hackers gain access to player accounts and use their stored credit card information to buy digital goods and then resell them.
Security firm Check Point Software, which announced its discovery of the vulnerability on Wednesday, said it had notified Fortnite’s developer, Epic Games, in November. Epic Games appears to have fixed the flaw in late December, said Oded Vanunu, Check Point’s head of products and vulnerability research.
Epic Games declined to comment on whether any user counts were compromised because of the security flaw. The company is based in North Carolina, where state laws require “businesses and state and local government to notify people when there is a security breach involving their personal identifying information.” The state’s laws define a security breach as the “unauthorized release of unencrypted or unredacted records or data containing personal information with corresponding names, such as a person’s first initial and last name.”
“We were made aware of the vulnerabilities and they were soon addressed,” an Epic Games spokesperson said in a statement. “We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”
Check Point decided to probe Fortnite’s web infrastructure because of the game’s massive popularity and stories involving hackers allegedly circumventing Fortnite’s security methods, said Vanunu. In December, for instance, the BBC talked to roughly 20 hackers who claimed to have stolen the accounts of real-life Fortnite users in order to resell the accounts to others.
The Fortnite security flaw involves people accessing their Fortnite accounts using their login information for other services like Facebook, Sony’s PlayStation Network, and Microsoft’s Xbox Live. Although Check Point’s research highlighted Facebook, the company said the process likely applies to other companies that offer the so-called single sign-on feature.
When people use their Facebook accounts to log into Fortnite, their computers receive a security token that enables them to access their Fortnite account page after being redirected via a website link. However, the Check Point researchers noticed that they could tamper with that website link so that instead of pointing people to their account pages, people would be redirected to older Epic Games websites, or subdomains, that contained player statistics from other video games and online tournaments.
Data Sheet, Fortune’s technology newsletter.
These older Epic Games sites also contained a security flaw that when exploited, could allow hackers to retrieve people’s security tokens that they received when they used Facebook to log into Fortnite. Hackers could then use the security tokens to access people’s accounts.
Check Point researchers said they could launch a phishing attempt—a fake message that looked like it came from Epic Games—that would trick people into clicking on the tampered link.
Vanunu explained that cybersecurity vulnerabilities like the one Check Point highlighted are becoming increasingly common as apps become more complex. Many modern apps, built on multiple software services and databases, can be connected to older company websites or IT infrastructure that may contain security flaws. The challenge for companies is ensuring that their newer apps don’t contain inadvertent connections to these older and forgotten websites, a challenge as apps continue to become more complex and interconnected with other corporate IT infrastructure.
“This is why we see so man big leaks of millions of records,” Vanunu said.