Invasion of privacy risk to children playing Fortnite
| Scammers use multiplayer Battle Royale-style game to trick young players into exposing parents’ bank details.
Children playing Fortnite were exposed to a potential “massive invasion of privacy” thanks to an oversight in the game’s security, researchers have revealed.
The popular shooting game enjoyed by more than 80 million people around the world left users vulnerable to a flaw that if exploited, allowed hackers to steal virtual currency and read private conversations online. The bug was fixed in mid-December, according to researchers who shared their findings with Fortnite’s developer, Epic Games.
To take control, the researchers sent a message to their victim over social media including a malicious link. Once clicked, the user’s Fortnite authentication token – code that confirms a user is logged in – could be captured by the attacker without the user entering their username or password.
Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy,
said Oded Vanunu, head of products vulnerability research for Check Point, who found they were able to access target accounts.
It comes as the police’s fraud arm warned that scammers are using the multiplayer Battle Royale-style game to trick young players into handing over their parents’ bank details. Criminals are increasingly targeting children on Facebook, Instagram and YouTube with adverts claiming to offer free “V-bucks”, a currency used to buy extras like character outfits.
After clicking the link, victims can be asked questions about their account, which the perpetrator uses to log in, and steal credit or debit card details that are stored there.
Fortnite fever has gripped the nation since it launched in July 2017, with parents growing concerned that their children have become “addicted” to the multiplayer title.
Users could protect themselves in future using by turning on two-factor authentication which prompts the player to enter a security code sent to their email address upon logging in.
Source: The Telegraph