With nearly nearly 80 million players worldwide, it’s safe to say that Fortnite is a highly popular game. It was recently confirmed this week that the game had one particular flaw – a security vulnerability that cybercriminals could have exploited.

The flaw was found by researchers at Check Point Software Technologies Ltd. If exploited, the vulnerability would have given an attacker full access to a user’s account and their personal information as well as enabling them to purchase virtual in-game currency using the victim’s payment card details.

That’s not where the damage could have stopped. Rather, the vulnerability would also have allowed for a massive invasion of privacy as an attacker could listen to in-game chatter as well as surrounding sounds and conversations within the victim’s home or other location of play.

Check Point’s researchers outlined the process in which an attacker could have potentially gained access to a user’s account through vulnerabilities discovered in Fortnite’s user login process. Due to three vulnerability flaws found in Epic Games’ web infrastructure, they were able to demonstrate the token-based authentication process used in conjunction with Single Sign-On (SSO) systems such as Facebook, Google and Xbox to steal the user’s access credentials and take over their account.

To fall victim to this attack, a player would have had to click on a crafted phishing link coming from an Epic Games domain, to make everything seem transparent, though sent by the attacker. Once clicked, the user’s Fortnite authentication token could be captured by the attacker without the user entering any login credentials. According to Check Point’s researchers, the potential vulnerability originated from flaws found in two of Epic Games’ sub-domains that were susceptible to a malicious redirect, allowing users’ legitimate authentication tokens to be intercepted by a hacker from the compromised sub-domain.

Admittedly, one could argue that there is a far cry from a vulnerability and an actual attack. However, it’s not infeasible that the vulnerability would have been exploited at some point had it not been discovered, as the game’s high popularity makes it a large target.

Indeed, Fortnite players have previously been targeted by scams that deceived them into logging into fake websites that promised to generate Fortnite’s ‘V-Buck’ in-game currency. However, the new vulnerabilities could have been more insidious and far reaching, as they could have been exploited without relying on players’ login details having been compromised.

The good news is that vulnerabilities have since been patched, as Check Point has informed Epic Games of the flaws.

 “Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy,” said Oded Vanunu, head of products vulnerability research for Check Point. “Together with the vulnerabilities we recently found in the platforms used by drone manufacturer DJI, show how susceptible cloud applications are to attacks and breaches.  These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability,” he concluded.