Checkpoint Research Details Flaw in Fortnite SSO

The Checkpoint blog reveals a great breakdown of a flaw in the SSO infrastructure used by the game Fortnite. SSO and other federated authentication platforms can be a double-edged sword. Developing any authentication system is very hard, web-based authentication especially so. You have competing requirements for interoperability and security with little control over the software extensions a user may elect to use or install on top of their browser. Using an authentication mechanism can offload much of this complexity to widely used services provided by companies who have a great deal more resources to throw at the problem.

What I feel this highlights is that there is a false sense of security in utilizing SSO mechanisms to authenticate users. It’s true that Google and Facebook are able to spend more time and energy securing their authentication platform than a smaller company, but the basics of authentication are still in play. The tokens provided by these services are as sensitive as a password, the only difference is that they expire more quickly. There is still important work needed to secure the infrastructure that consumes them. Supporting two-factor authentication from within your application can improve this, but presents its own challenges and costs. My takeaway is that security is hard, and good choices can still have unforeseen consequences. Layered approaches to securing your users – from the endpoint to the edge and out to their mobile devices – provide multiple opportunities to catch these types of attacks, but at the end of the day, user education is far and away the most effective avenue. An endpoint agent may be able to catch a click on a malicious link, and a firewall or an IPS may be able to identify malicious javascript, but a user who knows that unexpected links from unknown sources may be unsafe will be protected even on devices you don’t control.

Stephen Crim