I hacked Fortnite! Actually it was a vulnerable cookie found on several domains owned by Epic Games that allowed me to hijack traffic of users of their websites, steal session tokens and of course, BeEF hook em'. I will describe my journey from creating a custom cookie fuzzing tool (Anomalous Cookie) to help identify vulnerable cookies, to creating a framework for 'Cookie Baking'. Cookie Baking is the technique of creating or modifying a cookie in a users' local Cookie Jar (this includes stuffing with malicious payloads, affiliate tags, fuzz-strings and more). I will also provide insight into the Bug Bounty process, how Google responded to my request for them to protect local cookies at rest, and how I created WHID-Injected Cookies! ;)

Jimi2x has 25+ years of experience in InfoSec (Blue+Red+Purple Teaming/Security Research) and also involved in the video game industry in the 80s where much hacking took place including fuzzing, bug discovery and finding hidden codes to many popular games. Jimi2x currently works for Coalfire Labs where he spends his time as a Senior Consultant.

Recorded at NolaCon 2019