'Our team's research relied on a sophisticated and sinister method, that did not require the user to hand over any login details whatsoever. However, once clicked, the authentication token could be grabbed without users even signing in with their credentials. Malicious links could be crafted that appeared safe since the URLs seemed to come from Epic Games' domains. This oversight opened up the opportunity for phishing attacks. It started with Check Point finding two Epic subdomains that allowed redirects.
