A bug in EA Origin client exposes gamers' data


A bug in EA's Origin online gaming and digital distribution platform allows a malicious party to gain access to account data, a security researcher has discovered.
Security
"I originally discovered the bug on October 1," a security researcher known online as Beard told ZDNet in an interview last week.
"The bug occurs when you use the EA Origin client but request to edit your account on EA.com," he said. "The EA Origin client will spit out an auto-login URL, in which the token is basically the equivalent of your active username and password."
Such auto-login URLs are very common and used by many desktop and web-based applications. But in most cases, the auto-login URLs are tied to the user's IP address or cookie files already registered in the user's name, meaning they can't be used by anyone except the user.
ZDNet: Black Friday 2018 deals: Business Bargain Hunter's top picks | Cyber Monday 2018 deals: Business Bargain Hunter's top picks
But this was not the case with the EA Origin auto-login URL. Beard told ZDNet that this auto-login URL worked regardless of IP address or browser. The researcher shared a video of the bug in action with ZDNet last month, and also uploaded it on Twitter:
"If you're on an unsecured network or WiFi hotspot; like at a cafe or hotel, someone can easily grab these token auto-login URLs and basically log in as the end user who requested these token links," Beard said.
Furthermore, these auto-login URLs could also be collected by IoT malware/botnets that have infected home routers, allowing criminals to automate the mass-harvesting of EA account data.
The researcher says an attacker could use the auto-login URL to collect information from the user's EA settings panel, such as a player's real name, the last four digits of his credit card, the last digits of his phone number, order history, and more.
Some of this information may prove useless for online fraud, but if crooks manage to guess a user's security question, they could also hijack the EA account entirely, and use any stored payment methods to purchase games for the new account owner.
But Beard also warns that the vulnerability would be a treasure trove for attackers attending gaming conventions or competitions, where people are most likely to use unsecured WiFi networks and use the EA Origin client and its auto-login feature.
In the highly competitive world of online gaming, this vulnerability could lead to doxxing or the hijacking of accounts belonging to famous players or streamers.
"EA has been informed, and have stated they're working on an upcoming patch to fix this bug," Beard told ZDNet. An EA spokesperson confirmed that fixes were rolled out earlier this month and that the company had not seen evidence of any unauthorised users having accessed subscriber's data.
Article updated on November 20 with confirmation from EA that the issue had been fixed.
Simple steps to erase your digital footprint
More security news:
- EA's Project Atlas wants your gaming to run on cloud computing and AI CNET
- Steam bug could have given you access to all the CD keys of any game
- Website geoblocking is not that widespread, study finds
- Popular Dark Web hosting provider got hacked, 6,500 sites down
- AWS rolls out new security feature to prevent accidental S3 data leaks
- Most ATMs can be hacked in under 20 minutes
- Google to pay JavaScript frameworks to implement performance-first code
- Companies change their Terms of Service to limit liability against hacks TechRepublic
Best Black Friday 2018 deals:
- Amazon Seven Days of Black Friday Deals: All-time lows on office devices
- Amazon Black Friday 2018 deals: See early sales on Echo, Fire HD
- Best Buy Black Friday 2018 deals: Deep discounts on Apple Mac, Microsoft Surface
- Target Black Friday 2018 deals: $250 iPad mini 4, $120 Chromebook
- Walmart Black Friday 2018 deals: $99 Chromebook, $89 Windows 2-in-1
- Dell Black Friday 2018 deals: $120 Inspiron laptop, $500 gaming desktop
- Newegg Black Friday 2018 deals: $50 off Moto G6, $70 off Nest thermostat
- Office Depot Black Friday 2018 deals: $300 off Lenovo Flex, $129 HP Chromebook
- eBay Black Friday 2018 deals: See early sales on Galaxy Watch, Chromecast
- Lenovo Black Friday 2018 deals: ThinkPad laptops and more
- Microsoft Store Black Friday 2018 deals: Ad showcases Surface, laptop deals
- Windows laptops Black Friday deals: Dell, HP, Lenovo
- Chromebook Black Friday 2018 deals: Dell, Google, HP
- Best tablet Black Friday deals: Apple iPad, Amazon Fire
- Black Friday 2018 iPhone deals: $400 iPhone X gift card, BOGO iPhone XR
- Black Friday 2018 smartphone deals: OnePlus 6T, LG G7