A bug in EA Origin client exposes gamers' data

Auto-login URL feature was not IP-bound and allowed anyone access to accounts' settings panels.

A bug in EA's Origin online gaming and digital distribution platform allows a malicious party to gain access to account data, a security researcher has discovered.

"I originally discovered the bug on October 1," a security researcher known online as Beard told ZDNet in an interview last week.

"The bug occurs when you use the EA Origin client but request to edit your account on EA.com," he said. "The EA Origin client will spit out an auto-login URL, in which the token is basically the equivalent of your active username and password."

Such auto-login URLs are very common and used by many desktop and web-based applications. But in most cases, the auto-login URLs are tied to the user's IP address or cookie files already registered in the user's name, meaning they can't be used by anyone except the user.
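As an added example (not from the article and not EA's code), this sketch shows the binding described above: the token's HMAC covers the requesting IP address and session cookie value, and the link is short-lived and single-use. The function names, the 60-second lifetime and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret key
TOKEN_TTL = 60                        # assumption: link lifetime in seconds
_used_nonces = set()                  # in-memory single-use store (demo only)


def _mac(user, client_ip, session_id, expires, nonce):
    # The MAC covers the client context, so the token is useless elsewhere.
    msg = "\x00".join([user, client_ip, session_id, str(expires), nonce])
    return hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()


def issue_token(user, client_ip, session_id, now=None):
    """Return an auto-login token bound to the requesting client's context."""
    now = time.time() if now is None else now
    expires = int(now) + TOKEN_TTL
    nonce = secrets.token_hex(16)
    mac = _mac(user, client_ip, session_id, expires, nonce)
    return f"{user}.{expires}.{nonce}.{mac}"


def redeem_token(token, client_ip, session_id, now=None):
    """Return the user name if the token is valid for this client, else None."""
    now = time.time() if now is None else now
    try:
        user, expires, nonce, mac = token.rsplit(".", 3)
        expires = int(expires)
    except ValueError:
        return None  # malformed token
    expected = _mac(user, client_ip, session_id, expires, nonce)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None  # different IP, different session cookie, or tampered
    if now > expires or nonce in _used_nonces:
        return None  # expired, or already redeemed once (replay)
    _used_nonces.add(nonce)
    return user


if __name__ == "__main__":
    # Constructed sample values (documentation IP ranges).
    t = issue_token("player1", "203.0.113.10", "sess-abc")
    print("other network:", redeem_token(t, "198.51.100.7", "sess-abc"))
    print("same client:  ", redeem_token(t, "203.0.113.10", "sess-abc"))
    print("replay:       ", redeem_token(t, "203.0.113.10", "sess-abc"))
```

A token copied off the wire fails the MAC check from any other address or browser session, and fails the nonce check once the legitimate client has redeemed it.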

But this was not the case with the EA Origin auto-login URL. Beard told ZDNet that this auto-login URL worked regardless of IP address or browser. The researcher shared a video of the bug in action with ZDNet last month, and also uploaded it on Twitter.

"If you're on an unsecured network or WiFi hotspot; like at a cafe or hotel, someone can easily grab these token auto-login URLs and basically log in as the end user who requested these token links," Beard said.

Furthermore, these auto-login URLs could also be collected by IoT malware/botnets that have infected home routers, allowing criminals to automate the mass-harvesting of EA account data.

The researcher says an attacker could use the auto-login URL to collect information from the user's EA settings panel, such as a player's real name, the last four digits of his credit card, the last digits of his phone number, order history, and more.

Some of this information may prove useless for online fraud, but if crooks manage to guess a user's security question, they could also hijack the EA account entirely, and use any stored payment methods to purchase games for the new account owner.

But Beard also warns that the vulnerability would be a treasure trove for attackers attending gaming conventions or competitions, where people are most likely to use unsecured WiFi networks and use the EA Origin client and its auto-login feature.

In the highly competitive world of online gaming, this vulnerability could lead to doxxing or the hijacking of accounts belonging to famous players or streamers.

"EA has been informed, and have stated they're working on an upcoming patch to fix this bug," Beard told ZDNet. An EA spokesperson confirmed that fixes were rolled out earlier this month and that the company had not seen evidence of any unauthorised users having accessed subscribers' data.

Article updated on November 20 with confirmation from EA that the issue had been fixed.
