EA fixes cloud flaw that could have left user accounts at risk

Tech security companies said a "chain of vulnerabilities", now fixed, could have left accounts vulnerable to attack.
Written by Danny Palmer, Senior Writer

Vulnerabilities, now fixed, in an online gaming service used by tens of millions of people to play some of the most popular video games around could have allowed attackers to gain access to personal information and take control of accounts.

The Electronic Arts (EA) Origin platform is home to a number of high-profile games developed by the company, including Apex Legends, Battlefield, FIFA, Madden, and more. Origin is where players buy and manage their games, as well as providing a portal where users can manage personal information and payment details for the account. 

But researchers from Israeli cybersecurity companies Check Point and CyberInt found it was possible for attackers to access the system through a "chain of vulnerabilities" which exploit EA Games' use of authentication tokens in conjunction with the oAuth Single Sign-On (SSO) and trust authentication mechanism that is built into the login process. 

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

The security company said the vulnerability EA closed could have allowed a threat actor to hijack a player's session, resulting in account compromise and takeover. Check Point said the flaw could have allowed an attacker to gain access to a user's credit card information with the ability to fraudulently purchase in-game currency on behalf of the user.

The vulnerabilities found in EA's platform similarly did not require the user to hand over any login details whatsoever.    

"What we saw was a gap in a misconfigured cloud environment. So what we added was a subdomain which had officially been terminated by EA, but in the application level, the subdomain level was still there," Oded Vanunu, head of products vulnerability research for Check Point, told ZDNet.

"We could open an instance on Azure and call it the same name and the application still calls the domain. There was still Javascript from these domains all over which we identified and we used them to manipulate the threat," he added.

Once this domain was set up, researchers examined Origin's single sign-on mechanism and found it exchanged the user's login credentials with a unique key that authenticates it to the EA network without needing to re-enter the details.

By combining this with the way EA had implemented the trust mechanism, researchers found it was possible to redirect users to login via the hijacked subdomain. This could be achieved with a phishing attack, whereby a malicious attacker could use Origin's own communications platform or another chat application to trick the user into clicking the link.

By doing this, the attacker could directly access the account with the ability to access all the personal data in there – that can include a real name, date of birth and access to payment information. The account itself could even be put up for sale – and the original user locked out.

"Gaming goods are traded in official and unofficial marketplaces in the darknet, which makes attacks against gaming studios very lucrative," said Itay Yanovski, co-founder and SVP of strategy at CyberInt Technologies.

Check Point and CyberInt disclosed the vulnerability to EA and the company has deployed an update to fix the issue in order to protect users from attacks before it could be exploited.

"As a result of the report from CyberInt and Check Point, we engaged our product security response process to remediate the reported issues,"  said Adrian Stone, senior director for game and platform security at Electronic Arts.

SEE: 10 tips for new cybersecurity pros (free PDF)

To help protect accounts from takeover, it's recommended that users enable two-factor authentication and to be careful of unsolicited messages asking you to click a link.

The technical analysis of the vulnerability also recommends that organisations that operate customer-facing online portals – especially those in the cloud – are continually reassessed for vulnerabilities and hygiene, as attackers will repeatedly try to find new means of breaching the perimeter.

"With all their transparency and ease of use, there's still some huge gaps in controlling your entire application or infrastructure on cloud servers," said Vanunu.

"This attack vector will dominate in the coming years – because this is the gate for cybercriminals to enter to manipulate APIs, to take accounts and to continue lateral movement," he added.


Editorial standards