EA ignored domain vulnerabilities for months despite warnings and breaches

The company has faced criticism for a massive breach earlier this month but still left multiple domains vulnerable to takeover.
Written by Jonathan Greig, Contributor

Gaming giant Electronic Arts is facing even more criticism from the cybersecurity industry after ignoring warnings from cybersecurity researchers in December 2020 that multiple vulnerabilities left the company severely exposed to hackers. 

Officials from Israeli cybersecurity firm Cyberpion approached EA late last year to report three classes of problems: domains that could be taken over, misconfigured (and possibly unknown to EA) internet-facing assets, and domains with misconfigured DNS records.

But even after sending EA a detailed document about the problems and a proof of concept, Cyberpion co-founder Ori Engelberg told ZDNet that EA did nothing to address the issues. 

Engelberg said EA responded with an acknowledgment of receiving the information on these vulnerabilities and said they would contact Cyberpion if they had any additional questions. But they never did. 

"We inspect the entire internet but as gamers, we are customers of EA. So many of our employees play FIFA and other games. We love EA so we wanted to contact them to help because their online presence is significant," Engelberg said. 

"What we found is the ability to take over assets of EA. It is more than just taking the assets of EA, it is about what can be done with these assets because we know EA. We know that if somebody can send emails from the domains of EA to us, the customers, or to suppliers of EA or to employees of EA, then that's the easiest door to the company. It isn't even a door. It is something simpler." 

He explained that, by using the stolen domains, malicious actors could send emails purporting to be from EA and ask people to send account information or other data. EA was already facing backlash last week after it was revealed that a "chain of vulnerabilities" could have allowed attackers to gain access to personal information and take control of accounts.

In recent weeks, Motherboard reported that the massive data breach EA suffered began with hackers abusing Slack to gain access to an account.

Hackers on forums boasted about stealing 780 GB of data from the company and gaining full access to FIFA 21 matchmaking servers, FIFA 22 API keys, and some software development kits for Microsoft Xbox and Sony. They also purport to have much more, including the source code and debugging tools for Frostbite, which powers EA's most popular games like Battlefield, FIFA, and Madden.

But before the breach through Slack, Engelberg and his team had repeatedly warned EA that at least six -- now more than 10 according to Engelberg -- vulnerabilities left multiple domains and other assets free for the taking. 

Domains like occo.ea.com were vulnerable to takeover, and the Cyberpion team found 15 EA sites -- like wwe-forums.ea.com, api.pogo.com, and api.alphe.pogo.com -- serving login pages over plain HTTP, so credentials submitted to them travel in cleartext.

stats.ea-europe.com serves a certificate issued for a different name, and its DNS record points to an IP address belonging to a non-EA site; easportsfootball.it and easoweb01.ea.com serve certificates that expired seven and nine years ago, respectively.

Cyberpion researchers discovered that the SOA record of ea-europe.com names, as the zone's primary authoritative name server, a host with a private IP address. A DNS server operating on that address can return whatever answer its operator chooses for ea-europe.com.

They also identified over 500 DNS misconfigurations across EA's domains.

Engelberg noted that he has seen dozens of examples of hackers taking over the domain of an organization and sending emails from that domain to suppliers as a way to spread an attack.  

"Suppliers are even more vulnerable than employees and customers because it is very common for them to get emails from people inside the customer organization that they don't know," Engelberg explained. 

"This is something that is very easy to abuse because somebody can take over an external infrastructure through which it is possible now to send emails, to issue a valid certificate, to operate a site that looks just like the login of EA. It is EA's certificate, it is EA's domain. It was also possible to send and read emails from the domains."

Engelberg said he simulated an attack for EA in December but the company never addressed the issue, allowing it to worsen as more assets became vulnerable to takeover. 

While Engelberg said he was not surprised EA got hacked through Slack earlier this month, he did sympathize with their plight, noting that the company's security team probably has hundreds of action items to handle. 

The issues caught by Cyberpion also involve EA's supply chain, making them more difficult to solve, Engelberg added. 

"In most cases, it is about being connected to some infrastructure which is not controlled by your organization. The basic thing that could be done is to cut the connection. Even before you understand who owns or created these," he said. 

"Just shut down the asset. You have an asset. It could be taken over, so shut it down. Delete all the DNS records and just make sure it is no longer active." 

Vulnerabilities like the ones found by Cyberpion are common across the internet and Engelberg explained that his team has found dozens of Fortune 500 companies with similar issues. 

Akamai's new report, Gaming in a Pandemic, suggests the gaming industry is a particularly heavy target: web application attacks against the video game industry grew by 340% in 2020, a higher rate than in any other sector during the COVID-19 pandemic.

"It is basically a matter of external attack surface management. In the end, enterprises do not know about their entire perimeter. They are distributedly managed. Somebody can create an asset and it will not be done via the IT or the security teams," Engelberg said. 

"Even assets that are known to the security team may have changes they don't know about. If the hackers can achieve what they want without penetrating the organization but by hacking a third, fourth, or fifth party that you are connected to, why not? You have no visibility over the attack and you will find your data in the dark web three years from now." 

K2 Cyber Security co-founder Jayant Shukla agreed with Cyberpion's take on the issues and said most of the vulnerabilities stem from failing to keep configurations up to date or to remove subdomains when they are no longer needed.

Shukla noted that while invalid certificates are a legitimate issue and will deter security-conscious users from visiting the site, they do not give attackers control over the domain. The issue of DNS records, however, is crucial for any company, Shukla told ZDNet.

"In the end, none of these vulnerabilities appeared to threaten customer-facing interactions but decommissioning unused subdomains and keeping certificates up to date will go a long way to ensuring network operations are secure," Shukla said. 

Shukla also questioned why EA released control over the occo.ea.com subdomain, speculating that it was not used often by EA. 

"The process of commissioning a subdomain is followed by everyone, but that does not happen when the subdomain is decommissioned. This is what the creators of the report seem to have exposed," Shukla added.

Cyberpion's system found that EA fixed seven of the critical issues in its assets within 48 hours of being reached for comment by ZDNet.

A spokesperson for EA later responded by saying Cyberpion approached them as a potential vendor. The spokesperson added that the cybersecurity company did not give them a full list of vulnerabilities and instead asked for a sales meeting "to show off their techniques."

EA also defended itself by saying that Cyberpion did not follow their product security vulnerability disclosure process.
