A researcher has found a bug in EA’s Origin software which could allow malicious parties to gain access to users’ account data.
The bug, which EA has since fixed, was discovered by “Beard” (obviously not their real name), a security researcher. Speaking to ZDNet, Beard confirmed that they first found the bug on October 1st. When a user chooses to edit their account on EA.com from within the Origin client, the client generates an auto-login URL carrying the user’s active username and password, so the link by itself is enough to sign in.
Where things go wrong is how that auto-login link is used. Normally a login link of this kind is tied to something the intended user’s browser already holds, such as a session cookie, or at least to their IP address, so the link alone is not enough for anyone else to get in. Origin’s auto-login URL was bound to neither: it worked from any IP address and in any browser, which makes the URL itself a bearer credential that anyone who obtains it can use. Beard’s tweet announcing the discovery included a video of the bug in action.
Hey @EAHelp @EA can we get someone to contact us at [email protected]? Auto-Login URLs are a very bad idea. Video below showcasing this bug, and allowing it to auto sign into an account on a browser with no cache or history of ever having been to https://t.co/KvS2LlbXkv. pic.twitter.com/HGXoFUIvyI
— beard (@beardlyness) October 7, 2018
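As an added illustration (constructed for this article, not EA’s or Origin’s code), the snippet below contrasts the pattern described above, a link that logs in whoever presents it, with a version that only completes a login for the browser that started the flow, once, and within a short window. The class names, the hostname, the in-memory token store and the assumption that the initiating browser receives a binding secret as a cookie are all hypothetical.

```python
"""Auto-login links as bearer credentials: a weak design beside a bound one.

Constructed illustration for this article; it is not EA's or Origin's code.
The class names, the in-memory token store, the hostname and the way the
browser receives its binding secret are all assumptions made for the example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


class WeakAutoLogin:
    """The pattern in the article: the URL *is* the session. Whoever holds
    the link is logged in, from any browser and any IP address."""

    def __init__(self) -> None:
        self._tokens: dict[str, str] = {}  # token -> username

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = username
        return f"https://account.example.test/autologin?token={token}"

    def consume(self, url: str, browser_cookie: Optional[str] = None) -> Optional[str]:
        # The browser's cookie (or the lack of one) is never consulted:
        # presenting the link is taken as proof of identity.
        token = url.rsplit("token=", 1)[-1]
        return self._tokens.get(token)


@dataclass
class _Pending:
    username: str
    binder_hash: bytes   # SHA-256 of the secret held by the browser that started the flow
    expires_at: float


class BoundAutoLogin:
    """Hardened variant: the link completes a login only for the browser that
    began the flow, only once, and only within a short window (assumed 60 s)."""

    TTL_SECONDS = 60

    def __init__(self) -> None:
        self._pending: dict[str, _Pending] = {}

    @staticmethod
    def _digest(value: str) -> bytes:
        return hashlib.sha256(value.encode()).digest()

    def begin(self, username: str, now: float) -> tuple[str, str]:
        """Return (url, binder). The binder is handed to the initiating browser
        out of band (assumed here: an HttpOnly cookie) and never appears in the
        URL, so a leaked URL does not carry what is needed to use it."""
        token = secrets.token_urlsafe(32)
        binder = secrets.token_urlsafe(32)
        self._pending[token] = _Pending(username, self._digest(binder), now + self.TTL_SECONDS)
        return f"https://account.example.test/autologin?token={token}", binder

    def consume(self, url: str, browser_cookie: Optional[str], now: float) -> Optional[str]:
        token = url.rsplit("token=", 1)[-1]
        # Single use, and a failed attempt burns the link rather than leaving it live.
        pending = self._pending.pop(token, None)
        if pending is None:
            return None                            # unknown, already used, or replayed
        if now > pending.expires_at:
            return None                            # stale link
        if browser_cookie is None or not hmac.compare_digest(
            self._digest(browser_cookie), pending.binder_hash
        ):
            return None                            # opened in a browser that did not start the flow
        return pending.username


def demo() -> dict:
    """Replay the scenario from the video: a link generated for "victim" is
    opened in an attacker's clean browser that holds no cookie."""
    now = 1_700_000_000.0                         # constructed clock value
    weak, bound = WeakAutoLogin(), BoundAutoLogin()
    results = {}

    weak_url = weak.issue("victim")
    results["weak_from_attacker_browser"] = weak.consume(weak_url, browser_cookie=None)

    url_a, cookie_a = bound.begin("victim", now)
    results["bound_from_attacker_browser"] = bound.consume(url_a, None, now + 5)
    results["bound_victim_after_attacker_attempt"] = bound.consume(url_a, cookie_a, now + 6)

    url_b, cookie_b = bound.begin("victim", now)
    results["bound_from_victim_browser"] = bound.consume(url_b, cookie_b, now + 5)
    results["bound_replay_by_victim"] = bound.consume(url_b, cookie_b, now + 6)

    url_c, cookie_c = bound.begin("victim", now)
    results["bound_after_ttl"] = bound.consume(url_c, cookie_c, now + BoundAutoLogin.TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:40s} -> {outcome!r}")
```

Running the script shows the weak link signing the attacker in from a cookie-less browser, while the bound link refuses every attempt except the initiating browser’s first use inside the window. The example binds to a browser-held secret rather than to the IP address the article also mentions, because IP binding breaks for users behind shared NAT or on mobile connections whose address changes mid-session, and it does nothing against an attacker on the same network.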
Users who reach their EA account over untrusted networks such as cafe or hotel Wi‑Fi could be compromised if an attacker on that network were able to capture the link. Worse, because the link works from anywhere, any malware or bot that gets hold of it could, in principle, harvest EA account data at scale. Beard says an attacker using a stolen link could see a player’s real name, the last four digits of their credit card number, the final digits of their phone number, and more.
According to the ZDNet article, EA was made aware of the bug earlier this month and worked quickly on a fix, which EA says was rolled out earlier in November; EA also says it has seen no sign that any user’s data was accessed this way. Still, it is worrying that a weakness this basic went unnoticed for so long. Even with the fix in place, treat any auto-login link as you would a password: don’t share it, paste it into a chat, or leave it somewhere others can read it.
How do you feel about EA’s handling of the bug’s discovery? Will this affect you using Origin in the future? Let us know in the comments below!