EA Origin is one of many platforms for distributing games, carrying titles such as the Dragon Age series, The Sims, and Battlefield. Its large user base also makes it an attractive target. EA has patched the issue, but the flaw left as many as 300 million user accounts exposed to hijacking. Rather than harvesting usernames and passwords, the exploit would have let attackers break into accounts with stolen Single Sign-On tokens. These access tokens function much like passwords: the player signs in once, and the generated token is what grants access to the account from then on, so whoever holds the token holds the account. This isn't the first instance of such a vulnerability; Check Point found a similar issue in Fortnite earlier this year.
Instead of phishing for credentials, attackers increasingly go after these access tokens. There is no need to trick the victim into typing anything on a fake login page: a small amount of malicious code on a page the victim visits is enough to capture the token and squirrel it away for later use by whoever planted it. Bugcrowd founder and CTO Casey Ellis commented on the situation:
The good news is that this is a vulnerability, not the confirmation of a breach. EA was alerted to the critical vulnerability before it could be exploited by malicious actors.
Gaming companies, like EA, have a tendency to grow rapidly once their games get traction in the market, and speed to market is the natural enemy of security. Security efforts just can't keep up, or often aren't even considered in the software development lifecycle.
This is an interesting vulnerability chain, taking advantage of issues that we see frequently in the Bugcrowd program: authentication implementation problems, specifically around SAML, and squatted/orphaned domains. This news just goes to show that engaging with the whitehat hacker community to perform attack surface discovery, and maintaining that feedback loop on an ongoing basis, is the only way to identify these types of issues as they are inevitably introduced into the wild.
Researchers at CyberInt and Check Point took over the inactive EA subdomain eaplayinvite.ea.com, whose DNS entry still pointed at a Microsoft Azure service that nobody was using, by registering that service themselves. That turned a genuine ea.com address into a phishing trap: a player is far more likely to trust a link on an EA domain than one on an unfamiliar site. Because EA's single sign-on treated the subdomain as one of its own, code the researchers placed on the page could capture the access tokens issued for EA's servers and send them to the researchers instead. Having shown that the account takeover worked, CyberInt and Check Point reported the flaw to EA in mid-February; EA says it fixed the issue within three weeks.
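The two ingredients of that chain, an orphaned DNS record pointing at a cloud host anyone can register, and a sign-on flow that hands tokens to any host under the parent domain, can both be checked for mechanically. The Python below is an added example written for this article, not code from EA, Check Point or CyberInt, and it does not reproduce EA's actual configuration: the zone records, the set of claimed cloud hostnames (standing in for a live DNS lookup that returns NXDOMAIN for the target), the `example.com` parent domain and the registered redirect URI are all constructed, and the `eaplayinvite` hostname is only modelled on the story. It finds CNAMEs whose target sits on a takeover-prone cloud suffix and is unclaimed, then shows that a wildcard redirect policy would still hand a token to such a host while an exact-match allowlist refuses it.

```python
"""Dangling-CNAME finder plus a weak-vs-hardened SSO redirect check.

Added example, not code from the original article or from EA, Check Point
or CyberInt. All records, hostnames and URIs below are constructed.
"""
from urllib.parse import urlparse

# Cloud suffixes where an unclaimed CNAME target can be registered by anyone.
# Illustrative subset; the Azure entries are the relevant case for this story.
TAKEOVER_PRONE_SUFFIXES = (
    ".cloudapp.net",
    ".azurewebsites.net",
    ".trafficmanager.net",
    ".s3.amazonaws.com",
)

# Constructed zone snapshot: (name, record type, target).
SAMPLE_ZONE = [
    ("www.example.com.", "A", "203.0.113.10"),
    ("shop.example.com.", "CNAME", "shop-prod.azurewebsites.net."),
    # Hypothetical orphaned invite host, modelled on the story; not EA's record.
    ("eaplayinvite.example.com.", "CNAME", "ea-invite-reg.cloudapp.net."),
    ("old-blog.example.com.", "CNAME", "blog-host.example.org."),
]

# Constructed stand-in for "does this cloud hostname currently resolve /
# belong to someone?". In a real scan this is a DNS lookup of the target;
# NXDOMAIN means the name is free for an attacker to claim.
CLAIMED_CLOUD_HOSTS = {"shop-prod.azurewebsites.net."}


def find_dangling_cnames(zone, claimed):
    """Return (name, target) for CNAMEs whose target is on a takeover-prone
    service and is not claimed by anyone."""
    claimed_lc = {c.lower() for c in claimed}
    dangling = []
    for name, rtype, target in zone:
        if rtype != "CNAME":
            continue
        tgt = target.lower().rstrip(".")
        if not any(tgt.endswith(suffix) for suffix in TAKEOVER_PRONE_SUFFIXES):
            continue  # self-hosted or non-cloud target: not this failure class
        if target.lower() not in claimed_lc:
            dangling.append((name, target))
    return dangling


def redirect_allowed_wildcard(redirect_uri, parent_domain="example.com"):
    """Weak check: any https host under the parent domain may receive the
    token. A dangling subdomain an attacker registers passes this test."""
    u = urlparse(redirect_uri)
    host = (u.hostname or "").lower()
    in_parent = host == parent_domain or host.endswith("." + parent_domain)
    return u.scheme == "https" and in_parent


# Hardened policy: the exact redirect URIs registered for the client.
REGISTERED_REDIRECTS = {"https://www.example.com/auth/callback"}


def redirect_allowed_exact(redirect_uri):
    """Hardened check: exact-string match against registered redirect URIs."""
    return redirect_uri in REGISTERED_REDIRECTS


def token_sink_risk(zone, claimed):
    """Dangling hosts that the wildcard policy would still hand a token to
    and the exact-match policy would refuse."""
    risky = []
    for name, _target in find_dangling_cnames(zone, claimed):
        uri = f"https://{name.rstrip('.')}/"
        if redirect_allowed_wildcard(uri) and not redirect_allowed_exact(uri):
            risky.append(uri)
    return risky


if __name__ == "__main__":
    for name, target in find_dangling_cnames(SAMPLE_ZONE, CLAIMED_CLOUD_HOSTS):
        print(f"dangling: {name} -> {target}")
    for uri in token_sink_risk(SAMPLE_ZONE, CLAIMED_CLOUD_HOSTS):
        print(f"wildcard redirect policy would send tokens to {uri}")
```

The exact-match allowlist is the fix that survives the DNS side being wrong: even if an orphaned record is missed, an attacker-controlled sibling hostname is never a registered callback, so the sign-on flow has nothing to leak there.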
EA's Director of Game and Platform Security, Adrian Stone, gave a statement to CNET regarding the issue:
“Protecting our players is our priority. As a result of the report from CyberInt and Check Point, we engaged our product security response process to remediate the reported issues.”
Always, always, always turn on two-factor authentication when it's offered. I've learned this the hard way. A username and password are no longer enough to protect your accounts. A second factor will not stop an attacker who already holds a stolen session token, as in this case, but it does shut down the far more common route of a leaked or reused password.