Researchers have discovered a chain of flaws in EA Games’ login process that could have allowed an attacker to take over the account of any EA gamer, and there are 300 million of those around the globe. Stolen gaming credentials are valuable and frequently sold on the internet.
The flaws were discovered in EA’s Origin platform and worked into a proof of concept by Check Point Research and Cyberint (PDF) researchers.
“If a hacker had exploited the flaws,” said Oded Vanunu, head of products vulnerability research at Check Point, “they could have taken over a legitimate Origin user’s entire account. They would be able to lock the real user out by changing passwords, impersonate them to online friends, access personal account data, and if a credit card was linked to the account, make in-game purchases and more.”
There are two key elements to the vulnerability: an abandoned cloud subdomain whose DNS record was left dangling, and overly permissive EA login code.
Companies frequently use a cloud provider to host temporary projects, such as a marketing campaign or an application level operation. “In using the cloud provider [in this case Azure] you get a connection through the DNS from one of your own subdomains into the registration within the cloud provider and the temporary cloud server,” Itay Yanovski, founder and SVP strategy at Cyberint, told SecurityWeek.
When the temporary project is complete, the company takes down the server and stops using the subdomain. The DNS record persists, but it now points at a cloud hostname that no longer exists. “So an attacker, in this case our researchers,” continued Yanovski, “can reconnect the subdomain to another asset within the cloud provider environment — and it was in this way we took over a subdomain that was previously owned by the original company — EA Games.”
More specifically, in this case, the subdomain ‘eaplayinvite.ea.com’ carried a CNAME record pointing to ‘ea-invite-reg.azurewebsites.net’, the hostname of an Azure Web App that EA had since taken down. The CNAME record was never removed, so ‘eaplayinvite.ea.com’ now led to a dead target, and Azure Web App names that are not in use can be registered by any Azure customer. “Given this misconfiguration,” says Cyberint, “the service name ‘ea-invite-reg’ was successfully registered as a new web application service using a Microsoft Azure account under our control, restoring the ea-invite-reg.azurewebsites.net subdomain and subsequently allowing the eaplayinvite.ea.com subdomain to be hijacked along with the interception of any legitimate EA Games’ user requests.”
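The check a defender would want here is a scan of their own zone for exactly this pattern: a CNAME pointing into a cloud service where names are claimable on a first-come basis, whose target no longer resolves. The following is an added example written for this article, not code from Check Point, Cyberint or EA. The list of claimable suffixes, the sample zone records and the stub resolver are all constructed for the demonstration; the live resolver path uses only the standard library.

```python
"""Dangling-CNAME (subdomain takeover) check, as an added example.

A record is a takeover candidate when a subdomain's CNAME points at a
hostname on a cloud service where names can be registered by anyone
(e.g. *.azurewebsites.net) and that target hostname no longer resolves:
the cloud tenant was deleted but the DNS record was not.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Cloud suffixes where an unclaimed target name can be re-registered by a
# new customer. Constructed starting list for this example; extend it for
# the providers your organisation actually uses.
CLAIMABLE_SUFFIXES: Tuple[str, ...] = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".s3.amazonaws.com",
    ".herokuapp.com",
    ".github.io",
)


def target_is_claimable(target: str) -> bool:
    """True if the CNAME target lives on a provider where names can be re-registered."""
    t = target.rstrip(".").lower()
    return any(t.endswith(suffix) for suffix in CLAIMABLE_SUFFIXES)


def resolves_via_dns(hostname: str) -> bool:
    """Live resolver: True if the name has an A/AAAA answer (needs network access)."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def find_dangling(
    cname_records: Dict[str, str],
    resolves: Callable[[str], bool] = resolves_via_dns,
) -> List[Tuple[str, str]]:
    """Return (subdomain, target) pairs that look like takeover candidates.

    `cname_records` maps an owned subdomain to its CNAME target, e.g. as
    exported from the zone; `resolves` is pluggable so the scan can run offline.
    """
    dangling: List[Tuple[str, str]] = []
    for subdomain, target in cname_records.items():
        if target_is_claimable(target) and not resolves(target):
            dangling.append((subdomain, target.rstrip(".").lower()))
    return dangling


# --- offline demonstration with constructed data ---------------------------
# Constructed zone export. The first record mirrors the shape described in the
# article: an ea.com subdomain with a CNAME to an Azure Web App hostname.
SAMPLE_RECORDS: Dict[str, str] = {
    "eaplayinvite.ea.com": "ea-invite-reg.azurewebsites.net.",
    "www.example.com":     "example-prod.azurewebsites.net.",
    "mail.example.com":    "mail.example.net.",   # not on a claimable provider
}

# Constructed stand-in for the resolver: only the production app still exists.
_LIVE_HOSTS = {"example-prod.azurewebsites.net"}


def stub_resolver(hostname: str) -> bool:
    """Offline resolver for the demo; replace with resolves_via_dns for a real scan."""
    return hostname.rstrip(".").lower() in _LIVE_HOSTS


if __name__ == "__main__":
    for sub, tgt in find_dangling(SAMPLE_RECORDS, resolves=stub_resolver):
        print(f"TAKEOVER CANDIDATE: {sub} -> {tgt} (target does not resolve)")
```

Running the demo flags only eaplayinvite.ea.com: its target is on a claimable provider and no longer resolves, which is precisely the condition the researchers exploited. A non-resolving target on a provider not in the list is not flagged, so the suffix list is the part worth maintaining; the fix for any hit is to delete the CNAME, not to re-create the cloud resource.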
The second key element to this vulnerability was a flaw in EA’s login code. After a successful login, the process issues an SSO authentication token using the OAuth protocol and sends it on to a redirect destination. “A flaw in this code,” explained Yanovski, “allowed the login token to be redirected to any subdomain owned by EA.” The check was simply too permissive: it validated the destination only by whether it fell under an EA-owned domain, not against a fixed list of endpoints EA actually operated. In this case, one such EA-owned subdomain had already been hijacked by the researchers, exactly as a real attacker could have done. “The weakness,” continued Yanovski, “was that the EA code assumed that any domain owned by EA was benign.”
With these two elements, an attacker could phish Origin gamers into logging in through EA’s genuine login page, but with the token redirected to the hijacked subdomain and from there to the attacker. “With the access token now in the hands of the attacker,” explains Check Point, “he can log in to the user’s Origin account and view any data stored there, including the ability to buy more games and accessories at the user’s expense. Needless to say, that along with this massive invasion of privacy, the financial risks and potential for fraud is vast.”
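The two paragraphs above describe a redirect check that trusts any host under the company’s parent domain, and the attack that follows once one of those hosts is hijacked. The following added example (not EA’s code, nor the researchers’) puts the permissive policy beside an exact-match allowlist and models where the token ends up under each. The registered redirect URIs, the callback paths and the set of hijacked hosts are assumptions constructed for the example; it also shows a second common mistake, suffix matching without the leading dot, which the article does not attribute to EA.

```python
"""OAuth redirect_uri validation: permissive domain-suffix policy versus an
exact allowlist, with a small model of which party receives the SSO token.
Added example; hostnames, paths and the hijacked-host set are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Set
from urllib.parse import urlsplit

TRUSTED_PARENT = "ea.com"

# Exact redirect URIs registered for the login client (assumed for the example).
REDIRECT_ALLOWLIST: Set[str] = {
    "https://www.ea.com/login/callback",
    "https://accounts.ea.com/connect/auth/callback",
}

# Hosts under the parent domain that, in this scenario, an attacker controls
# through a dangling CNAME (constructed; mirrors the article's case).
HIJACKED_HOSTS: Set[str] = {"eaplayinvite.ea.com"}


def naive_suffix_is_allowed(redirect_uri: str) -> bool:
    """Worse still: suffix match without the dot also accepts 'notea.com'."""
    host = (urlsplit(redirect_uri).hostname or "").lower()
    return host.endswith(TRUSTED_PARENT)


def permissive_is_allowed(redirect_uri: str) -> bool:
    """The flawed policy described in the article: any host under ea.com is trusted.

    The suffix check itself is done correctly (leading dot, parsed hostname), so
    'ea.com.evil.example' and 'ea.com@evil.example' are rejected; the problem is
    that ownership of the parent domain says nothing about who serves a subdomain.
    """
    host = (urlsplit(redirect_uri).hostname or "").lower()
    return host == TRUSTED_PARENT or host.endswith("." + TRUSTED_PARENT)


def strict_is_allowed(redirect_uri: str) -> bool:
    """Hardened policy: https only, no query or fragment, exact match on a
    registered scheme://host/path. A hijacked subdomain is simply not listed."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.query or parts.fragment:
        return False
    canonical = f"https://{parts.hostname.lower()}{parts.path or '/'}"
    return canonical in REDIRECT_ALLOWLIST


@dataclass
class LoginOutcome:
    redirected: bool
    token_holder: str  # "user", "attacker" or "nobody"


def simulate_sso(redirect_uri: str, is_allowed: Callable[[str], bool]) -> LoginOutcome:
    """Model the authorization server's decision after a successful login.

    If the redirect is accepted, the browser carries the token to that host, so
    whoever actually serves the host receives it. The victim never hands over a
    password to the attacker; they log in to the genuine site.
    """
    if not is_allowed(redirect_uri):
        return LoginOutcome(redirected=False, token_holder="nobody")
    host = (urlsplit(redirect_uri).hostname or "").lower()
    holder = "attacker" if host in HIJACKED_HOSTS else "user"
    return LoginOutcome(redirected=True, token_holder=holder)


if __name__ == "__main__":
    legit = "https://www.ea.com/login/callback"
    phish = "https://eaplayinvite.ea.com/callback"  # the link in the phishing mail
    for name, policy in (("permissive", permissive_is_allowed), ("strict", strict_is_allowed)):
        print(f"{name:10s} legit -> {simulate_sso(legit, policy).token_holder}, "
              f"phish -> {simulate_sso(phish, policy).token_holder}")
```

Under the permissive policy the phished login succeeds and the token lands with the attacker; under the exact allowlist the hijacked subdomain is rejected outright, and the dangling DNS record becomes a hygiene problem rather than an account-takeover chain. Exact matching on registered URIs, rather than any pattern or suffix rule, is the standard OAuth recommendation for precisely this reason.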
Vanunu continued, “The vulnerabilities found by our researchers in EA’s platform did not require users to hand over any login details whatsoever. Instead, they took advantage of abandoned EA subdomains and EA Games’ use of authentication tokens in conjunction with the OAuth Single Sign-On (SSO) and TRUST mechanism built into EA Games’ user login process. Researchers were able to demonstrate how these tokens could be captured, enabling a hacker to log into and take over players’ accounts.”
The vulnerability is similar in concept to one disclosed by Check Point in January 2019 in Epic Games’ Fortnite, which also combined an unused subdomain with a flaw in the SSO login flow. Fortnite, however, had a mere 80 million gamers compared to EA’s 300 million. The same pattern could apply to any company with abandoned subdomains left pointing at cloud resources. Cyberint believes that 96% of Fortune 500 companies have such subdomains.
Cyberint and Check Point responsibly disclosed their findings to EA Games, and worked with the company to help fix the flaws and roll out an update before any threat actor could exploit them. EA responded rapidly, and the vulnerabilities have now been fixed. The researchers believe that the vulnerabilities have never been exploited. Nevertheless, they urge gamers to use two-factor authentication wherever possible.