What makes the latest Origin exploit particularly dangerous is that it requires no action from the victim: the user never has to hand over a login or password. Instead, the exploit lets an attacker steal the tokens associated with the OAuth Single Sign-On (SSO) and TRUST routines built into the EA Games user login process.
As a result, Check Point and CyberInt were able to hijack a number of ea.com and origin.com subdomains to perform a full takeover of user accounts. The researchers were able to hijack eaplayinvite.ea.com, which had previously been an inactive subdomain hosted on Microsoft Azure.
“EA’s Origin platform is hugely popular; and if left unpatched, these flaws would have enabled hackers to hijack and exploit millions of users’ accounts,” said Oded Vanunu, Head of Products Vulnerability Research at Check Point. “Along with the vulnerabilities we recently found in the platforms used by Epic Games for Fortnite, this shows how susceptible online and cloud applications are to attacks and breaches.” With control of the subdomain, the research team was able to set up a phishing page masquerading as an official EA site – served from a genuine EA domain – to steal access tokens.
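The takeover described above began with a subdomain whose DNS record still pointed at an Azure resource that no longer existed. The following added example (not code from Check Point, CyberInt or EA) shows the check a domain owner would run to catch that condition: it walks a constructed set of CNAME records and flags targets that no longer resolve, rating those on cloud hostnames a tenant can claim on demand as the highest risk. The suffix list, the sample zone and the offline resolver are assumptions standing in for real DNS data and lookups.

```python
from typing import Callable, Dict, List

# Constructed sample zone (hypothetical names, not real EA records):
# subdomain -> CNAME target.
SAMPLE_CNAMES: Dict[str, str] = {
    "invite.example.com": "promo-site-old.azurewebsites.net",  # resource deleted
    "www.example.com": "cdn.example-frontdoor.net",
    "labs.example.com": "labs-vm.cloudapp.azure.com",
    "status.example.com": "statuspage.example.org",
    "old.example.com": "retired.example.org",                  # gone, not claimable
}

# Constructed answer set: targets that still resolve. Anything missing
# here is treated as NXDOMAIN, i.e. the target was torn down.
RESOLVING_TARGETS = {
    "cdn.example-frontdoor.net",
    "labs-vm.cloudapp.azure.com",
    "statuspage.example.org",
}

# Assumed suffixes of cloud hostnames that any tenant can register, which
# is what makes a dangling CNAME to them a takeover risk.
CLAIMABLE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".cloudapp.net",
    ".trafficmanager.net",
    ".blob.core.windows.net",
)


def offline_resolves(name: str) -> bool:
    """Stand-in for a live DNS lookup; answers only from the constructed set."""
    return name in RESOLVING_TARGETS


def find_dangling(cnames: Dict[str, str], resolves: Callable[[str], bool]) -> List[dict]:
    """Return every CNAME whose target no longer resolves, with a risk rating."""
    findings = []
    for sub, target in cnames.items():
        if resolves(target):
            continue  # target still exists; nothing to claim
        claimable = target.lower().endswith(CLAIMABLE_SUFFIXES)
        findings.append({
            "subdomain": sub,
            "target": target,
            "risk": "high" if claimable else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_dangling(SAMPLE_CNAMES, offline_resolves):
        print(f"{f['risk']:6} {f['subdomain']} -> {f['target']}")
```

In production the `resolves` callback would be a real resolver and the records would come from the authoritative zone; removing or re-pointing the flagged CNAME closes the window before anyone else can register the target.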
For its part, EA thanked the researchers for discovering the vulnerabilities. Because Check Point and CyberInt are reputable security research firms with no axe to grind, they disclosed the vulnerabilities to EA privately, giving the company time to address the issues before the findings were made public.
“Protecting our players is our priority,” said Adrian Stone, Senior Director for Game and Platform Security at EA. “We [have] engaged our product security response process to remediate the reported issues. Working together under the tenet of Coordinated Vulnerability Disclosure strengthens our relationships with the wider cybersecurity community and is a key part of ensuring our players stay secure.”
According to EA, it has over 300 million registered gamers around the world using its services.