Prolific video game developer Electronic Arts Inc. (aka EA Games) has reportedly patched a pair of vulnerabilities that attackers could have exploited to hijack millions of player accounts, access their payment card information and make fraudulent purchases.
The first flaw could have allowed actors to hijack an EA Games subdomain, while the other could have enabled abuse of the oAuth protocol, resulting in an invalid redirection, according to researchers at Check Point Software Technologies and CyberInt, in separate blog post reports.
Based in Redwood City, California, EA develops such popular titles as FIFA, Madden NFL, NBA Live, Apex Legends, Battlefield, Need for Speed, The Sims, Star Wars: The Old Republic and Titanfall.
The subdomain hijack was made possible because the EA Games subdomain eaplayinvite.ea.com was observed connecting via CNAME (Canonical Name) record to an obsolete Microsoft Azure web address, ea-invite-reg.azurewebsites.net, that at one time hosted cloud-based services for the gaming company.
Because ea-invite-reg.azurewebsites.net was no longer active, the researchers were able to register that web address with their own private Microsoft Azure account, claiming it as their own. "This allowed us to essentially hijack the subdomain of eaplayinvite.ea.com and monitor the requests made by EA valid users," Check Point researchers stated in their blog post.
"If we were the real hackers, this would have become our foothold into the company's digital assets from where we would launch our account takeover attack," CyberInt said in its own blog post.
To perform such a takeover, the attackers would have needed to tamper with the oAuth protocol implementation by abusing the SSO trust mechanism that exists between the domains and subdomains of ea.com and origins.com, the website for EA's self-developed Origin gaming platform. In essence, the actors could have redirected users' generated SSO authentication tokens to the hijacked subdomain.
At that point, the attackers could have intruded into the account and engaged in fraudulent activity, without ever having to socially engineer users into giving away their log-in information.
In its company blog post, Check Point explained the process: "As part of a successful authentication process with EA global services via answers.ea.com, an oAuth HTTP request is sent to accounts.ea.com in order to get a new user SSO token, then the application should redirect it through signin.ea.com to the final EA service called answers.ea.com to identify the user. We found, however, that it was actually possible to determine the EA service address which the oAuth token is generated for by modifying the returnURI parameter within the HTTP request to our hijacked subdomain of EA, eaplayinvite.ea.com."
It wasn't quite that easy, as EA did have to engineer bypasses for a pair of limitations that EA had introduced. But "Despite the fact that EA games did not make our lives easy by implementing security measures in line with the best industry practices, we were able to trick users into visiting a malicious landing page that contained the payload, which enabled us to eventually hijack the session," CyberInt reported.
According to the researchers, EA successfully fixed the vulnerabilities following private disclosure, and its 300 account holders are now safe from this potential threat.
An EA spokesperson supplied SC Media with the following statement: "This [issue] was reported to EA privately by CyberInt through our Coordinated Vulnerability Disclosure program. As soon as the issue was raised, EA engaged with CyberInt to fix the vulnerability reported. We also closely monitored the situation and were able to verify that the vulnerability was not exploited and no player information was exposed."
