Cloud Security, Network Security, Vulnerability Management

Pair of vulnerabilities could have enabled takeover of EA gamer accounts

Prolific video game developer Electronic Arts Inc. (aka EA Games) has reportedly patched a pair of vulnerabilities that attackers could have exploited to hijack millions of player accounts, access their payment card information and make fraudulent purchases.

The first flaw could have allowed actors to hijack an EA Games subdomain, while the other could have enabled abuse of the oAuth protocol, resulting in an invalid redirection, according to researchers at Check Point Software Technologies and CyberInt, in separate blog post reports.

Based in Redwood City, California, EA develops such popular titles as FIFA, Madden NFL, NBA Live, Apex Legends, Battlefield, Need for Speed, The Sims, Star Wars: The Old Republic and Titanfall.

The subdomain hijack was made possible because the EA Games subdomain was observed connecting via CNAME (Canonical Name) record to an obsolete Microsoft Azure web address,, that at one time hosted cloud-based services for the gaming company.

Because was no longer active, the researchers were able to register that web address with their own private Microsoft Azure account, claiming it as their own. "This allowed us to essentially hijack the subdomain of and monitor the requests made by EA valid users," Check Point researchers stated in their blog post.

"If we were the real hackers, this would have become our foothold into the company's digital assets from where we would launch our account takeover attack," CyberInt said in its own blog post.

To perform such a takeover, the attackers would have needed to tamper with the oAuth protocol implementation by abusing the SSO trust mechanism that exists between the domains and subdomains of and, the website for EA's self-developed Origin gaming platform. In essence, the actors could have redirected users' generated SSO authentication tokens to the hijacked subdomain.

At that point, the attackers could have intruded into the account and engaged in fraudulent activity, without ever having to socially engineer users into giving away their log-in information.

In its company blog post, Check Point explained the process: "As part of a successful authentication process with EA global services via, an oAuth HTTP request is sent to in order to get a new user SSO token, then the application should redirect it through to the final EA service called to identify the user. We found, however, that it was actually possible to determine the EA service address which the oAuth token is generated for by modifying the returnURI parameter within the HTTP request to our hijacked subdomain of EA,"

It wasn't quite that easy, as EA did have to engineer bypasses for a pair of limitations that EA had introduced. But "Despite the fact that EA games did not make our lives easy by implementing security measures in line with the best industry practices, we were able to trick users into visiting a malicious landing page that contained the payload, which enabled us to eventually hijack the session," CyberInt reported.

According to the researchers, EA successfully fixed the vulnerabilities following private disclosure, and its 300 account holders are now safe from this potential threat.

An EA spokesperson supplied SC Media with the following statement: "This [issue] was reported to EA privately by CyberInt through our Coordinated Vulnerability Disclosure program. As soon as the issue was raised, EA engaged with CyberInt to fix the vulnerability reported. We also closely monitored the situation and were able to verify that the vulnerability was not exploited and no player information was exposed."

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.