[BreachExchange] EA Games Login Flaw Exposed Accounts of 300 Million Gamers

Destry Winant destry at riskbasedsecurity.com
Thu Jun 27 01:01:13 EDT 2019


https://www.securityweek.com/ea-games-login-flaw-exposed-accounts-300-million-gamers

Researchers have discovered a chain of flaws in EA Games' login
process that could allow an attacker to take over the account of any
EA gamer, or of many at once -- and there are 300 million of these
around the globe. Stolen gaming credentials are valuable and
frequently sold on the internet.

The flaws were discovered in EA's Origin platform and worked into a
proof of concept by Check Point Research and Cyberint (PDF)
researchers.

"If a hacker had exploited the flaws," said Oded Vanunu, head of
products vulnerability research at Check Point, "they could have taken
over a legitimate Origin user's entire account. They would be able to
lock the real user out by changing passwords, impersonate them to
online friends, access personal account data, and if a credit card was
linked to the account, make in-game purchases and more."

There are two key elements to the vulnerability -- an abandoned cloud
domain, and overly permissive EA login code.

Companies frequently use a cloud provider to host temporary projects,
such as a marketing campaign or an application level operation. "In
using the cloud provider [in this case Azure] you get a connection
through the DNS from one of your own subdomains into the registration
within the cloud provider and the temporary cloud server," Itay
Yanovski, founder and SVP strategy at Cyberint, told SecurityWeek.

When the temporary project is complete, the company takes down the
server and stops using the subdomain. The IP address now goes nowhere,
but the record persists. "So an attacker, in this case our
researchers," continued Yanovski, "can reconnect the subdomain to
another asset within the cloud provider environment -- and it was in
this way we took over a subdomain that was previously owned by the
original company -- EA Games."

More specifically, in this case, EA had changed the
'ea-invite-reg.azurewebsites.net' CNAME record so that the subdomain
'eaplayinvite.ea.com' no longer pointed to it. This meant that
'eaplayinvite.ea.com' now led to a dead link. "Given this
misconfiguration," says Cyberint, "the service name 'ea-invite-reg'
was successfully registered as a new web application service using a
Microsoft Azure account under our control, restoring the
ea-invite-reg.azurewebsites.net subdomain and subsequently allowing
the eaplayinvite.ea.com subdomain to be hijacked along with the
interception of any legitimate EA Games' user requests."
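The misconfiguration just described (a CNAME left pointing at a cloud host that no longer exists) is something a defender can audit for. The following is an added example, not code from the article or from the researchers' proof of concept; the zone records, the resolver answers and the example.com names are constructed, and the list of takeover-prone provider suffixes is an assumption you would tune to your own providers.

```python
"""Flag CNAME records whose target sits on a provider where an unclaimed
name can be re-registered by anyone, and which currently returns no
address. All data below is constructed sample input."""
from typing import Callable, Dict, List, Optional, Tuple

# Assumed list of provider suffixes prone to takeover when unclaimed;
# Azure App Service is the one named in the article.
TAKEOVER_PRONE_SUFFIXES = (".azurewebsites.net", ".cloudapp.azure.com")

# Constructed zone: owner name -> (record type, target).
SAMPLE_ZONE: Dict[str, Tuple[str, str]] = {
    "eaplayinvite.example.com": ("CNAME", "ea-invite-reg.azurewebsites.net"),
    "www.example.com": ("CNAME", "www-prod.azurewebsites.net"),
    "shop.example.com": ("A", "203.0.113.10"),
}

# Constructed resolver answers; any name not listed here does not resolve
# (the equivalent of NXDOMAIN / no A record from a real resolver).
SAMPLE_ANSWERS = {"www-prod.azurewebsites.net": "203.0.113.20"}


def sample_resolver(name: str) -> Optional[str]:
    """Stand-in for a real DNS lookup; returns an address or None."""
    return SAMPLE_ANSWERS.get(name.lower())


def find_dangling_cnames(zone: Dict[str, Tuple[str, str]],
                         resolve: Callable[[str], Optional[str]]
                         ) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs for CNAMEs that point at a
    takeover-prone provider name which no longer resolves."""
    findings = []
    for owner, (rtype, target) in zone.items():
        if rtype != "CNAME":
            continue
        if not target.lower().endswith(TAKEOVER_PRONE_SUFFIXES):
            continue
        if resolve(target) is None:
            findings.append((owner, target))
    return findings


if __name__ == "__main__":
    for owner, target in find_dangling_cnames(SAMPLE_ZONE, sample_resolver):
        print(f"dangling: {owner} -> {target}; delete the CNAME or reclaim the app")
```

In a real audit the resolver argument would wrap an actual DNS query, and a hit means either removing the stale record or re-registering the cloud resource under your own account before someone else does.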

The second key element to this vulnerability was a flaw in EA's login
code. The basic process generates an SSO authentication token with the
OAuth protocol. "A flaw in this code," explained Yanovski, "allowed
the login token to be redirected to any subdomain owned by EA." The
code was simply too permissive. In this case, the subdomain owned by
EA had already been hijacked by the researchers, who could just as
easily have been attackers. "The weakness," continued Yanovski, "was
that the EA code assumed that any domain owned by EA was benign."
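The "any subdomain owned by EA is benign" assumption is, in OAuth terms, a redirect URI check that matches on the parent domain instead of on a registered URI. The following is an added example, not EA's code; it places that permissive check beside the strict form, using a constructed client registration on example.com.

```python
"""Permissive (domain-suffix) versus strict (exact, pre-registered)
validation of an OAuth redirect_uri. Names and URIs are constructed."""
from typing import Dict, Set
from urllib.parse import urlsplit

# Constructed registration: client id -> exact redirect URIs it may use.
REGISTERED_REDIRECTS: Dict[str, Set[str]] = {
    "origin-web": {"https://signin.example.com/oauth/callback"},
}


def permissive_redirect_ok(redirect_uri: str,
                           first_party_domain: str = "example.com") -> bool:
    """The weak check: any https host under the first-party domain is
    trusted, so a hijacked subdomain passes just like a real one."""
    u = urlsplit(redirect_uri)
    host = (u.hostname or "").lower()
    return u.scheme == "https" and (
        host == first_party_domain or host.endswith("." + first_party_domain))


def strict_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """The corrected check: the URI must equal one registered for this
    client. Only scheme and host are case-folded (RFC 3986 treats them as
    case-insensitive); path and query must match byte for byte, and a
    fragment or a non-https scheme is rejected outright."""
    u = urlsplit(redirect_uri)
    if u.scheme.lower() != "https" or u.fragment:
        return False
    normalized = u._replace(scheme="https", netloc=u.netloc.lower()).geturl()
    return normalized in REGISTERED_REDIRECTS.get(client_id, set())


if __name__ == "__main__":
    hijacked = "https://eaplayinvite.example.com/callback"
    print("permissive:", permissive_redirect_ok(hijacked))      # True
    print("strict:    ", strict_redirect_ok("origin-web", hijacked))  # False
```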

With these two elements, attackers could phish Origin gamers to log in
to EA, but have the tokens redirected to the hijacked subdomain and
thence on to the attacker. "With the access token now in the hands of
the attacker," explains Check Point, "he can log in to the user's
Origin account and view any data stored there, including the ability
to buy more games and accessories at the user's expense. Needless to
say, that along with this massive invasion of privacy, the financial
risks and potential for fraud is vast."

Vanunu continued, "The vulnerabilities found by our researchers in
EA's platform did not require users to hand over any login details
whatsoever. Instead, they took advantage of abandoned EA subdomains
and EA Games' use of authentication tokens in conjunction with the
OAuth Single Sign-On (SSO) and TRUST mechanism built into EA Game's
user login process. Researchers were able to demonstrate how these
tokens could be captured, enabling a hacker to log into and take over
players' accounts."

The vulnerability is similar in concept to one disclosed by Check
Point in January 2019 with the Fortnite game. Epic Games' Fortnite,
however, had a mere 80 million gamers compared to EA's 300 million
gamers. The vulnerability could potentially apply to other companies
with abandoned sub-domains. Cyberint believes that 96% of Fortune 500
companies have such subdomains.

Cyberint and Check Point responsibly disclosed their findings to EA
Games, and worked with the company to help fix the flaws and roll out
an update before any threat actor could exploit them. EA responded
rapidly, and the vulnerabilities have now been fixed. The researchers
believe that the vulnerabilities have never been exploited.
Nevertheless, they urge gamers to use two-factor authentication
wherever possible.
