A flaw was found in EA Origin that could have exposed 300 million players to account takeovers. The flaw would have allowed hackers to hijack people’s accounts without stealing their login or passwords. That’s because it would steal a Single Sign-On authorization token instead, which could give complete control for hackers. The security researchers that discovered the flaw were able to take control of an EA subdomain, under the URL “eaplayinvite.ea.com,” which was an inactive domain hosted on Microsoft’s Azure cloud service. They could send the malicious page to players, and since it was an EA domain, victims would be more likely to trust the link, researchers said. The hijacked page had code embedded that would take access tokens intended for EA and direct it toward the researchers instead.
Account Takeover Vulnerability Found in the Popular EA Games' Origin Platformhttps://t.co/SLEhZJrnYw
Checkout the video demonstration shared by CheckPoint researchers.
—by @unix_root pic.twitter.com/4rff0P2xC1
— The Hacker News (@TheHackersNews) June 26, 2019
Experts Comments:
Jonathan Bensen, CISO at Balbix:
“Digital transformation has facilitated an exponential increase in the size of the enterprise attack surface. Corporate security teams are often overloaded with the mountainous task of keeping tabs on the hundreds of thousands of digital assets connected to their organization’s network. What’s more, 51 percent of organizations report a problematic shortage of cybersecurity skills, according to ESG’s annual survey. Seeing as data theft and cyber-attacks pose significant threats to companies around the world, organizations must adopt a robust solution that can assist corporate security teams in proactively identifying vulnerabilities that could lead to data exposure. Failing to secure data could lead to lawsuits and fines under data privacy regulations. For example, under GDPR, the fines could be 4 percent of annual global turnover.
AI has rapidly gained interest as a valuable approach that can help security teams to monitor the swathes of data being generated from all devices, apps and users present in a network for potential vulnerabilities or cyber-risks. The top AI-based security tools can automatically discover and monitor all IT assets across a broad range of attack vectors, prioritize remediations based on business risk and even implement automatic remediation workflows by integrating into enterprise ticketing and security orchestration systems.”
Ben Herzberg, Director, Threat Research at Imperva:
“This shows how in cybersecurity sometimes small things (like misconfiguring a sub-domain) can lead to security holes in products, and is another reason why organizations should take the necessary steps to protect their data & applications.
This is especially true in the gaming industry, which is known to be in focus of many attackers. As an example, attackers are targeting web applications in order to run scams around games like Fortnite, and we at Imperva see gaming targets as one of the top 5 most attacked industry verticals.”
Casey Ellis, CTO and Founder at Bugcrowd:
The good news is that this is a vulnerability, not the confirmation of a breach. EA was alerted to the critical vulnerability before it could be exploited by malicious actors.
Gaming companies, like EA, have a tendency to grow rapidly once their games get traction in the market, and speed to market is the natural enemy of security. Security efforts just can’t keep up or often isn’t even considered in the software development lifecycle.
This is an interesting vulnerability chain, taking advantage of issues that we see frequently in the Bugcrowd program: authentication implementation problems, specifically around SAML, and squatted/orphaned domains. This news just goes to show that engaging with the whitehat hacker community to perform attack surface discovery, and maintain that feedback loop on an ongoing basis, is the only way to identify these types of issues as they are inevitably introduced into the wild.
Anurag Kahol, CTO at Bitglass:
“When individuals create profiles on websites, they should be able to trust that their accounts won’t be hacked. While no credentials were leaked and no personal information was stolen by hackers through the EA vulnerability, 300 million consumers could have had their accounts and their data exposed if researchers hadn’t found the issue and intervened. Despite this particular scenario, companies can’t rely upon third parties to find and fix security problems in their systems. As such, organizations must take a more proactive approach to defending customers’ personal information and accounts.”
Samantha Humphries, Senior Product Marketing Manager at Exabeam:
“This could have resulted in a much uglier situation, thankfully all parties did the right thing. Responsible vulnerability disclosure and prompt vendor response make the all the difference to ensuring consumer privacy, data security, and ultimately trust.”
