An EA Games vulnerability allowed anyone to hijack a registered player’s account giving them full access and control without the player knowing, or having to interact with the hacker in any way. Some 300 million may have been affected.
Israeli cyber security firms CyberInt and Check Point have discovered that they could manipulate how EA Games had registered their domains, hijacking a subdomain in Microsoft’s Azure cloud to fully take over player accounts.
EA Games, worth some $5 billion by revenues, develops, sells and hosts some of the biggest game brands in the industry; from sports games such as FIFA, Madden and NBA, to popular FPS games like Battlefield and Medal of Honor. All of these titles are sold on EA Games digital distribution platform Origin.
The Origin gaming platform also lets account holders connect with friends either via chat applications or by joining gaming sessions directly and includes community integration with networking sites such as Facebook, Xbox Live, PlayStation Network, and Nintendo Network.
The vulnerability discovered by the researchers allows them to completely take over a user’s account by steadily stacking vulnerabilities to the point where they can obtain a user’s Single Sign On (SSO) token.
Check Point has disclosed the security issue to EA Games and are working with them to fix the vulnerability.
Adrian Stone Senior Director of Game and Platform Security at Electronic Arts commented in an emailed statement: “Protecting our players is our priority. As a result of the report from CyberInt and Check Point, we engaged our product security response process to remediate the reported issues. Working together under the tenet of Coordinated Vulnerability Disclosure strengthens our relationships with the wider cybersecurity community and is a key part of ensuring our players stay secure.”
The EA Games platform uses several different domain names to run its service such as ea.com and origin.com, the latter operating as the digital store for EA. Both of these domains provide user access to EA accounts.
Cloud-based services like EA Games have a unique subdomain address registered to a specific cloud supplier host, for example eaplayinvite.ea.com has a DNS pointer to the host list ea-invite-reg.azurewebsites.net, which then runs the service in the background.
EA games uses Microsoft Azure to host several of its domain names including ea.com and origin.com, Azure user account holders can request to register a specific service name to connect a domain and subdomain.
In its investigation of EA’s platform CyberInt found that the ea-invite-reg.azurewebsites.net service was no longer in-use within Azure cloud services: “However the unique subdomain eaplayinvite.ea.com still redirect to it using the CNAME configuration.”
“The CNAME redirection of eaplayinvite.ea.com allows us to create a new successful registration request at our own Azure account and register ea-invite-reg.azurewebsites.net as our new web application service. This allowed us to essentially hijack the subdomain of eaplayinvite.ea.com and monitor the requests made by EA valid users,” the researchers note.
As a result they have effectively hijacked the domain information redirect so that now the eaplayinvite.ea.com redirects to their Azure cloud web service account.
Through a series of steps, a hacker hacker could then grab SSO tokens. Check Point did this in part by modifying the returnURI parameter within a users’ HTTP request to its hijacked sub-domain of EA. The company bypassed HTTP Referer header validation by coding a new Iframe onto the index page of its hijacked subdomain, so the request would be initiated from the Iframe and bypass the server validation.
Oded Vanunu Head of Products Vulnerability Research at Check Point commented in an emailed statement that: “EA’s Origin platform is hugely popular; and if left unpatched, these flaws would have enabled hackers to hijack and exploit millions of users’ accounts.”
“Along with the vulnerabilities we recently found in the platforms used by Epic Games for Fortnite, this shows how susceptible online and cloud applications are to attacks and breaches. These platforms are being increasingly targeted by hackers because of huge amounts of sensitive customer data they hold.”
This article is from the CBROnline archive: some formatting and images may not be present.
Join Our Newsletter
Want more on technology leadership?
Sign up for Tech Monitor's weekly newsletter, Changelog, for the latest insight and analysis delivered straight to your inbox.