View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

EA Games Vulnerability Could Leave 300m Open to Account Hijacking

"These platforms are being increasingly targeted by hackers because of huge amounts of sensitive customer data they hold.”

By CBR Staff Writer

An EA Games vulnerability allowed anyone to hijack a registered player’s account giving them full access and control without the player knowing, or having to interact with the hacker in any way. Some 300 million may have been affected.

Israeli cyber security firms CyberInt and Check Point have discovered that they could manipulate how EA Games had registered their domains, hijacking a subdomain in Microsoft’s Azure cloud to fully take over player accounts.

EA Games, worth some $5 billion by revenues, develops, sells and hosts some of the biggest game brands in the industry; from sports games such as FIFA, Madden and NBA, to popular FPS games like Battlefield and Medal of Honor. All of these titles are sold on EA Games digital distribution platform Origin.

The Origin gaming platform also lets account holders connect with friends either via chat applications or by joining gaming sessions directly and includes community integration with networking sites such as Facebook, Xbox Live, PlayStation Network, and Nintendo Network.

The vulnerability discovered by the researchers allows them to completely take over a user’s account by steadily stacking vulnerabilities to the point where they can obtain a user’s Single Sign On (SSO) token.

Check Point has disclosed the security issue to EA Games and are working with them to fix the vulnerability.

Adrian Stone Senior Director of Game and Platform Security at Electronic Arts commented in an emailed statement: “Protecting our players is our priority. As a result of the report from CyberInt and Check Point, we engaged our product security response process to remediate the reported issues. Working together under the tenet of Coordinated Vulnerability Disclosure strengthens our relationships with the wider cybersecurity community and is a key part of ensuring our players stay secure.”

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

EA Games Hack Done By Stacking Vulnerabilities

The EA Games platform uses several different domain names to run its service such as ea.com and origin.com, the latter operating as the digital store for EA. Both of these domains provide user access to EA accounts.

Cloud-based services like EA Games have a unique subdomain address registered to a specific cloud supplier host, for example eaplayinvite.ea.com has a DNS pointer to the host list ea-invite-reg.azurewebsites.net, which then runs the service in the background.

EA games uses Microsoft Azure to host several of its domain names including ea.com and origin.com, Azure user account holders can request to register a specific service name to connect a domain and subdomain.

In its investigation of EA’s platform CyberInt found that the ea-invite-reg.azurewebsites.net service was no longer in-use within Azure cloud services: “However the unique subdomain eaplayinvite.ea.com still redirect to it using the CNAME configuration.”

“The CNAME redirection of eaplayinvite.ea.com allows us to create a new successful registration request at our own Azure account and register ea-invite-reg.azurewebsites.net as our new web application service. This allowed us to essentially hijack the subdomain of eaplayinvite.ea.com and monitor the requests made by EA valid users,” the researchers note.

EA Games Hack

Fig 1: The DNS pointer for eaplayinvite.ea.com points to the CNAME record, ea-invite-reg.azurewebsites.net

As a result they have effectively hijacked the domain information redirect so that now the eaplayinvite.ea.com redirects to their Azure cloud web service account.

Through a series of steps, a hacker hacker could then grab SSO tokens. Check Point did this in part by modifying the returnURI parameter within a users’ HTTP request to its hijacked sub-domain of EA. The company bypassed HTTP Referer header validation by coding a new Iframe onto the index page of its hijacked subdomain, so the request would be initiated from the Iframe and bypass the server validation.

Oded Vanunu Head of Products Vulnerability Research at Check Point commented in an emailed statement that: “EA’s Origin platform is hugely popular; and if left unpatched, these flaws would have enabled hackers to hijack and exploit millions of users’ accounts.”

“Along with the vulnerabilities we recently found in the platforms used by Epic Games for Fortnite, this shows how susceptible online and cloud applications are to attacks and breaches. These platforms are being increasingly targeted by hackers because of huge amounts of sensitive customer data they hold.”

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU