Researchers Discover Bugs In EA's Origin That Exposed Millions Of Accounts

Image: Kotaku

Security researchers Check Point Research have revealed that a string of bugs in the Origin game launcher — which EA has since patched with their help — exposed millions of accounts to exploits that allowed hackers access to player accounts and the ability to buy games on those accounts, without having to hand over any login details.

The exploit, as outlined in a blog post here, revolves around how EA's Origin client handled its use of authentication tokens.

Essentially, it plays out like this. The Origin service uses the Microsoft's Azure network, and that network hosts a range of servers and subdomains.

CyberInt, who assisted Check Point Research in finding the vulnerability, discovered a subdomain that was redirecting to a service that was no longer in use. But because the redirect was still in place, researchers were able to create new registration requests using their own Microsoft Azure account, which allowed them to monitor any valid registration requests made by people going through the service.

From there, researchers were able to redirect the requests to their own Azure service, which got them thinking about the relationship between the main domain names for the Origin service — and the official Origin website — and its subdomains.

Following a similar logic for the initial vulnerability, researchers were able to find the address that generates the authentication tokens for the Origin client — and from there, they could change a parameter so the HTTP request redirected to their hijacked subdomain, and not the official server.

The researchers' hijacked EA domain page.

To get around any barriers in place from EA, their hijacked "" page contained a hidden iframe linking back to the official EA accounts page, which was sufficient to trick the service into bypassing the server validation process.

All of this was bad enough, but it still didn't give the researchers access to other accounts. They were able to redirect authenticated EA players to their servers instead of the official ones, but that wasn't enough to grant access.

But some investigation revealed that logging in via the hijacked subdomain also contained the account's single sign-on (SSO) token, which was enough to grant researchers access to the account.

You can see the full attack, which includes the ability to purchase in-game items, currency and goods through Origin on other accounts, in action below. You're best off watching without sound though, unless you enjoy listening to awful dubstep.

The vulnerable SSO flaw isn't too dissimilar from a vulnerability patched out by Epic at the start of the year — which Check Point Research discovered and chronicled — that allowed hackers to access Fortnite accounts, where hackers could create malicious links via legitimate subdomains.

And the exploits are just another reminder why more users are increasingly wary about multiple competing digital marketplaces. It's not the prospect of competition that's the problem — it's opening multiple attack vectors for your personal information and credit card details. No software is perfect, and there will always be more hackers than engineers.


    So there's basically two problems:

    1. an subdomain had a CNAME record pointing at a domain that EA didn't control. In this case it was an unclaimed Azure application domain, but the attack would have been equally effective if it was an expired domain. With domain validation, that's enough to get a TLS certificate to make the website look secure to the user. We're decades past the point where someone would telephone the company before issuing the certificate.

    2. They have an OAuth server that allows response_type=token requests, leading to OAuth tokens being sent to the user's browser. Combine this with a trusted redirect_uri site that will happily leak the token to the site registered in (1).

    It seems (2) could have been avoided completely if EA's server required clients to use response_type=code, which doesn't involve sending the access token to the user's browser. This wouldn't prevent a malicious site from initiating an authentication request using another site's client ID, but instead of getting an access token, they'd receive a code that is useless without the corresponding client secret.

    Well this is shocking news, who would've guessed they had millions of accounts!

Join the discussion!

Trending Stories Right Now