Security researchers at Check Point Research have revealed that a string of bugs in EA's Origin game launcher — which EA has since patched with the researchers' help — exposed millions of accounts to exploits that gave attackers access to player accounts, including the ability to buy games on those accounts, without needing any login details.
The exploit, as outlined in a blog post here, revolves around how EA's Origin client handled its use of authentication tokens.
Essentially, it plays out like this. The Origin service uses Microsoft's Azure cloud platform, which hosts a range of EA servers and subdomains.
CyberInt, who assisted Check Point Research in finding the vulnerability, discovered an EA subdomain that was still redirecting to an Azure-hosted service that was no longer in use. Because the redirect remained in place, the researchers were able to register the unused service under their own Microsoft Azure account, which allowed them to monitor any valid registration requests made by people going through the eaplayinvite.ea.com service.
From there, researchers were able to redirect the eaplayinvite.ea.com requests to their own Azure service, which got them thinking about the relationship between the main domain names for the Origin service — EA.com and the official Origin website — and its subdomains.
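The weakness described above is a dangling DNS record: a subdomain whose CNAME still points at a cloud-hosted name that nobody owns any more. The checker below is an added example, not code from the article, EA, Check Point or CyberInt; the zone snapshot, the hostnames and the set of "live" cloud names are constructed for the example, and the suffix list of re-registrable cloud namespaces is illustrative rather than exhaustive. In a real run, the `LIVE_CLOUD_NAMES` stand-in would be replaced by a DNS lookup of each target.

```python
from typing import Dict, List, Optional, Set, Tuple

# Cloud-hosted name suffixes whose resources, once deleted, can be re-registered
# by any account. The Azure names are the well-known cases; this list is
# illustrative, not exhaustive (assumption for the example).
TAKEOVER_PRONE_SUFFIXES: Tuple[str, ...] = (
    ".azurewebsites.net",
    ".cloudapp.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".blob.core.windows.net",
)

# Constructed DNS snapshot (hypothetical zone): subdomain -> CNAME target.
# None means the name has no CNAME (an A record, for instance).
CNAME_RECORDS: Dict[str, Optional[str]] = {
    "invite.example.com": "eainvite-legacy.cloudapp.net.",   # service deleted
    "store.example.com": "store-prod.azurewebsites.net",      # service live
    "www.example.com": "www.example.com.cdn.example-cdn.net",  # third-party CDN
    "mail.example.com": None,
}

# Constructed stand-in for "does this cloud name still resolve?". A real check
# would query DNS for each target instead of consulting a fixed set.
LIVE_CLOUD_NAMES: Set[str] = {"store-prod.azurewebsites.net"}


def normalise(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot of a fully qualified form."""
    return name.rstrip(".").lower()


def is_takeover_prone(target: str) -> bool:
    """True when the CNAME target lives in a namespace anyone can re-register."""
    t = normalise(target)
    return any(t.endswith(suffix) for suffix in TAKEOVER_PRONE_SUFFIXES)


def find_dangling(cname_records: Dict[str, Optional[str]],
                  live_names: Set[str]) -> List[Tuple[str, str]]:
    """Return (subdomain, target) pairs that point at takeover-prone names
    which no longer exist: the configuration that let the invite subdomain
    be hijacked. The fix is to delete the record or reclaim the target."""
    live = {normalise(n) for n in live_names}
    dangling: List[Tuple[str, str]] = []
    for sub, target in cname_records.items():
        if target is None:
            continue
        t = normalise(target)
        if is_takeover_prone(t) and t not in live:
            dangling.append((sub, t))
    return sorted(dangling)


if __name__ == "__main__":
    for sub, target in find_dangling(CNAME_RECORDS, LIVE_CLOUD_NAMES):
        print(f"DANGLING: {sub} -> {target} (remove the record or reclaim the target)")
```

The CDN entry shows why the suffix list matters: a CNAME to a third party is not automatically a takeover risk, only one into a namespace where the deleted resource name can be claimed again.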
Following the same logic as the initial vulnerability, the researchers were able to find the address that generates the authentication tokens for the Origin client — and from there, they could change a parameter so that the HTTP request redirected to their hijacked subdomain instead of the official server.
To get around any barriers in place from EA, their hijacked "eaplayinvite.ea.com" page contained a hidden iframe linking back to the official EA accounts page, which was sufficient to trick the service into bypassing the server validation process.
All of this was bad enough, but it still didn't give the researchers access to other accounts. They were able to redirect authenticated EA players to their servers instead of the official ones, but that wasn't enough to grant access.
But further investigation revealed that the login request sent through the hijacked subdomain also carried the account's single sign-on (SSO) token, which was enough to grant the researchers access to the account.
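The chain in the last few paragraphs turns on one decision: the token-issuing endpoint trusted a caller-supplied redirect target because its hostname sat under the company's parent domain. The model below is an added example, not code from the article, EA or Check Point; the hostnames, the allowlist and the sample requests are constructed. It places a suffix-match check, the reasoning a hijacked subdomain defeats, beside an exact-host allowlist, and shows a token endpoint that refuses to send the session token anywhere the stricter policy rejects.

```python
from typing import Callable, Dict, Optional
from urllib.parse import urlparse

# Hypothetical exact hosts allowed to receive a redirect that carries a session token.
ALLOWED_REDIRECT_HOSTS = frozenset({"accounts.example.com", "store.example.com"})
PARENT_DOMAIN = "example.com"  # constructed stand-in for the company's apex domain


def weak_is_trusted(url: str) -> bool:
    """Suffix check: 'any host under our parent domain is ours'.
    An abandoned, since-hijacked subdomain still ends in the parent domain,
    so this check accepts it."""
    host = urlparse(url).hostname or ""
    return host == PARENT_DOMAIN or host.endswith("." + PARENT_DOMAIN)


def strict_is_trusted(url: str) -> bool:
    """Exact-host allowlist plus scheme check. Taking over some other
    subdomain does not add it to the list."""
    p = urlparse(url)
    host = p.hostname or ""
    return (
        p.scheme == "https"
        and host in ALLOWED_REDIRECT_HOSTS
        and p.username is None and p.password is None  # reject user@host forms
    )


def issue_token_response(redirect_url: str, sso_token: str,
                         policy: Callable[[str], bool]) -> Dict[str, Optional[object]]:
    """Model of the token endpoint: only redirect with the SSO token when the
    target passes the supplied policy. Returns a dict standing in for the
    HTTP response; 'token_sent_to' records where the token would go."""
    if not policy(redirect_url):
        return {"status": 400, "location": None, "token_sent_to": None}
    host = urlparse(redirect_url).hostname
    return {"status": 302, "location": redirect_url, "token_sent_to": host}


# Constructed sample targets: the second is a subdomain that no longer belongs
# to the company (the dangling-CNAME situation from the article).
SAMPLE_TARGETS = [
    "https://accounts.example.com/login",
    "https://invite.example.com/callback",
    "https://accounts.example.com.attacker.test/",
    "http://accounts.example.com/login",
    "https://accounts.example.com@attacker.test/",
]


def compare_policies(targets=SAMPLE_TARGETS) -> Dict[str, Dict[str, bool]]:
    """Evaluate every sample target under both policies."""
    return {t: {"weak": weak_is_trusted(t), "strict": strict_is_trusted(t)}
            for t in targets}


if __name__ == "__main__":
    for target, verdict in compare_policies().items():
        print(f"{target:50} weak={verdict['weak']!s:5} strict={verdict['strict']}")
```

The second sample is the interesting one: both policies reject an obviously foreign host, but only the allowlist rejects a genuine subdomain that has fallen out of the company's control, which is exactly the case the researchers exploited.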
You can see the full attack, which includes the ability to purchase in-game items, currency and goods through Origin on other accounts, in action below. You're best off watching without sound though, unless you enjoy listening to awful dubstep.
The SSO flaw isn't too dissimilar from a vulnerability Epic patched at the start of the year — which Check Point Research also discovered and chronicled — that allowed hackers to access Fortnite accounts by creating malicious links via legitimate subdomains.
And the exploits are just another reminder of why users are increasingly wary of multiple competing digital marketplaces. It's not the prospect of competition that's the problem — it's opening multiple attack vectors for your personal information and credit card details. No software is perfect, and there will always be more hackers than engineers.