Security Flaws in Electronic Arts’s Origin Platform
Jun 26, 2019 / Check Point
Today’s kids and kids-at-heart are arguably more addicted to computer games than ever before, and some of the most popular are sports themed. But for cyber criminals the only sport they are addicted to is exploiting vulnerabilities so that private information reaches the end-of-level baddie.
In the last few weeks, Check Point Research has combined forces with CyberInt to identify a chain of vulnerabilities that, once exploited, could have led to the takeover of millions of player accounts within the world’s second largest gaming company, EA Games. The potential damage could have involved an attacker gaining access to a user’s credit card information and the ability to fraudulently purchase in-game currency on behalf of the user.
CyberInt and Check Point immediately notified EA Games of these security gaps and together leveraged their expertise to support EA in fixing them to protect their gaming customers.
Origin: The EA Games Platform
With over 300 million users and revenues of around $5 billion, EA Games is the world’s second largest gaming company by market capitalization and boasts household gaming titles such as FIFA, Madden NFL, NBA Live, UFC, The Sims, Battlefield, Command and Conquer and Medal of Honor in its portfolio. All these games and more rest on its self-developed Origin gaming platform that allows users to purchase and play EA’s games across PC and mobile.
Origin also contains social features such as profile management, networking with friends with chat and direct game joining along with community integration with networking sites such as Facebook, Xbox Live, PlayStation Network, and Nintendo Network.
Origin and the Vulnerabilities Found
As with Check Point Research’s previous discoveries in another hugely popular online game, Fortnite, the vulnerabilities found in EA’s platform did not require the user to hand over any login details whatsoever. Instead, they took advantage of EA Games’ use of authentication tokens in conjunction with the OAuth Single Sign-On (SSO) and TRUST mechanism that is built into EA Games’ user login process.
In this case, EA Games is a cloud-based company that uses Microsoft Azure to host several domain names such as ea.com and origin.com in order to provide global access to various services for their players, including creating new game accounts, connecting to the Origin social network and purchasing more games in EA’s online store.
How the Attack Works
Each service offered by EA is registered on a unique subdomain address, for example, eaplayinvite.ea.com, and has a DNS pointer (A or CNAME record) to a specific cloud supplier host, e.g. ‘ea-invite-reg.azurewebsites.net’, which runs the desired service in the background, in this case a web application server.
Due to misconfigurations in the Azure cloud platform, however, EA had changed the ‘ea-invite-reg.azurewebsites.net’ CNAME record so that the subdomain ‘eaplayinvite.ea.com’ no longer pointed to it. This meant that ‘eaplayinvite.ea.com’ now led to a dead link. It was thus very straightforward for our team to purchase the ‘ea-invite-reg.azurewebsites.net’ CNAME record instead and have ‘eaplayinvite.ea.com’ point to our own cloud account. As we now controlled this sub-domain, any user accessing this URL could unknowingly be routed through our team’s cloud hosting account.
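On the defender's side, the condition described above (a CNAME whose cloud-hosted target is dead) can be found by auditing a zone export. The following is an added example, not code from Check Point or EA; the function names, the sample zone (apart from the record named in the article) and the injected resolver state are constructed for illustration.

```python
import socket

# Hosting suffixes where a released name can be registered by another tenant.
# azurewebsites.net comes from the article; extend the tuple for your estate.
CLAIMABLE_SUFFIXES = (".azurewebsites.net",)

def system_resolves(hostname):
    """Default resolver: True if the name currently resolves to an address."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False

def audit_cnames(records, resolves=system_resolves):
    """Classify each (subdomain, cname_target) pair from a zone export.

    DANGLING  target does not resolve and sits on a claimable service
    BROKEN    target does not resolve, but is not third-party claimable
    OK        target resolves (still confirm the resource is yours)
    """
    findings = []
    for subdomain, target in records:
        target = target.rstrip(".").lower()
        if resolves(target):
            status = "OK"
        elif target.endswith(CLAIMABLE_SUFFIXES):
            status = "DANGLING"
        else:
            status = "BROKEN"
        findings.append((subdomain, target, status))
    return findings

# Constructed zone export. The first pair is the record named in the article;
# the other two are made up.
SAMPLE_ZONE = [
    ("eaplayinvite.ea.com", "ea-invite-reg.azurewebsites.net."),
    ("store.example.com", "store-prod.azurewebsites.net."),
    ("legacy.example.com", "old-lb.internal.example.com."),
]
# Constructed resolver state: only the live app still has an address.
LIVE = {"store-prod.azurewebsites.net"}

def offline_demo():
    return audit_cnames(SAMPLE_ZONE, resolves=lambda h: h in LIVE)

if __name__ == "__main__":
    for row in offline_demo():
        print(*row, sep="\t")
```

Against a real zone, call `audit_cnames(records)` with the default resolver and remove or repoint every DANGLING record before the cloud resource is released, not after.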
Stage Two of the Attack
The next step was to understand how EA Games had configured the OAuth protocol and provided its users with a Single Sign-On (SSO) mechanism. This SSO mechanism essentially exchanges the user’s login credentials (username and password) for a unique SSO Token that is then used to authenticate the user across EA’s network without them having to re-enter their login details.
After discovering some issues in the way EA had implemented the TRUST mechanism, our team was able to redirect where the SSO Token is sent to and request it to be sent to our hijacked EA sub-domain of ‘eaplayinvite.ea.com’.
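The article does not publish EA's validation logic, so the following added example (not EA's or Check Point's code) contrasts a constructed domain-wide trust rule with an exact allowlist of token destinations. It shows why a hijacked sub-domain inherits trust under the former and not the latter. All hosts under example.com and the function names are hypothetical.

```python
from urllib.parse import urlsplit

TRUSTED_PARENT = "example.com"       # stands in for the company domain
ALLOWED_ORIGINS = {                  # hypothetical live SSO consumers
    ("https", "login.example.com"),
    ("https", "store.example.com"),
}

def suffix_trust(redirect_uri):
    """Weak rule: any host under the parent domain may receive the token."""
    host = urlsplit(redirect_uri).hostname or ""
    return host == TRUSTED_PARENT or host.endswith("." + TRUSTED_PARENT)

def exact_trust(redirect_uri):
    """Strict rule: scheme and host must match a registered origin exactly."""
    try:
        parts = urlsplit(redirect_uri)
        port = parts.port
    except ValueError:               # malformed host or port
        return False
    if parts.username or parts.password:   # reject user@host confusion
        return False
    if port not in (None, 443):
        return False
    return (parts.scheme, parts.hostname) in ALLOWED_ORIGINS

# Constructed token-destination URLs.
CASES = [
    "https://login.example.com/callback",        # registered consumer
    "https://invite.example.com/collect",        # retired sub-domain, dangling CNAME
    "http://store.example.com/callback",         # right host, cleartext scheme
    "https://store.example.com@attacker.test/",  # userinfo trick, real host differs
]

def compare():
    """Return (url, weak_decision, strict_decision) for each case."""
    return [(u, suffix_trust(u), exact_trust(u)) for u in CASES]

if __name__ == "__main__":
    for url, weak, strict in compare():
        print(f"{url:45} suffix={weak!s:5} exact={strict}")
```

Under the exact rule, retiring a service means deleting its allowlist entry along with its DNS record, so a forgotten sub-domain cannot receive tokens even if someone else later controls it.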
The Damage Caused
With the access token now in the hands of the attacker, he can now log in to the user’s Origin account and view any data stored there, including the ability to buy more games and accessories at the user’s expense. Needless to say, along with this massive invasion of privacy, the financial risks and potential for fraud are vast.
It is important that organizations with customer-facing online portals and similar services carry out proper validation checks on the login pages they ask their users to access. They must also perform thorough and regular hygiene checks on their entire IT infrastructure to ensure they have not left outdated or unused domains online. When attackers are constantly on the lookout for the weakest link in your company’s online presence, these often unknown and unprotected pages can easily serve as a backdoor to your enterprise’s main network.
It is also strongly advised that users enable two-factor authentication. With it enabled, a user logging into their account from a new device is required to enter a security code that is sent via email to the account owner.
For consumers, it is highly advised to only use the official website when downloading or purchasing games. It is also important that parents make their children aware of the threat of online fraud and warn them that cyber criminals will do anything to gain access to personal and financial details which may be held as part of a gamer’s online account.
The underlying takeaway, however, is to always be vigilant when receiving links sent from unknown sources. After all, many phishing attacks need no further action from the user beyond clicking on the link to be successful.
With so much data stored online, especially in the cloud, the way that data is accessed must be thoroughly reviewed and improved on a regular basis. Despite regulations such as GDPR, data breaches via account takeovers still occur on an almost daily basis and the damage they cause can easily impact on whether or not an organization is able to game on.