Vulnerability analysis specialists have discovered a set of security flaws in the Origin online video game store, developed by Electronic Arts (EA). These flaws in the platform would have exposed the accounts of more than 300 million gamers worldwide, as cybersecurity firms Check Point Research and CyberInt reported.
In the reports, experts indicate that
vulnerabilities in Origin would have allowed threat actors to intercept users’
login credentials, perform unauthorized transactions, and download and install
some video
games ( such as The Sims, FIFAM Battlefield, among others) on the
compromised PCs.
Vulnerability analysis experts mention that
reported flaws do not require user interaction for exploitation. Instead, hackers
exploit maintenance-less subdomains and EA Games access tokens,
as well as the TRUST authentication system, which is part of Origin login system.
If exploited, these flaws allow threat actors to take control of users’
accounts, steal information and make purchases on the platform.
Origin is part of EA’s online platform, and
allows users to find friends, join games and manage their profiles; it also
allows players to buy and play games for various platforms. A successful attack
would even allow hackers to steal information from the victim’s payment cards.
The first stage of the attack is to abuse an
abandoned subdomain (ea-invite-reg.azurewebsites.net). “Using an Azure account we were able to
register this subdomain as a service from our web application, which allowed us
to monitor requests from legitimate EA users”, the experts mentioned. Then
the second stage of the attack begins, in which hackers abuse EA access tokens
and the TRUST authentication mechanism.
According to the vulnerability analysis experts
from the International Institute of Cyber Security (IICS), EA received the
vulnerability report and is working on a security update to correct the
inconveniences. In addition, the platform recommends that users implement
two-factor authentication to access their accounts; among other measures, EA
remembers that it is best to download content only from the official website.
