EA Origin exploit potentially exposed 300 million users to attack

The flaws are patched but they showcased the dangers of vulnerabilities in interconnected authentication systems

Origin gift cards

A chain of vulnerabilities in Electronic Arts' (EA) Origin PC gaming client which could have potentially impacted 300 million global users have been discovered by security researchers.

Check Point Research and CyberInt discovered the vulnerabilities which could have seen attackers compromise a player's session and completely take over an Origin account without obtaining any login credentials.

Origin is one of the biggest PC gaming clients around, with blockbuster titles such as FIFA, Madden, Battlefield, The Sims and Star Wars Battlefront on its roster. It has 300 million global users that could have been vulnerable to the exploits.

The problems have now been patched and there is no evidence they were ever exploited by attackers. Malicious actors could have taken advantage of abandoned subdomains and EA Games' use of authentication tokens in conjunction with the OAuth Single Sign-On (SSO) and TRUST mechanism built into EA Game's user login process.

The researchers were able to show EA how the exploitation of these interconnected systems could lead to account compromise without users handing over login credentials.

"EA's Origin platform is hugely popular; and if left unpatched, these flaws would have enabled hackers to hijack and exploit millions of users' accounts," said Oded Vanunu, head of products vulnerability research for Check Point. "Along with the vulnerabilities we recently found in the platforms used by Epic Games for Fortnite, this shows how susceptible online and cloud applications are to attacks and breaches.

"These platforms are being increasingly targeted by hackers because of huge amounts of sensitive customer data they hold," he added.

Attacks on gaming clients and marketplaces are some of the most lucrative around, according to Itay Yanovski, co-founder and SVP strategy for CyberInt. This is because sensitive details from a mass customer base can be bought and sold on dark web market places and used for criminal activity.

"Protecting our players is our priority," said Adrian Stone, senior director, game and platform security at Electronic Arts. "As a result of the report from CyberInt and Check Point, we engaged our product security response process to remediate the reported issues.

"Working together under the tenet of Coordinated Vulnerability Disclosure strengthens our relationships with the wider cybersecurity community and is a key part of ensuring our players stay secure." 

Featured Resources

How to be an MSP: Seven steps to success

Building your business from the ground up

Download now

The smart buyer’s guide to flash

Find out whether flash storage is right for your business

Download now

How MSPs build outperforming sales teams

The definitive guide to sales

Download now

The business guide to ransomware

Everything you need to know to keep your company afloat

Download now

Recommended

Cisco to acquire threat intelligence provider Kenna Security
Acquisition

Cisco to acquire threat intelligence provider Kenna Security

14 May 2021
What is the Computer Misuse Act?
Policy & legislation

What is the Computer Misuse Act?

14 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
What’s next for the education sector?
Whitepaper

What’s next for the education sector?

14 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
Dell XPS 17 (2021) review: A big laptop for big jobs
Laptops

Dell XPS 17 (2021) review: A big laptop for big jobs

10 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021