Game Over for Hackers: Critical Account Takeover Vulnerability Discovered and Patched in EA Games

Gaming is a massive industry that is worth about $138 billion worldwide. Trade in digital in-game items alone will generate $50 billion in worldwide consumer spending by 2022.

As a result of the industry’s recent growth, gaming companies have become extremely attractive and lucrative targets for attacks. Threat actors attempt to hijack players’ online identity for personal gain, steal personal identifying information, login credentials and credit-card details, in addition to fraudulent in-game purchasing.

Cyberint puts its white hat on and finds vulnerabilities in EA gaming platform

To keep digital industries safe, here at CyberInt, we routinely step into cyber attackers shoes to find vulnerabilities. Last year we found that 96% of Fortune 500 companies have poor security hygiene when it comes to managing their subdomains, a phenomenon we coined as ‘subdomain hijacking’. As part of our ongoing research, we, along with Check Point Software Technologies Lmtd, discovered that EA also shared this phenomenon, as we uncovered a simple and easy entry point for threat actors. These vulnerabilities, once exploited could have led to the takeover of a tens of millions of accounts utilizing EA’s SSO user authentication process.

EA’s Origin client is insanely popular, and includes multi-million player hits such as APEX Legends, Bejeweled, Star Wars, ANTHEM, FIFA, NFL, NBA. If left unpatched, these flaws would have enabled hackers to hijack and exploit hundreds of millions of users’ accounts, an attraction point for threat actors as even small amounts of money per user can add up to significant gains, as well as fame.

We responsibly disclosed the vulnerabilities as soon as we proved its feasibility, allowing EA to fix and update their application and processes without awakening threat actors’ instinct to hack gamers. Now that EA’s 300 million players are safe, we are going public with the discovery. Here is a short summary of our findings.

Account Takeover Vulnerability Part 1: Subdomain hijacking

EA games operates several domain names to provide global access to various services for their multi-million player audience, for example ea.com and origin.com.

As a standard industry practice for seamless customer experience across their different applications and domains, EA engineers have enabled token sharing from the main domain to associated subdomains. This way a user doesn’t have to login each time they enter an EA subdomain.

The Problem: Subdomains no longer in use by EA were still redirecting to EA’s official domain, providing threat actors with a direct path into EA’s environment.

“During our research we found that ea-invite-reg.azurewebsites.net service is no longer in use within Azure cloud services. However, the unique subdomain eaplayinvite.ea.com still redirects to it using the CNAME configuration.”

This allowed us to create a new registration request on EA’s Azure account, hijacking the subdomain eaplayinvite.ea.com.

At this point we were able to monitor the requests made by EA valid users. If we were the real hackers – this would have become our foothold into the company’s digital assets from where we would launch our account takeover attack.

Account Takeover Vulnerability Part 2: Abusing trust mechanism

We then managed to redirect an authenticated EA player to our servers. Next, we wanted to see if we could go further and take advantage of the trust mechanism that exists between ea.com and origin.com domains and their subdomains to fully control a player’s account.

Despite the fact that EA games did not make our lives easy by implementing security measures in line with the best industry practices, we were able to trick users into visiting a malicious landing page that contained the payload, which enabled us to eventually hijack the session.

The problem: With subdomain hijacking and a bit of code, we were ultimately able to hijack a legitimate user session.

EA applies patches

As soon as we disclosed this sub-domain hijacking vulnerability,  EA swiftly responded to our findings. An update was immediately rolled out and patched before vulnerabilities could be exploited by threat actors.

Moreover, EA’s cybersecurity team has significantly strengthened its domain-creation policies across the entire organization to avoid subdomain hijacking in the future.

“Battling hackers is an unending chess match between intelligent, determined people. There have been many notorious breaches, but this is a case where the ‘good guys’ got ahead of the bad guys,” says Alex Peleg, CyberOps Technical Leader at CyberInt.

Digital gaming businesses have to carefully balance user experience and cybersecurity, which is not an easy task. Other gaming organizations should check their vulnerabilities as they relate to subdomain security, tokens and SSO management.

Now that EA addressed the vulnerability and 300 million users are safe, we are going public with the discovery. For all the technical bits of how we were able to hijack a valid EA gamer account, download the full report.