Plugged before pwnage
Vulnerabilities in Electronic Arts’ Origin gaming platform that left the door open to account hijacking have been fixed.
A chain of vulnerabilities created a possible mechanism for an attacker to view a user’s credit card information and take over a target’s Origin account to fraudulently purchase in-game currency, among other exploits.
The problem – discovered by a team of researchers from Check Point and CyberInt – stemmed from flaws in EA’s authentication system and login process.
More specifically, EA’s use of authentication tokens in conjunction with the OAuth Single Sign-On (SSO) and TRUST mechanism was flawed.
The proof-of-concept attack developed by researchers relied, in part, on hijacking a redundant subdomain set up by EA on Azure.
Even subdomains no longer used by EA were still redirecting to EA’s official domain, offering avenues to exploit within EA’s environment.
“During our research we found that ea-invite-reg.azurewebsites.net service is no longer in use within Azure cloud services,” CyberInt explains in a blog post. “However, the unique subdomain eaplayinvite.ea.com still redirects to it using the CNAME configuration.”
After creating a new registration request on EA’s Azure account, hijacking the subdomain eaplayinvite.ea.com in the process, the researchers were able to monitor requests made by valid EA users.
This brought the second part of the attack into play.
Researchers were able to abuse TRUST mechanism exists between ea.com and origin.com domains and their subdomains in order to manipulate the OAuth process, creating a means to steal tokens and hijack accounts in the process.
Daniela Perlmutter, a security researcher at CyberInt, explains: “Despite the fact that EA games did not make our lives easy by implementing security measures in line with the best industry practices, we were able to trick users into visiting a malicious landing page that contained the payload, which enabled us to eventually hijack the session.”
A YouTube video put together by Check Point demonstrated the proof of concept hack.
The attack has some limitations, but was nonetheless exploitable. Fortunately, the games developer already blocked the threat before it was abused to cause any harm.
The Daily Swig has contacted EA for comment.
It’s in the game
This isn’t the first time that the online games behemoth – publisher of FIFA, The Sims, and Medal of Honor, among others – has fallen victim to a web security vulnerability.
Last month, an independent security researcher showed how a URI argument injection flaw in Qt – the open source GUI toolkit behind Origin – could be abused to force the gaming client into loading a backdoored plugin.
It came just a month after the news that a vulnerability in the Origin desktop client left millions of Windows PC gamers vulnerable to pwnage.
Researchers Dominik Penner and Daley Bee of Underdog Security discovered and reported the remote code execution vulnerability to EA, which acted promptly to patch it.