EA Origin is one of many platforms for distributing video games. It features titles such as the Dragon Age series, The Sims, and Battlefield. Unfortunately, the large user base makes the platform a target for security breaches. EA has patched the issue, although this flaw left as many as 300 million user accounts exposed to hijacking. Instead of gathering usernames and passwords, the exploit would have allowed hackers to break into accounts using Single Sign-On tokens instead. These access tokens function similarly to passwords, allowing players to access their accounts using generated codes. This isn't the first instance of such a vulnerability; Check Point discovered a similar issue in Fortnite earlier this year.
Instead of compromising user accounts using phishing methods, many have turned to pilfering these access tokens. Rather than have people enter account information on a website, they can gather tokens without input from the account owner. Malicious code is sufficient to take the information and squirrel it away for use by unknown parties. CTO and Bugcrowd founder Casey Ellis commented on the situation:
The good news is that this is a vulnerability, not the confirmation of a breach. EA was alerted to the critical vulnerability before it could be exploited by malicious actors.
Gaming companies, like EA, tend to grow quickly once their games get traction in the market, and speed to market is the natural enemy of security. Security efforts just can't keep up or often aren't even considered in the software development lifecycle.
This is an interesting vulnerability chain, taking advantage of issues that we see often in the Bugcrowd program: authentication implementation problems, especially around SAML, and squatted/orphaned domains. This news just goes to show that engaging with the whitehat hacker community to perform attack surface discovery, and maintain that feedback loop on an ongoing basis, is the only way to identify these types of issues as they're inevitably released into the wild.
Cybersecurity researchers at CyberInt and Check Point took over the inactive Microsoft Azure URL eaplayinvite.ea.com. The researchers turned the innocuous domain into a phishing lure. Players were likely to trust the EA domain link in documentation. Code on the website allowed the researchers to steal access tokens meant for the EA servers and divert the information to the researchers. With the accounts now compromised, CyberInt and Check Point contacted EA in mid-February about the security flaw. EA declared it fixed the issue within the span of three weeks.
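The orphaned-subdomain step above is something a defender can audit for: scan your own DNS zone for CNAME records that still point at cloud hostnames whose backing resource has been deleted, since those names are the ones an outsider can claim. The script below is an added example, not code from EA, CyberInt or Check Point; the zone records, the stand-in resolver and the suffix list are constructed assumptions.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Cloud hostname suffixes where a deleted resource's name can be re-registered
# by anyone (illustrative list, an assumption; extend it for your providers).
TAKEOVER_PRONE_SUFFIXES = (".azurewebsites.net", ".cloudapp.net",
                           ".trafficmanager.net", ".blob.core.windows.net")

def is_takeover_prone(target: str) -> bool:
    """True if the CNAME target sits under a service where unclaimed names
    are claimable by third parties."""
    name = target.rstrip(".").lower()
    return any(name.endswith(s) for s in TAKEOVER_PRONE_SUFFIXES)

def find_dangling_cnames(zone: List[Tuple[str, str]],
                         resolve: Callable[[str], Optional[str]]) -> List[Dict[str, str]]:
    """Flag records whose CNAME target is takeover-prone and no longer resolves.
    `zone` holds (owner_name, cname_target) pairs; `resolve` returns an address
    for a name, or None when the name does not exist (NXDOMAIN)."""
    findings = []
    for owner, target in zone:
        if not is_takeover_prone(target):
            continue  # CNAME to a host you control: not claimable by outsiders
        if resolve(target) is None:  # target deprovisioned: the name is free
            findings.append({"owner": owner, "target": target,
                             "risk": "dangling CNAME; target can be re-registered"})
    return findings

# Constructed sample zone: a live site, an orphaned campaign host, an
# internal alias.
SAMPLE_ZONE = [
    ("shop.example.com", "shop-prod.azurewebsites.net."),
    ("invite.example.com", "old-campaign.azurewebsites.net."),  # resource deleted
    ("intranet.example.com", "gateway.corp.example.com."),
]

# Constructed resolver standing in for real DNS lookups (assumption): only
# the live Azure site and the internal host resolve.
FAKE_DNS = {"shop-prod.azurewebsites.net": "203.0.113.10",
            "gateway.corp.example.com": "198.51.100.5"}

def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name.rstrip(".").lower())

if __name__ == "__main__":
    for f in find_dangling_cnames(SAMPLE_ZONE, fake_resolve):
        print(f"{f['owner']} -> {f['target']}: {f['risk']}")
```

In production the `resolve` argument would wrap a real DNS lookup, and any finding should be fixed by deleting the record or re-creating the resource before anyone else can.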
Director of Game and Platform Security Adrian Stone gave a statement to CNET about the issue:
“Protecting our players is our priority. As a result of the report from CyberInt and Check Point, we engaged our product security response process to remediate the reported issues.”
Always, always, always use options like 2-Factor Authentication if it's available. I've learned this the hard way. Usernames and passwords are no longer sufficient these days to protect your accounts.