EA Origin is a game distribution platform that features titles such as the Dragon Age series, Battlefield, and The Sims.
According to reports, EA has patched the issue, but the security flaw left as many as 300 million user accounts exposed to hijacking. Rather than collecting gamers’ usernames and passwords, the exploit would have allowed hackers to break into accounts using Single Sign-On tokens.
These access tokens work just like passwords, allowing players to gain access to their accounts using generated codes. A similar security flaw also occurred in Facebook and the game Fortnite earlier this year, so this is definitely not the first instance of such a vulnerability.
“EA’s Origin platform is hugely popular, and if left unpatched, these flaws would have enabled hackers to hijack and exploit millions of users’ accounts,” Oded Vanunu, head of products vulnerability research for Check Point, said in a statement Wednesday.
Instead of compromising gamers’ accounts using phishing techniques, many attackers have turned to pilfering these access tokens. Rather than having people enter their account information on a website, they can gather tokens without input from the account owner. Malicious code is enough to take the information and squirrel it away for use by anonymous parties. CTO and Bugcrowd founder Casey Ellis also commented on the situation.
The security researchers were able to take control of an EA subdomain under the URL “eaplayinvite.ea.com”, which was an inactive domain hosted on Microsoft’s Azure cloud service. Check Point and CyberInt’s researchers successfully requested to take over the inactive domain from Azure and turned the page into a phishing trap.
“We had the vulnerabilities under control so no other party could have exploited them during the period it took EA to fix,” Alexander Peleg, CyberInt’s head of cyber operations, said in an email. Both CyberInt and Check Point reached out to EA to fix the flaw on 19 February, and the company said it fixed the issue within three weeks. “Protecting our players is our priority,” Adrian Stone, EA’s director of game and platform security, said in a statement provided by the security researchers. “As a result of the report from CyberInt and Check Point, we engaged our product security response process to remediate the reported issues.”
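For teams that manage their own DNS, the inactive Azure-hosted subdomain described above is the kind of record a routine zone audit can catch. The following is an added example, not code from EA, Check Point or CyberInt: it assumes the common case where a subdomain is a CNAME to a cloud-provider hostname (the article does not say how EA's record was configured), and the zone contents, function names and suffix list are constructed for illustration.

```python
import socket

# Azure-owned hostname suffixes that customer subdomains commonly CNAME to.
# Illustrative list, not exhaustive.
AZURE_SUFFIXES = (
    ".azurewebsites.net", ".cloudapp.net", ".cloudapp.azure.com",
    ".trafficmanager.net", ".azureedge.net", ".blob.core.windows.net",
)

# Constructed sample zone export (BIND style); not real records.
SAMPLE_ZONE = """
; constructed sample
www.example.com.     3600 IN CNAME shop-prod.azurewebsites.net.
invite.example.com.  3600 IN CNAME retired-campaign.azurewebsites.net.
docs.example.com.    3600 IN CNAME docs.example.net.
mail.example.com.    3600 IN A     192.0.2.10
"""

def parse_cnames(zone_text):
    """Yield (name, target) for every CNAME line in a zone export."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments
        upper = [f.upper() for f in fields]
        if "CNAME" in upper:
            i = upper.index("CNAME")
            if i >= 1 and i + 1 < len(fields):
                yield (fields[0].rstrip(".").lower(),
                       fields[i + 1].rstrip(".").lower())

def system_resolves(host):
    """True if the system resolver returns any address for host."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def find_dangling(zone_text, resolves=system_resolves):
    """Return CNAMEs that point at an Azure hostname which no longer resolves."""
    return [(name, target) for name, target in parse_cnames(zone_text)
            if target.endswith(AZURE_SUFFIXES) and not resolves(target)]

if __name__ == "__main__":
    # Offline demo: a stub resolver that only knows one live target.
    live = {"shop-prod.azurewebsites.net"}
    for name, target in find_dangling(SAMPLE_ZONE, resolves=live.__contains__):
        print(f"DANGLING: {name} -> {target} (remove or reclaim)")
```

A target that still resolves is not proof the resource belongs to you, so flagged records are a starting point and the full list of cloud-hosted CNAMEs should also be reconciled against the resources the organization actually owns.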