Security holes in EA Origin platform exposed 300 million gamers to account takeover attacks

• The vulnerabilities in EA’s Origin platform could be exploited by abusing authentication tokens and related trust mechanisms.
• Origin is known for digital distribution of some of the popular video games published by EA.

Origin, the digital distribution platform by video game company Electronic Arts (EA), was found containing numerous vulnerabilities that could have led to account takeover attacks on its users. The vulnerabilities were identified by security researchers from Check Point Research and CyberInt. According to the researchers, certain Azure cloud services used for the platform could be exploited for account takeovers.

The big picture

• Researchers identified a subdomain, eaplayinvite.ea[.]com, that can be hijacked by any Azure users.
• Once compromised, a trust mechanism present in the subdomain could be abused for manipulation of the OAuth protocol implemented by EA. The protocol is used for authenticating users in the platform.
• After exploitation, it could allow a complete takeover of accounts belonging to users. The researchers hint that attackers could have used the user’s credit card information to make purchases on behalf of the user.
• In a detailed blog, the researchers described proof-of-concept (PoC) exploits that can successfully perform account takeovers.

Trapping the subdomain

The researchers mention how the Azure services had a vulnerable subdomain. “The CNAME redirection of eaplayinvite.ea.com allows us to create a new successful registration request at our own Azure account and register ea-invite-reg.azurewebsites.net as our new web application service. This allowed us to essentially hijack the subdomain of eaplayinvite.ea.com and monitor the requests made by EA valid users,” the researchers wrote.

EA has fixed these vulnerabilities, which were notified by CyberInt and Check Point. Both the firms assisted EA in resolving them.