Researchers chained together two vulnerabilities in the Electronic Arts (EA) gaming platform and developed a proof-of-concept attack that allowed for possible account takeovers. A successful attack could allow a malicious actor to gain access to a user’s account and steal credit card information or fraudulently purchase in-game currency, according to a report released Wednesday.
The vulnerability specifically impacted EA’s Origin client gaming platform. Origin is an integral part of EA’s online gaming platform, allowing users to find friends, join games and manage their profiles. It also allows gamers to purchase and play EA’s games across PC and mobile platforms and integrates with services such as Facebook, Xbox Live, PlayStation Network and the Nintendo Network.
Mitigations for the vulnerability have been implemented, but the bug potentially could have bitten the gaming platform’s 90 million users, whose titles include FIFA, Madden NFL and Medal of Honor, according to researchers at Check Point Research and CyberInt who collaborated on the research report.
Opening the door to the two-stage proof-of-concept (PoC) attack is EA’s continued reference to an abandoned sub-domain (ea-invite-reg.azurewebsites.net) originally linked to a web application server. EA’s DNS still pointed one of the company’s user registration hostnames (eaplayinvite.ea.com) at that abandoned name, so traffic for the registration host was accidentally still being directed to it.
“During CyberInt’s research, though, [it] found that the ea-invite-reg.azurewebsites.net service was not in-use anymore within Azure cloud services, however the unique subdomain eaplayinvite.ea.com still redirects to it using the CNAME configuration,” Check Point researchers wrote.
A CNAME, or canonical name record, is a resource record in the Domain Name System that makes one hostname an alias for another: a lookup of eaplayinvite.ea.com is answered by looking up ea-invite-reg.azurewebsites.net instead. When the target name is deleted but the alias is left in place, the record is said to be dangling, and whoever can claim the target name on the hosting provider effectively controls the alias.
“The CNAME redirection of eaplayinvite.ea.com allows us to create a new successful registration request at our own Azure account and register ea-invite-reg.azurewebsites.net as our new web application service. This allowed us to essentially hijack the subdomain of eaplayinvite.ea.com and monitor the requests made by EA valid users,” researchers said.
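The dangling-CNAME condition described above is the kind of thing a defender can audit from a zone export. The following Python script is an added example, not code from the Check Point or CyberInt researchers: it scans a constructed zone snapshot for CNAME records whose target no longer resolves and flags those whose target lives under a customer-claimable hosting suffix. The zone entries, the resolver table and the suffix list are constructed for the example (the EA hostnames are taken from the report; the example-corp.test names are made up).

```python
"""Audit a DNS zone snapshot for dangling CNAME records.

Added example for this article, not the researchers' tooling. It runs offline
against a constructed zone and a constructed "what still resolves" table.
"""
import socket
from dataclasses import dataclass

# Hosting suffixes where a deleted name can be re-registered by any other
# customer of the provider. Illustrative list, not exhaustive.
CLAIMABLE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.net",
    ".herokuapp.com",
    ".s3.amazonaws.com",
)

# Constructed zone snapshot: (owner name, record type, target/value).
SAMPLE_ZONE = [
    ("eaplayinvite.ea.com", "CNAME", "ea-invite-reg.azurewebsites.net"),
    ("www.example-corp.test", "CNAME", "web-prod.azurewebsites.net"),
    ("static.example-corp.test", "CNAME", "cdn.example-corp.test"),
    ("mail.example-corp.test", "A", "192.0.2.10"),
]

# Constructed resolver view: the set of names that still resolve. The report
# states the ea-invite-reg service was no longer in use, so it is absent.
SAMPLE_RESOLVES = {
    "web-prod.azurewebsites.net",
    "cdn.example-corp.test",
}


@dataclass(frozen=True)
class Finding:
    owner: str
    target: str
    claimable: bool


def normalize(name):
    """Lower-case a DNS name and drop the trailing dot from zone-file syntax."""
    return name.rstrip(".").lower()


def target_is_claimable(target):
    """True if the target sits under a suffix third parties can register."""
    return any(normalize(target).endswith(s) for s in CLAIMABLE_SUFFIXES)


def find_dangling_cnames(zone, resolves):
    """Return a Finding for every CNAME whose target is not in `resolves`.

    `resolves` is a set of names known to resolve; pass the output of
    live_resolves() for a real audit, or a constructed set for testing.
    """
    findings = []
    for owner, rtype, target in zone:
        if rtype.upper() != "CNAME":
            continue
        target = normalize(target)
        if target in resolves:
            continue
        findings.append(Finding(normalize(owner), target, target_is_claimable(target)))
    # Claimable targets are the actionable ones; list them first.
    return sorted(findings, key=lambda f: (not f.claimable, f.owner))


def live_resolves(names):
    """Build the resolver table from real DNS (not used by the offline demo)."""
    ok = set()
    for name in names:
        try:
            socket.getaddrinfo(name, None)
            ok.add(normalize(name))
        except socket.gaierror:
            pass
    return ok


if __name__ == "__main__":
    for f in find_dangling_cnames(SAMPLE_ZONE, SAMPLE_RESOLVES):
        tag = "CLAIMABLE" if f.claimable else "dangling"
        print(f"{tag}: {f.owner} -> {f.target}")
```

For a live audit, collect the CNAME targets from the zone export, call `live_resolves()` on them, and pass the result as the second argument; a claimable finding means the alias should be removed or repointed before the target name is re-registered by someone else.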
That opens the door for stage two of the attack, which takes advantage of EA’s use of authentication tokens in conjunction with the OAuth Single Sign-On (SSO) flow and the TRUST mechanism built into EA’s user login process, according to researchers.
“Having control over the eaplayinvite.ea.com subdomain led our research team to a new goal of figuring out how we can abuse the TRUST mechanism,” researchers wrote. “The TRUST mechanism exists between ea.com and origin.com domains and their subdomains. Successfully abusing the mechanism enabled our research team to manipulate the oAuth protocol implementation for full account take-over exploitation.”
OAuth is a commonly used authorization protocol. In OAuth, an authorization server issues access tokens to client applications, which lets a user grant one site limited access to an account held at another provider and reuse the same digital identity across the internet. It, along with OpenID, is perhaps best known as the easiest way for users to log in to sites with an account from a provider like Google or Twitter without handing that provider’s credentials to the site they are logging in to.
Researchers say there are parallels to a similar issue that Epic Games faced in January with its Fortnite gaming platform. In that instance, a leaky Fortnite single sign-on mechanism could have allowed hackers to access game accounts. In both the case of EA and Epic Games, an attacker could create a malicious link using a legitimate sub-domain to trigger the attack.
In the case of EA, researchers said they were able to redirect an authenticated EA player to their booby-trapped server. “We were able to do this after they visited the oAuth SSO authentication iframe [embedded in a spoofed EA gaming webpage] and so were then able to log the incoming request within our servers,” researchers noted.
Researchers devised a way to pull token data from the SSO oAuth process.
“The token was sent to our servers within the HTTP Referer header since the player was redirected through several oAuth SSO URLs using our malicious Iframes. The last redirection on signin.ea.com redirected the player to our server using window.location JavaScript function. It contained the SSO token of the player and allowed us to take control over it,” they said.
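The leak described in that quote depends on the browser including the full URL of the previous page, token and all, in the Referer header of a cross-origin navigation. The following Python script is an added example, not code from the report: it models the browser’s Referrer-Policy rules for a top-level HTTPS navigation and shows which policies let a token carried in a URL query string reach a cross-origin destination. The source and destination URLs and the token value are constructed for the example; the policy names are the standard Referrer-Policy values.

```python
"""Model which Referrer-Policy values leak a URL-borne token via Referer.

Added example for this article, not the researchers' code. It models the
W3C Referrer Policy rules for a navigation from `source` to `dest` and
ignores details such as iframe sandboxing that do not change the outcome.
"""
from urllib.parse import urlsplit, urlunsplit

POLICIES = (
    "no-referrer",
    "no-referrer-when-downgrade",
    "origin",
    "origin-when-cross-origin",
    "same-origin",
    "strict-origin",
    "strict-origin-when-cross-origin",
    "unsafe-url",
)

# Constructed URLs: an SSO callback that carries the token in its query string,
# and a cross-origin page the user is subsequently sent to.
SOURCE_URL = "https://signin.example-idp.test/sso/callback?sso_token=CONSTRUCTED_TOKEN_123&state=xyz"
DEST_URL = "https://other-site.example.test/landing"
TOKEN = "CONSTRUCTED_TOKEN_123"


def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}" + (f":{p.port}" if p.port else "")


def full_referrer(url):
    """Referer value browsers send for the whole URL: userinfo and fragment removed."""
    p = urlsplit(url)
    host = p.hostname + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, host, p.path or "/", p.query, ""))


def referer_for(policy, source, dest):
    """Return the Referer header value (or None) for a navigation source -> dest."""
    same_origin = origin_of(source) == origin_of(dest)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(dest).scheme != "https"
    origin_only = origin_of(source) + "/"
    full = full_referrer(source)

    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin_only
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin_only
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown policy: {policy}")


def token_leaks(policy, source, dest, token):
    """True if the token text would appear in the Referer sent to `dest`."""
    ref = referer_for(policy, source, dest)
    return ref is not None and token in ref


def leaking_policies(source=SOURCE_URL, dest=DEST_URL, token=TOKEN):
    """All policies under which the token reaches a cross-origin destination."""
    return [p for p in POLICIES if token_leaks(p, source, dest, token)]


if __name__ == "__main__":
    for p in POLICIES:
        print(f"{p:32} -> {referer_for(p, SOURCE_URL, DEST_URL)}")
```

Two things stand out when the script is run. First, a token placed in the query string leaks under no-referrer-when-downgrade, which was the browser default at the time of the report (Chrome moved its default to strict-origin-when-cross-origin in 2020), so an SSO endpoint that never set a Referrer-Policy was exposed by default. Second, the fix on the issuing side is not to rely on the policy alone: put the token in the URL fragment or a POST body rather than the query, and set `Referrer-Policy: no-referrer` or `strict-origin-when-cross-origin` on any page whose URL can carry a credential.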