EA Origin Had A Potential Leak, But Patched In Time

If you are a PC gamer, then you know that there are numerous platforms out there for distributing games: Epic has one, Bethesda has another, Valve has Steam, and CD Projekt Red has GOG. Unfortunately, the large user base of these platforms makes them a target for security breaches. EA’s Origin launcher (which features titles such as the Dragon Age series, The Sims, and Battlefield) is the latest to be targeted, but the flaw was caught in time. EA has patched the issue, although the flaw left as many as 300 million user accounts exposed to hijacking. Rather than gathering usernames and passwords, the exploit would have allowed hackers to break into accounts using Single Sign-On tokens. These access tokens function just like passwords, allowing players to access their accounts using generated codes. This isn’t the first instance of such a vulnerability; a similar issue in Fortnite was discovered earlier this year.

Instead of compromising user accounts with phishing techniques, many attackers have turned to pilfering these access tokens. Rather than having people enter account information on a website, they can gather tokens without input from the account owner. Malicious code is needed to take the information and hide it away for use by these unknown parties. CTO and Bugcrowd founder Casey Ellis commented on the situation:

“The good news is that this is a vulnerability, not the confirmation of a breach. EA was alerted to the critical vulnerability before it could be exploited by malicious actors.

Gaming companies, like EA, have a tendency to grow rapidly once their games get traction in the market, and speed to market is the natural enemy of security. Security efforts just can’t keep up or often aren’t even considered in the software development lifecycle.

This is an interesting vulnerability chain, taking advantage of issues that we see frequently in the Bugcrowd program: authentication implementation problems, specifically around SAML, and squatted/orphaned domains. This news just goes to show that engaging with the whitehat hacker community to perform attack surface discovery, and maintain that feedback loop on an ongoing basis, is the only way to identify these types of issues as they are inevitably introduced into the wild.”

Cybersecurity researchers at CyberInt and Check Point took over an inactive Microsoft Azure URL, eaplayinvite.ea.com, and turned the innocuous domain into a phishing trap. Players were much more likely to trust a link on an EA domain. The code on the website allowed the researchers to steal access tokens intended for the EA servers and divert them to the researchers. With the accounts now compromised, CyberInt and Check Point contacted EA in mid-February regarding the security flaw. EA said it fixed the issue within three weeks.
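A defender-side check for the orphaned-domain problem described above, as an added example that is not part of the original article or EA's tooling: it audits a zone export for CNAME records that point at cloud hostnames which no longer resolve or are not in the organization's own inventory. All hostnames, the sample data and the function names are constructed assumptions.

```python
import socket

# Cloud suffixes where a released hostname can be registered by another tenant.
CLAIMABLE_SUFFIXES = (".azurewebsites.net", ".cloudapp.azure.com", ".trafficmanager.net")

def normalize(host):
    return host.strip().rstrip(".").lower()

def dns_resolves(host):
    """Live lookup; pass a stub instead when auditing offline."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def audit_zone(cnames, owned_targets, resolves=dns_resolves):
    """cnames: {record name: CNAME target}. owned_targets: cloud hostnames the
    organization has provisioned today. Returns (name, target, reason) tuples."""
    owned = {normalize(t) for t in owned_targets}
    findings = []
    for name, target in sorted(cnames.items()):
        t = normalize(target)
        if not t.endswith(CLAIMABLE_SUFFIXES):
            continue  # not hosted on a claimable platform
        if not resolves(t):
            findings.append((normalize(name), t, "dangling: target no longer exists"))
        elif t not in owned:
            # Resolving is not proof of safety: someone else may hold the name.
            findings.append((normalize(name), t, "unowned: target is live but not ours"))
    return findings

# Constructed sample data (placeholder names, not real records).
SAMPLE_ZONE = {
    "www.corp.example.": "corp-web.azurewebsites.net.",
    "invite.corp.example.": "corp-invite-old.azurewebsites.net.",
    "promo.corp.example.": "corp-promo.azurewebsites.net.",
    "mail.corp.example.": "mx.mailhost.example.",
}
SAMPLE_OWNED = ["corp-web.azurewebsites.net"]
SAMPLE_LIVE = {"corp-web.azurewebsites.net", "corp-promo.azurewebsites.net"}

if __name__ == "__main__":
    for name, target, reason in audit_zone(SAMPLE_ZONE, SAMPLE_OWNED, lambda h: h in SAMPLE_LIVE):
        print(f"{name} -> {target}: {reason}")
```

The second finding type matters as much as the first: a record whose target resolves but is missing from the inventory may already be held by someone else.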

Director of Game and Platform Security Adrian Stone gave a statement regarding the issue:

“Protecting our players is our priority. As a result of the report from CyberInt and Check Point, we engaged our product security response process to remediate the reported issues.”

If there is one thing you can do to protect yourself, it’s always to enable options like 2-Factor Authentication, if available. In today’s digital age, usernames and passwords are no longer sufficient to protect your accounts (I should know as it has happened to me in the past).

As always, stay with us at GamingLyfe for more news.

Written by
A survivor of the 16-bit console wars, fan of horror films, and pro-wrestling. Lover of all things Sega.
