Millions of Electronic Arts (EA) player accounts were recently at risk of being taken over by hackers thanks to a “chain of vulnerabilities,” security researchers say.
In a worst-case scenario, cybercriminals could exploit flaws to gain access to a user’s credit card information and fraudulently purchase in-game currency while posing as the legitimate user. The vulnerabilities did not require a user to hand over passwords, experts alleged.
The issues were found by researchers from Check Point Research and CyberInt—two cybersecurity companies headquartered in Israel—and swiftly reported to the video game goliath.
The flaws impacted EA’s gaming client, Origin, which provides access to games, social features and downloadable content to the firm’s 300 million registered players. The service is host to a slew of popular games, including FIFA 19, Battlefield V, The Sims and Apex Legends.
“If a hacker had exploited the flaws, they could have taken over a legitimate Origin user’s entire account,” Oded Vanunu, Check Point’s head of product vulnerability research, told Newsweek prior to the release of the joint research report, now available online.
“They [hackers] would be able to lock the real user out by changing passwords, impersonate them to online friends and access personal account data,” the chief researcher added.
The bugs were never abused, the experts said. Instead, the two firms developed a proof of concept and sent details of the vulnerabilities to EA, which has since patched them. “EA responded immediately and addressed the issues as a priority,” Vanunu told Newsweek.
According to Check Point, cybercriminals could have taken advantage of misconfigurations in the Microsoft Azure cloud platform and subdomains allegedly “abandoned” by EA.
In a second stage of the attack, hackers could access sign-in tokens due to issues in a system designed to let users on EA’s platform enter their accounts without having to re-enter login details every time. Experts said this method is increasingly being used by criminals.
“With the access token now in the hands of the attacker, [he or she] can now log in to the user’s Origin account and view any data stored there, including the ability to buy more games and accessories at the user’s expense,” Check Point’s analysis said. “Needless to say that along with this massive invasion of privacy, the financial risks and potential for fraud is vast.”
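The first stage described above, an abandoned subdomain still pointing into a cloud provider's namespace, is something a zone owner can check for. The following is an added illustration, not code from EA, Check Point or CyberInt: the DNS records, the suffix list and the resolver are all constructed so it runs offline.

```python
"""Flag CNAME records that point at cloud-managed hostnames nobody controls any more.

Added example (not EA's or Check Point's code). Records and the resolver are
constructed so the check runs offline; swap in a real zone export and a real
lookup function to use it against your own estate.
"""

# Azure-managed suffixes under which a released name can be registered by anyone.
# Assumed list for the example; extend it with the suffixes your estate uses.
AZURE_SUFFIXES = (".azurewebsites.net", ".cloudapp.net", ".trafficmanager.net",
                  ".blob.core.windows.net", ".azureedge.net")

# Constructed zone export: (record name, type, target).
SAMPLE_RECORDS = [
    ("promo.example.com", "CNAME", "promo-app.azurewebsites.net"),
    ("www.example.com", "CNAME", "web-prod.azurewebsites.net"),
    ("mail.example.com", "MX", "mail.example.com"),
    ("old-event.example.com", "CNAME", "event-2017.cloudapp.net"),
]

# Constructed resolver results: what a live lookup of each target would return
# (None stands for NXDOMAIN, i.e. the cloud resource has been released).
FAKE_DNS = {
    "promo-app.azurewebsites.net": None,
    "web-prod.azurewebsites.net": "203.0.113.10",
    "event-2017.cloudapp.net": None,
}


def is_cloud_managed(target):
    """True when the CNAME target lives in a namespace a third party could claim."""
    return target.lower().rstrip(".").endswith(AZURE_SUFFIXES)


def find_dangling(records, resolve):
    """Return (name, target) pairs whose cloud-managed target no longer resolves.

    A CNAME into a cloud namespace whose target returns NXDOMAIN is the
    takeover precondition: the name still belongs to the zone owner, but the
    resource it points at has been released and could be re-registered.
    """
    dangling = []
    for name, rtype, target in records:
        if rtype != "CNAME" or not is_cloud_managed(target):
            continue
        if resolve(target) is None:
            dangling.append((name, target))
    return dangling


if __name__ == "__main__":
    for name, target in find_dangling(SAMPLE_RECORDS, FAKE_DNS.get):
        print(f"DANGLING: {name} -> {target}  (remove the CNAME or reclaim the resource)")
```

The remediation for each hit is to delete the stale CNAME or re-provision the resource under the same name before anyone else can.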
An EA spokesperson said protecting players is a priority.
“This was reported to EA privately through our Coordinated Vulnerability Disclosure program. As soon as the issue was raised, EA [worked] to resolve the vulnerability reported,” read a statement sent to Newsweek via email. “We also closely monitored the situation and were able to verify that the vulnerability was not exploited and no player information was exposed.”
It is not the first time Electronic Arts has resolved a cybersecurity bug with Origin. In April, as reported by TechCrunch, experts from Underdog Security found a flaw that could be abused to dupe gamers using Windows machines into running malicious code on their computer.
A Check Point representative told Newsweek the newly disclosed bugs were separate from those unearthed by Underdog, which could also be exploited for account takeovers.
“Although this vulnerability is fixed, we recommend users employ two-factor authentication,” Vanunu said when asked how users can stay protected. “Only use the official EA website when purchasing games, and not via links from known or unknown sources.”