EA Rushes to Fix Cloud Flaws
Written by Karolis Liucveikis on
EA, undoubtedly one of the world’s major players in the games industry in terms of both releases and sales, is not immune to security issues, like any company reliant on the Internet. The company has a reputation for generating bad press, whether from business practices or unfulfilled promises relating to games. However, when a company, in conjunction with security firms, finds and fixes a security flaw that could negatively affect millions of customers, a certain amount of positive acknowledgment should be given. In this instance, the flaws, discovered by security firms Check Point and CyberInt, formed a chain of vulnerabilities which, if exploited, could result in an attacker taking over millions of user accounts.
In both a blog post and a press release, the researchers detail the flaw and the possible ramifications if exploited. The chain of vulnerabilities exploits EA Games' use of authentication tokens in conjunction with the OAuth Single Sign-On (SSO) and trust authentication mechanism that is built into the login process. When exploited, a threat actor would be able to hijack a player’s session, resulting in compromise and at worst complete account takeover. Further, a complete account takeover would give the threat actor access to a wealth of information including credit card details. These details could then be used to fraudulently buy in-game currency on behalf of the compromised user, which the threat actor could then use. Most worryingly, had the flaw been exploited in the wild before it was patched, it would have required no information to be handed over to the threat actor by the user.
In summary, the flaw resided in a misconfiguration in the cloud environment. In an interview with ZDNet, Oded Vanunu, head of products vulnerability research for Check Point, said that,
“What we saw was a gap in a misconfigured cloud environment. So what we added was a subdomain which had officially been terminated by EA, but in the application level, the subdomain level was still there. We could open an instance on Azure and call it the same name and the application still calls the domain. There was still JavaScript from these domains all over which we identified and we used them to manipulate the threat.”
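The condition described in the quote, a DNS name that still points at a cloud resource nobody owns any more, can be audited from a zone export. The following is an added example, not code from the researchers or EA; the domain, records and resolver state are constructed, and the suffix list is an assumption to adapt to the providers in use.

```python
import socket

# Cloud-hosting suffixes under which a released name can be registered again.
# Azure examples; this list is an assumption and should match your providers.
CLAIMABLE_SUFFIXES = (".azurewebsites.net", ".cloudapp.net",
                      ".cloudapp.azure.com", ".trafficmanager.net")

def system_resolves(hostname):
    """Return True if the hostname currently resolves via the system resolver."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False

def find_dangling_cnames(records, resolves=system_resolves):
    """records: iterable of (name, rtype, target) tuples from a zone export.
    Returns CNAMEs whose claimable cloud target no longer exists."""
    findings = []
    for name, rtype, target in records:
        if rtype.upper() != "CNAME":
            continue
        target = target.rstrip(".").lower()
        if target.endswith(CLAIMABLE_SUFFIXES) and not resolves(target):
            findings.append((name, target))
    return findings

# Constructed zone export for a placeholder domain (not real EA records).
SAMPLE_ZONE = [
    ("www.example.test", "A", "192.0.2.10"),
    ("shop.example.test", "CNAME", "shop-prod.azurewebsites.net."),
    ("promo.example.test", "CNAME", "promo-2017.cloudapp.net."),
    ("mail.example.test", "CNAME", "mx.mail-provider.invalid."),
]

# Constructed resolver state: only the cloud service still in use exists.
LIVE_TARGETS = {"shop-prod.azurewebsites.net"}

def sample_resolver(hostname):
    return hostname in LIVE_TARGETS

if __name__ == "__main__":
    for name, target in find_dangling_cnames(SAMPLE_ZONE, sample_resolver):
        print(f"DANGLING: {name} -> {target} (remove the record)")
```

A target that fails to resolve is a heuristic signal; records flagged this way should be removed or confirmed against the cloud account's resource inventory.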
Once the domain was set up, the researchers examined the single sign-on mechanism of Origin, EA’s digital download platform, and found that it exchanged the user's login credentials for a unique key that authenticates the user to the EA network, all without needing to re-enter credentials. By doing this and abusing EA’s implemented trust mechanism, it became possible to redirect users to log in via the hijacked subdomain. To exploit this in a real-world scenario, a threat actor could make use of a phishing attack, a social engineering attack traditionally used to steal credentials from victims, sent over Origin’s own communications platform or another chat application, to trick the user into clicking the link.
Even the most skeptical user could fall for this, as they would believe the link to be authentic, coming directly from Origin’s own communications platform. The ultimate consequence of such an attack would be allowing the attacker access to all the user’s personal data. This data includes the real name, date of birth, and access to payment information, or the attack could even result in the account being sold. Fortunately, EA was quick to patch the flaws according to the researchers' recommendations, with Adrian Stone, senior director for game and platform security at EA, stating that
“As a result of the report from CyberInt and Check Point, we engaged our product security response process to remediate the reported issues.”
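The trust problem in the paragraph above can be shown from the defender's side by comparing two ways a login service might validate a redirect target. This is an added example, not EA's code; it assumes, for illustration, that the weak check trusts any host under the parent domain, and the domain, host inventory and sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Assumptions for illustration: a placeholder parent domain and a
# maintained inventory of login-related hosts that are still in service.
PARENT_DOMAIN = "example.test"
ACTIVE_HOSTS = {"accounts.example.test", "store.example.test"}

def trusts_by_suffix(redirect_url):
    """Weak check: every host under the parent domain is trusted, so a
    retired subdomain that someone else re-registers is trusted too."""
    host = (urlsplit(redirect_url).hostname or "").lower()
    return host == PARENT_DOMAIN or host.endswith("." + PARENT_DOMAIN)

def trusts_by_allowlist(redirect_url):
    """Hardened check: HTTPS only, no embedded credentials, default port,
    and an exact match against hosts known to be in service."""
    try:
        parts = urlsplit(redirect_url)
        port = parts.port
    except ValueError:          # malformed host or port
        return False
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    host = (parts.hostname or "").lower()
    return port in (None, 443) and host in ACTIVE_HOSTS

# Constructed redirect targets; promo.example.test stands for a retired host.
SAMPLES = [
    "https://accounts.example.test/callback",
    "https://promo.example.test/callback",
    "http://accounts.example.test/callback",
    "https://accounts.example.test.attacker.invalid/callback",
]

def compare(urls=SAMPLES):
    """Return (url, weak_result, hardened_result) for each sample."""
    return [(u, trusts_by_suffix(u), trusts_by_allowlist(u)) for u in urls]

if __name__ == "__main__":
    for url, weak, hardened in compare():
        print(f"{url:58} suffix={weak!s:5} allowlist={hardened}")
```

The retired host passes the suffix check but fails the allowlist, which is the gap that lets a re-registered subdomain inherit the parent domain's trust.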
Gamers a Target
Gamers, as well as platforms selling games to the publishers themselves, are increasingly becoming targets for threat actors. There are multiple reasons for this, but one such reason is how lucrative gaming goods, such as skins, have become on both official and unofficial marketplaces. If there is quick cash to be made with relative ease, it almost instantly means you are a target for a hacker, be they part of a larger criminal organization or someone just looking to make money from stealing what others paid for or earned. In December 2018, the BBC published an article on how teenage hackers were able to make thousands of pounds a week stealing private gaming accounts and selling them on to those looking to get a leg up on the competition in a less than ethical way.
A mix of a lucrative market and those looking to unlock easy mode on their playtime will continue to fuel the flames, and gamers, and their parents if they are under certain ages, should be aware that they are targets. To that extent, there are measures that can be taken to improve your security posture online. Perhaps the first, and easiest to implement, is enabling two-stage authentication. Having a robust password or downloading a password manager is another tried and tested way to help prevent accounts being compromised. The flaw discussed above, which has already been patched, would require a knowledgeable hacker to exploit. That does not mean that security when gaming should be taken for granted. A lot of other less experienced hackers are using tried and tested phishing techniques to gain access to accounts, and being knowledgeable about the risks can help prevent the frustration and anger of losing an account you spent ages gaming on. Rather let the frustration come from the games themselves than from somebody looking to make easy money.