Last Thursday, security firms CheckPoint Software and CyberInt disclosed details of a collection of vulnerabilities found within the login process of the Origin online gaming platform operated by Electronic Arts. They worked with EA to resolve them.
TL;DR: EA Origin users should enable two-factor authentication (see this link for details) and only use the official Origin website to download or purchase games. Also, please make certain the version of the Origin client you are using is the most up to date; version 10.5.38 for PC adds additional security measures. Finally, always be cautious when receiving links from unknown sources.
How could attackers have exploited these vulnerabilities?
EA uses Microsoft Azure to give players worldwide access to games, allowing them to purchase games and to access the Origin social network. The chain of vulnerabilities did not require the user to hand over any login details; instead it made use of authentication tokens, OAuth single sign-on (SSO) and the TRUST mechanism used during the login process. Definitions of these terms are provided in the glossary below.
The various services offered by EA are each hosted on a separate sub-domain, e.g. eaplayinvite.com. The researchers found one whose DNS record still pointed at a host that was no longer in use, ea-invite-reg-azurewebsites.net. Since that name was now unclaimed, the researchers registered it themselves.
Because of issues the researchers discovered within the TRUST login mechanism, they were able to redirect the destination of the SSO token to their newly acquired domain. With this accomplished, the researchers could access an Origin account of their choice and the data it contains, and could buy games while charging the purchases to the original owner of the account.
What can we learn from this disclosure?
Corporations operating online accounts need to carry out validation checks on the login pages their users interact with. The domains used by their services should also be audited regularly to make certain no records still point at hosts that are no longer in use.
For the users of these services, enabling two-factor authentication means that a new device accessing the account will be prompted for a security code the attacker does not have. Parents and children should be aware that cyber criminals will attempt to trick them with legitimate-looking links. Please only access the official pages by typing the address into your browser's address bar (or make use of a saved, known-safe bookmark).
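The domain audit described above can be automated. The following Python check is an added example, not code from the original article or from EA: it walks a zone's CNAME records and flags any whose target no longer resolves, noting when the target sits on a hosting service where an abandoned name can simply be re-registered by someone else (the pattern behind the Origin sub-domain). The record set, the hosting-suffix list and the resolver are constructed inline so it runs offline; a real run would swap in live DNS lookups.

```python
"""Audit CNAME records for dangling targets (constructed example, not EA's data)."""
from typing import Callable, Dict, List, Tuple

# Hosting suffixes where an unclaimed target hostname can be registered by anyone.
# This list is an assumption for the example, not an exhaustive inventory.
TAKEOVER_PRONE_SUFFIXES = (".azurewebsites.net", ".cloudapp.azure.com",
                           ".s3.amazonaws.com", ".github.io", ".herokuapp.com")


def is_takeover_prone(target: str) -> bool:
    """True if the CNAME target lives on a self-service hosting platform."""
    t = target.rstrip(".").lower()
    return any(t.endswith(suffix) for suffix in TAKEOVER_PRONE_SUFFIXES)


def find_dangling_cnames(records: Dict[str, str],
                         resolves: Callable[[str], bool]) -> List[Tuple[str, str, str]]:
    """Return (hostname, cname_target, reason) for every record whose target is dead.

    `records` maps our own hostnames to their CNAME targets; `resolves(name)`
    reports whether the target currently has an A/AAAA answer."""
    findings = []
    for host, target in sorted(records.items()):
        if resolves(target):
            continue  # target is alive; nothing to report
        reason = "dangling CNAME: target does not resolve"
        if is_takeover_prone(target):
            reason += "; target is on a hosting service where the name can be re-registered"
        findings.append((host, target, reason))
    return findings


# Constructed sample zone: placeholder names, not real EA records.
SAMPLE_RECORDS = {
    "invite.example-games.test": "old-invite-app.azurewebsites.net",  # app deleted, CNAME left behind
    "shop.example-games.test": "shop-prod.azurewebsites.net",         # still live
    "blog.example-games.test": "retired-blog.example-hosting.test",   # dead, but not self-service hosting
}
LIVE_TARGETS = {"shop-prod.azurewebsites.net"}


def sample_resolver(name: str) -> bool:
    """Stand-in for a real DNS lookup; answers from the fixed LIVE_TARGETS set."""
    return name.rstrip(".").lower() in LIVE_TARGETS


def audit_sample() -> List[Tuple[str, str, str]]:
    """Run the audit over the constructed zone and return its findings."""
    return find_dangling_cnames(SAMPLE_RECORDS, sample_resolver)


if __name__ == "__main__":
    for host, target, reason in audit_sample():
        print(f"{host} -> {target}: {reason}")
```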
Authentication token: after a user logs in using their username and password, the identity of the logged-in user and various attributes of their account, e.g. what type of content they can access, are stored within a token (e.g. a JSON Web Token) in encrypted form and then sent to the client (the device the user is accessing the service from). The token (similar to an ID or access card) is stored on the client device and can be presented to the server at any time, replacing the need to enter a username and password to verify the user's identity. The server validates the token before granting the user access to the requested service.
Single sign-on (SSO): when a user logs onto a device or service, their identity can be validated using a username and password and possibly another factor of authentication, e.g. a code sent to their phone or email address. Once validated, the user is provided with a token which can be shared with a central user authentication service known as single sign-on. This service can then act on the user's behalf, authenticating them to multiple services or applications without the need to request further usernames or passwords. Online examples would be Google or Facebook accounts used to log into other accounts or services with the credentials already entered.