Origin Security Vulnerability Could Have Affected 300 Million Players

Game Rant

By Derek Nichols

Published Jun 27, 2019

Security researchers discover a major security flaw on EA Origin that allow hackers to obtain player information without first needing their username or password.

So far, 2019 hasn't quite been the year EA likely envisioned it would be. Along with the disappointing state that Anthem currently finds itself in, the company has once again found itself at the center of the swirling storm that is loot boxes thanks to one of its executives standing up for the practice and calling them surprise mechanics. Unfortunately, the bad news doesn't stop there as a new and very serious vulnerability has been found inside of its PC storefront, EA Origin.

According to security researchers from Check Point and CyberInt, EA Origin contained a flaw that could have allowed hackers to easily obtain user information without first needing to steal usernames and passwords. Instead, hackers could have grabbed a Single Sign-On authorization token, which would have given them complete control. These tokens are codes generated by the system to keep users logged in and are typically more difficult to steal than user passwords.

During the test, researchers were able to grab an authorization token and take control of an inactive EA subdomain that was still being hosted in Microsoft's Azure cloud service. After gaining control of the site, they turned the page into a giant phishing trap, sending a malicious page to players which looked authentic considering it was coming from what appeared to be an official EA domain. With players more likely to trust the link, the embedded code in the page would steal the authentication tokens and send them to the researchers rather than EA.

While this news is no doubt scary to the millions of players using EA Origin, Check Point and CyberInt reached out to EA with the findings on February 19. EA confirmed that it had the vulnerability fixed within three weeks following the report.

This latest report comes right on the heels of a bit of positive news for the company following CEO Andrew Wilson and other executives giving their performance bonuses to employees instead. In addition, EA also released the full extended gameplay demo of Star Wars Jedi: Fallen Order earlier in the week due to cries of the game being much too linear. The nearly half an hour of gameplay gives a better look at elements inspired by other franchises like level designs of Castlevania and Metroid, as well as the combat from the Souls series. Plus, it features a lengthy AT-AT vehicle combat sequence.

Source: CNet