EA Fixes Origin Game Platform To Prevent Account Takeovers
Security researchers discovered vulnerabilities in the Origin gaming platform from Electronic Arts (EA) that could have allowed an attacker to take over the accounts of as many as 300 million users.
To pull this attack off, attackers would only have needed victims to click on a legitimate referral link to EA's Origin game distribution platform.
Hijacking a subdomain
Researchers at Check Point and CyberInt found what appears to be an oversight from the gaming company, where one of their subdomains redirected to an abandoned host on Microsoft’s Azure cloud computing service that was free to register by anyone.
"Generally, each service offered by a cloud-based company such as EA Games is registered on a unique subdomain address, for example, eaplayinvite.ea.com, and has a DNS pointer (A or CNAME record) to a specific cloud supplier host, ea-invite-reg.azurewebsites.net, which runs the desired service in the background, in this case a web application server."
Since it was no longer in use, the researchers were able to register "ea-invite-reg.azurewebsites.net" as the name of their own web application service on Azure. Since the CNAME record was still active, the researchers received all requests made by EA users through "eaplayinvite.ea.com."
Bypassing limitations
Hijacking the subdomain was not enough to pull off the account takeover attack, though, but it helped the researchers look for a way to leverage this kind of access in a way that would benefit a hacker.
Looking at EA's implementation for the single sign-on (SSO) mechanism responsible for handling authentication across EA's online services allowed researchers to learn how it worked.
"As part of a successful authentication process with EA global services via answers.ea.com, an oAauth HTTP request is sent to accounts.ea.com in order to get a new user SSO token, then the application should redirect it through signin.ea.com to the final EA service called answers.ea.com to identify the user," Check Point explains in a technical analysis of the attack.
By modifying the "returnURI" parameter in the HTTP request to the hijacked subdomain, it was possible to learn the EA service address the SSO token was generated for.
Manipulating the requests to get the token sent to the hijacked domain did not work, though, because of some security implementations on EA's part.
One of them was to check if the request came from a trusted Origin domain by looking at the HTTP referer header. Bypassing this validation required embedding an iframe with a trusted domain to initiate the authentication request.
Another limitation was a jQuery function involved in the token redirection process. Unless the destination server, "eaplayinvite.com" in this case, is trusted the token redirect fails.
The researchers found that a request to signin.ea.com that contained the "redirectback" parameter. The effect was a redirection of authenticated EA players to the researchers' server without the victim's SSO token; but this enabled logging incoming requests, which included the access token in the HTTP referer value.
Armed with the authentication value, an attacker could access EA user accounts as if they were the owners. This also allows stealing the victim's session ID and using it with the hacker's credentials to bypass authentication and purchase virtual goods with the victim's payment card.
The researchers demonstrate in the video below the impact of these vulnerabilities should a malicious actor have found and exploited them:
Gloss