EA’s Origin user accounts could have been hijacked by savvy hackers
EA’S GAMING PLATFORM Origin was found to contain a chain of flaws that, if exploited, could have led to an account takeover and potentially exposed some 300 million users to hacking attempts.
Normally, hacking into a person’s gaming account would require a bit of phishing work to get login details and then sign into the hijacked account. This relies on someone falling for such a plot and not noticing when their account has been logged into, especially if they have two-factor authentication enabled.
But security boffins at Check Point and CyberInt have found a security hole in the way Origin links to EA subdomains that could lead to account takeovers without hackers needing to go on the hunt for credentials.
As Origin is a cloud-based service running on Microsoft Azure, a lot of its features use unique subdomains that connect to specific instances within the cloud provider to provide certain services.
Connecting the subdomain name to a specific host requires the use of a DNS pointer or CNAME record. The researchers cited the example of the eaplayinvite.ea.com domain – presumably used for inviting people to watch an EA Play event online – connecting to the ea-invite-reg.azurewebsites.net host service within Azure. So far so good.
Often those subdomains are used for marketing and promotional purposes, and once done, the instance is shut down and the subdomain is basically abandoned.
However, the researchers found that poor domain name system (DNS) practices mean the subdomain and its CNAME record, used to direct an Origin or EA service to a subdomain’s host, aren’t purged.
Microsoft Azure allows users to register a new specific service name that can be connected to an existing domain or subdomain of an organisation once the CNAME has been validated through Azure’s subdomain validation process.
In effect, if hackers caught wind of an abandoned subdomain with an intact CNAME, as the researchers managed to do, they could set up a unique and potentially malicious service on their own Azure instance that makes use of the hijacked subdomain name, and essentially have an EA or Origin service connect to a rogue site or service.
Once that’s done, hackers could monitor requests made by legit EA and Origin users and capture cookies and single sign-on authentication tokens.
The process behind this is pretty technical and convoluted, so we’ll leave Check Point’s research to explain how the TRUST mechanism and OAuth protocol implementation of EA and Origin get abused. But in short, it effectively leads to an account takeover without the need to suck up user names and passwords.
EA has since patched the flaw, but had it been left open, millions upon millions of users could have been vulnerable to having their accounts hijacked.
Carrying out such an attack might seem pretty tricky and that’s probably one of the reasons it wasn’t exploited out in the wild. But it does showcase how online service providers need to have good DNS hygiene and purge domains and all the bits that go with them when they are no longer needed. µ
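The DNS hygiene check described above can be automated against a zone export. The following is an added example, not code from the article or from the researchers: it flags CNAME records whose cloud-hosted target no longer resolves. The zone text, the suffix list and the function names are assumptions made for illustration.

```python
import socket

# Target suffixes to audit. azurewebsites.net is the one named in the article;
# extend the tuple for other providers (assumption: suffix match is enough).
CLOUD_SUFFIXES = (".azurewebsites.net",)

# Constructed zone export. The first name/target pair is the article's example;
# TTLs and the example.com records are made up for illustration.
SAMPLE_ZONE = """\
eaplayinvite.ea.com. 3600 IN CNAME ea-invite-reg.azurewebsites.net.
www.example.com.     3600 IN CNAME live-app.azurewebsites.net. ; still in use
mail.example.com.    3600 IN A     192.0.2.10
"""

def parse_cnames(zone_text):
    """Yield (name, target) for each CNAME line of a BIND-style zone export."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if "CNAME" in fields[1:-1]:
            target = fields[fields.index("CNAME", 1) + 1]
            yield fields[0].rstrip(".").lower(), target.rstrip(".").lower()

def system_resolves(host):
    """True if the local resolver returns any address for host.
    A lookup failure can also be a transient error, so re-check before acting."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def find_dangling(zone_text, resolves=system_resolves, suffixes=CLOUD_SUFFIXES):
    """Return (name, target) pairs whose cloud-hosted target no longer resolves."""
    return [(name, target) for name, target in parse_cnames(zone_text)
            if target.endswith(suffixes) and not resolves(target)]

if __name__ == "__main__":
    # Offline demo: a constructed set stands in for DNS. Call find_dangling(zone)
    # with the default resolver to audit a real export.
    live = {"live-app.azurewebsites.net"}
    for name, target in find_dangling(SAMPLE_ZONE, resolves=lambda h: h in live):
        print(f"DANGLING {name} -> {target}: delete the CNAME or reclaim the host")
```

Each finding is a record to delete, or a host name to re-register under the organisation's own cloud account, before the subdomain is retired.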