CATEGORIES
home News

Major EA Origin Gaming Client Security Exploit Potentially Left 300 Million Users Exposed

by Brandon HillWednesday, June 26, 2019, 12:08 PM EDT
ea origin access
Another day, another report on vulnerabilities in the software that many of us use on a daily basis. This time around, researchers from Check Point and CyberInt rallied together to detail a number of exploits that they discovered in the Origin client used to deliver games to consumers. Origin is an Electronic Arts property.

What makes the latest Origin exploit rather dangerous is the fact that it does not require intervention from the user with respect to handing over their logins or passcode information. In this case, the exploit allows an attacker to steal tokens associated with oAuth Single Sign-On (SSO) and TRUST routines in place with the EA Games user login process.

As a result, Check Point and CyberInt were able to hijack a number of ea.com and origin.com subdomains to perform a full takeover of user accounts. The researchers were able to hijack eaplayinvite.ea.com, which had previously been an inactive subdomain hosted on Microsoft Azure.

“EA’s Origin platform is hugely popular; and if left unpatched, these flaws would have enabled hackers to hijack and exploit millions of users’ accounts,” said Oded Vanunu, Head of Products Vulnerability Research at Check Point. “Along with the vulnerabilities we recently found in the platforms used by Epic Games for Fortnite, this shows how susceptible online and cloud applications are to attacks and breaches.” With access to the subdomain, the research team was able to setup a phishing page masquerading as an official EA site – using an official EA domain – to steal access tokens.

For its part, EA thanked the researchers for discovering the vulnerabilities. Given that Check Point and CyberInt are reputable security research firms that don’t have an axe to grind, they were able to disclose the vulnerabilities to EA, giving them time to address the issues, before going public with their findings.

“Protecting our players is our priority,” said Adrian Stone, Senior Director for Game and Platform Security at EA. “We [have] engaged our product security response process to remediate the reported issues. Working together under the tenet of Coordinated Vulnerability Disclosure strengthens our relationships with the wider cybersecurity community and is a key part of ensuring our players stay secure.”

According to EA, it has over 300 million registered gamers around the world using its services.

Tags:  security, Electronic Arts, ORIGIN, EA, (NASDAQ:EA), security-breach
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment