Origin, an EA platform, exposes data of 300 million users

Vulnerability analysis specialists have discovered a set of security flaws in the Origin online video game store, developed by Electronic Arts (EA). These flaws in the platform would have exposed the accounts of more than 300 million gamers worldwide, as cybersecurity firms Check Point Research and CyberInt reported.

In the reports, experts indicate that the vulnerabilities in Origin would have allowed threat actors to intercept users’ login credentials, perform unauthorized transactions, and download and install video games (such as The Sims, FIFA and Battlefield, among others) on the compromised PCs.

Vulnerability analysis experts mention that the reported flaws do not require user interaction for exploitation. Instead, attackers abuse abandoned, unmaintained subdomains and EA Games access tokens, as well as the TRUST authentication system, which is part of Origin’s login system. If exploited, these flaws allow threat actors to take control of users’ accounts, steal information and make purchases on the platform.

Origin is part of EA’s online platform, and allows users to find friends, join games and manage their profiles; it also allows players to buy and play games for various platforms. A successful attack would even allow hackers to steal information from the victim’s payment cards.

The first stage of the attack is to abuse an abandoned subdomain (ea-invite-reg.azurewebsites.net). “Using an Azure account we were able to register this subdomain as a service from our web application, which allowed us to monitor requests from legitimate EA users”, the experts mentioned. Then the second stage of the attack begins, in which hackers abuse EA access tokens and the TRUST authentication mechanism.
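The precondition for that first stage is a record in the victim organization’s own DNS that still points at a provider-hosted name nobody owns. The following is an added example, not code from the researchers or from EA: a defender-side audit that flags such dangling CNAMEs. The zone data, the `.test` hostnames and the resolver are constructed stand-ins so the check runs offline; only the `ea-invite-reg.azurewebsites.net` target comes from the report.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Provider suffixes where a name that stops resolving can be re-registered
# by any account holder (the Origin case involved *.azurewebsites.net).
TAKEOVER_PRONE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
)

# (name, rrtype) -> list of records, or None when the name does not resolve.
Resolver = Callable[[str, str], Optional[List[str]]]


def audit_dangling_cnames(hostnames: List[str], resolve: Resolver) -> List[Dict[str, str]]:
    """Return the hostnames whose CNAME target is provider-hosted and unclaimed."""
    findings = []
    for host in hostnames:
        cnames = resolve(host, "CNAME")
        if not cnames:
            continue  # no alias, nothing to dangle
        target = cnames[0].rstrip(".").lower()
        if not target.endswith(TAKEOVER_PRONE_SUFFIXES):
            continue  # alias into infrastructure we control; out of scope here
        # Provider-hosted target with no A record: the app behind it was removed
        # and the name is free to be claimed again -> our record now dangles.
        if resolve(target, "A") is None:
            findings.append({"host": host, "target": target,
                             "reason": "CNAME target does not resolve"})
    return findings


# Constructed zone snapshot standing in for live DNS (hypothetical .test names).
FAKE_DNS: Dict[Tuple[str, str], Optional[List[str]]] = {
    ("invite.example-games.test", "CNAME"): ["ea-invite-reg.azurewebsites.net."],
    ("ea-invite-reg.azurewebsites.net", "A"): None,          # unclaimed: dangling
    ("store.example-games.test", "CNAME"): ["store-prod.azurewebsites.net."],
    ("store-prod.azurewebsites.net", "A"): ["203.0.113.10"],  # still owned: fine
    ("www.example-games.test", "A"): ["203.0.113.20"],        # plain A record
}


def fake_resolver(name: str, rrtype: str) -> Optional[List[str]]:
    return FAKE_DNS.get((name.rstrip(".").lower(), rrtype))


def run_audit() -> List[Dict[str, str]]:
    hosts = ["invite.example-games.test", "store.example-games.test", "www.example-games.test"]
    return audit_dangling_cnames(hosts, fake_resolver)
```

For a live check, swap `fake_resolver` for a function that performs real CNAME and A lookups against your zone, and treat every finding as a record to delete or re-point before someone else claims the target.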

According to the vulnerability analysis experts from the International Institute of Cyber Security (IICS), EA received the vulnerability report and is working on a security update to correct the flaws. In addition, the platform recommends that users enable two-factor authentication on their accounts; among other measures, EA reminds users that it is best to download content only from the official website.