Electronic Arts appears to have dodged a cybersecurity bullet that could have resulted in the takeover of millions of players of accounts for its Origin online gaming service.
Check Point Research and CyberInt investigated a chain of vulnerabilities that, once exploited, could have exposed the user accounts. They informed EA of the problem, and the big game company has patched its network. The report is on this link.
The potential damage could have involved an attacker gaining access to a user’s credit card information and the ability to fraudulently purchase in-game currency on behalf of the user.
CyberInt and Check Point immediately notified EA of these security gaps and together leveraged their expertise to support EA in fixing them to protect their gaming customers.
In a statement, EA said, “This was reported to EA privately by CyberInt through our Coordinated Vulnerability Disclosure program. As soon as the issue was raised, EA engaged with CyberInt to resolve the vulnerability reported. We also closely monitored the situation and were able to verify that the vulnerability was not exploited and no player information was exposed.”
To further clarify, the reported vulnerabilities were resolved in the back-end architecture of some authentication protocols and not related to Origin.
Origin: The EA platform
Above: EA Origin
Image Credit: EA
With over 90 million users and revenues of around $5 billion, EA has the world’s second largest gaming company market capitalization and boasts household gaming titles such as FIFA, Maden NFL, NBA Live, UFC, The Sims, Battlefield, Command and Conquer, and Medal of Honor in its portfolio.
All these games and more rest on its self-developed Origin gaming platform that allows users to purchase and play EA’s games across PC and mobile.
Origin also contains social features such as profile management, networking with friends with chat and direct game joining along with community integration with networking sites such as Facebook, Xbox Live, PlayStation Network, and Nintendo Network.
The vulnerabilities found
Above: Apex Legends is a free-to-play battle royale game from Respawn and Electronic Arts.
Image Credit: EA
In a similar manner to Check Point Research’s previous discoveries into another hugely popular online game, Fortnite, the vulnerabilities found in EA’s platform similarly did not require the user to hand over any login details whatsoever.
Instead, it took advantage of EA Games’ use of authentication tokens in conjunction with the oAuth Single Sign-On (SSO) and TRUST mechanism that is built into EA’s user login process.
In this case, EA is a cloud-based company that uses Microsoft Azure to host several domain names such as ea.com and origin.com in order to provide global access to various services for their players, including creating new game accounts, connecting to the Origin social network and purchasing more games in EA’s online store.
Technical details
Above: Electronic Arts
Image Credit: Electronic Arts
EA operates several domain names such as ea.com and origin.com in order to provide global access to various services for their players, including creating new Apex Legends accounts, connecting to the Origin social network, as well as purchasing new EA games in the company’s online store.
Generally, each service offered by a cloud-based company such as EA is registered on a unique subdomain address, for example, eaplayinvite.ea.com, and has a DNS pointer (A or CNAME record) to a specific cloud supplier host, ea-invite-reg.azurewebsites.net, which runs the desired service in the background, in this case, a web application server.
Microsoft’s Azure cloud service allows for a company to register new services (e.g. web applications, REST APIs, Virtual Machines, databases, and more) in order to provide them to online customers around the world.
Each Azure user account can request to register a specific service name (Service-Name.azurewebsites.net) which will be connected to a specific domain or subdomain of the organization after successfully validating it’s CNAME records during Azure subdomain validation process.
During CyberInt’s research, though, they found that the ea-invite-reg.azurewebsites.net service was not in-use anymore within Azure cloud services. But the unique subdomain eaplayinvite.ea.com still redirects to it using the CNAME configuration.
The CNAME redirection of eaplayinvite.ea.com allows security researchers to create a new successful registration request at their own Azure account and register ea-invite-reg.azurewebsites.net as their new web application service.
This allowed Check Point and CyberInt to essentially hijack the subdomain of eaplayinvite.ea.com and monitor the requests made by EA valid users.
As seen from the below, the DNS Record status after the hijacking process showed that the eaplayinvite.ea.com redirects to Check Point’s new Azure cloud web service.
oAuth Invalid Redirection to Account Take-Over
Above: The Electronic Arts offices.
Image Credit: EA
Having control over the eaplayinvite.ea.com subdomain led Check Point’s research team to a new goal of figuring out how to abuse the TRUST mechanism. The TRUST mechanism exists between ea.com and origin.com domains and their subdomains. Successfully abusing the mechanism enabled the research team to manipulate the oAuth protocol implementation for full account take-over exploitation.
The researchers began by identifying how EA games had configured the oAuth protocol and provides its users a Single Sign-on (SSO) mechanism. The SSO mechanism exchanges the user credentials (username and password) by unique SSO Token and then uses the token to authenticate with any platform (for ex. accounts.origin.com) of EA networks without having to enter their credentials again.
Analyzing the EA games oAuth SSO implementation within several EA services such as answers.ea.com, help.ea.com and accounts.ea.com helped the researchers review the EA authentication process and learn more about the TRUST mechanism that had been implemented.
As part of a successful authentication process with EA global services via answers.ea.com, an oAauth HTTP request is sent to accounts.ea.com in order to get a new user SSO token, then the application should redirect it through signin.ea.com to the final EA service called answers.ea.com to identify the user.
Check Point, however, that it was actually possible to determine the EA service address which the oAuth token is generated for by modifying the returnURI parameter within the HTTP request to our hijacked subdomain of EA, eaplayinvite.ea.com.
However, generating the above-mentioned request to redirect the generated SSO token into researchers’ hands was not sufficient since several limitations took place on EA’s side.
The researchers also described the limitations introduced by EA and how the researchers successfully bypassed them in order to weaponize their attack. You can read the rest of the info on the link.
