Major vulnerability found in EA's Origin gaming client
Researchers at Check Point working with CyberInt have uncovered a chain of vulnerabilities in the Origin gaming client developed by Electronic Arts (EA). If exploited, the vulnerabilities could have led to player account takeover and identity theft.
Researchers responsibly disclosed the vulnerabilities to EA, in accordance with coordinated vulnerability disclosure practices, so that EA could fix them and roll out an update before threat actors could exploit the flaws.
"Protecting our players is our priority," says Adrian Stone, senior director, game and platform security at Electronic Arts. "As a result of the report from CyberInt and Check Point, we engaged our product security response process to remediate the reported issues. Working together under the tenet of Coordinated Vulnerability Disclosure strengthens our relationships with the wider cybersecurity community and is a key part of ensuring our players stay secure."
The vulnerability took advantage of abandoned sub-domains and EA Games' use of authentication tokens in conjunction with the OAuth Single Sign-On (SSO) and TRUST mechanism built into EA Games' user login process.
"EA's Origin platform is hugely popular; and if left unpatched, these flaws would have enabled hackers to hijack and exploit millions of users' accounts," says Oded Vanunu, head of products vulnerability research for Check Point. "Along with the vulnerabilities we recently found in the platforms used by Epic Games for Fortnite, this shows how susceptible online and cloud applications are to attacks and breaches. These platforms are being increasingly targeted by hackers because of huge amounts of sensitive customer data they hold."
Users are advised to enable two-factor authentication and only use the official website when downloading or purchasing games. Parents should make their children aware of the threat of online fraud and that cyber criminals will do anything to gain access to personal and financial details, which may be held as part of a gamer's online account. Both Check Point and CyberInt encourage gamers to always be vigilant when receiving links sent from unknown sources.