Security firm Check Point Research has issued a warning about a 'chain of vulnerabilities' in Electronic Arts' Origin software distribution platform which left it open to account takeover and identity theft attacks.
One of a number of publisher-specific game distribution platform clients, often used to cut third-party services like Steam out of ongoing revenue or used on top of third-party services for in-app purchasing or anti-piracy functionality, EA's Origin jumped in popularity when the company announced the Origin Access subscription service and later Origin Access Premier offering.
Unfortunately for its users, Origin appears to have had some serious security shortcomings spotted by security specialist Check Point Research. 'EA's Origin platform is hugely popular, and if left unpatched these flaws would have enabled hackers to hijack and exploit millions of users’ accounts,' explains Oded Vanunu, head of products vulnerability research at Check Point, of the company's findings. 'Along with the vulnerabilities we recently found in the platforms used by Epic Games for Fortnite, this shows how susceptible online and cloud applications are to attacks and breaches. These platforms are being increasingly targeted by hackers because of huge amounts of sensitive customer data they hold.'
The vulnerabilities themselves were surprisingly basic: Check Point was able to use EA's own authentication token system in conjunction with subdomains the company has long-abandoned to subvert the service's sign-on system - meaning that accounts could be taken over, providing full access to the account itself and all personally identifiable information (PII) stored therein.
'Protecting our players is our priority, claims Adrian Stone, senior director for game and platform security at Electronic Arts, of the vulnerability report. 'As a result of the report from CyberInt and Check Point, we engaged our product security response process to remediate the reported issues. Working together under the tenet of Coordinated Vulnerability Disclosure strengthens our relationships with the wider cybersecurity community and is a key part of ensuring our players stay secure.'
Thankfully, Check Point's researchers practice responsible disclosure: The flaw was reported to EA privately, and the public announcement this week comes after it has been fixed. More information is available on the Check Point Research blog, or in the above video.
October 15 2020 | 14:00