EA had to step up its game after researchers found an EA Origin vulnerability that could have exposed millions of people to account takeovers. The flaw exposed more than 300 million players on popular online games such as Battlefield, Madden NFL, NBA Live and FIFA, according to security researchers from Check Point and CyberInt.
"EA's Origin platform is hugely popular, and if left unpatched, these flaws would have enabled hackers to hijack and exploit millions of users' accounts," Oded Vanunu, head of products vulnerability research for Check Point, said in a statement Wednesday.
The security flaw would have allowed hackers to hijack people's accounts without stealing their logins or passwords. Instead, it would steal a Single Sign-On authorization token, which could give hackers complete control of an account. Access tokens are an authentication method similar to passwords: codes generated by a service to keep you logged in.
They're harder to steal than passwords but still possible, as a similar vulnerability with Fortnite and Facebook demonstrated. As people become more aware of entering their passwords on suspicious websites, hackers have turned to stealing access tokens instead, which can be done in the background without any user participation.
The security researchers were able to take control of an EA subdomain, under the URL "eaplayinvite.ea.com," which was an inactive domain hosted on Microsoft's Azure cloud service. CyberInt and Check Point's researchers successfully requested to take over the inactive domain from Microsoft Azure and turned the page into a phishing trap.
They could send the malicious page to players, and since it was on an EA domain, victims would be more likely to trust the link, researchers said. The hijacked page had embedded code that would take access tokens intended for EA and redirect them to the researchers instead.
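The takeover described above started with a subdomain whose DNS record still pointed at a cloud resource nobody owned any more. The following is an added defender-side example, not code from the article or from EA, Check Point or CyberInt, that audits a DNS zone for such dangling CNAMEs; the Azure hostname suffixes, the example.com records and the offline resolver stub are all assumptions constructed for the demonstration.

```python
# Added example: flag "dangling" CNAME records in your own DNS zone. A name is at risk
# of takeover when its CNAME points at a cloud-provider hostname that no longer
# resolves, because the deleted resource's name can be claimed by someone else.
from typing import Callable, Dict, List, Optional

# Azure-hosted hostname suffixes whose names become claimable once the original
# resource is deleted (assumed list; extend it for the providers you actually use).
AZURE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".cloudapp.net",
    ".trafficmanager.net",
    ".blob.core.windows.net",
    ".azureedge.net",
)


def is_cloud_target(target: str) -> bool:
    """True if the CNAME target lives in a provider namespace that can be re-registered."""
    host = target.rstrip(".").lower()
    return any(host.endswith(suffix) for suffix in AZURE_SUFFIXES)


def find_dangling(zone: Dict[str, str], resolve: Callable[[str], Optional[str]]) -> List[str]:
    """Return zone names whose CNAME points at a cloud host that does not resolve.

    `zone` maps owner name -> CNAME target; `resolve` returns an address or None
    (NXDOMAIN). The resolver is injected so the check runs offline here and can be
    swapped for a real lookup (e.g. socket.gethostbyname wrapped in try/except) in use.
    """
    dangling: List[str] = []
    for name, target in sorted(zone.items()):
        if not is_cloud_target(target):
            continue  # targets you control yourself are not claimable by a third party
        if resolve(target) is None:
            dangling.append(name)  # resource gone, but the subdomain still delegates to it
    return dangling


# Constructed sample zone and answers (no network): one healthy Azure entry,
# one dangling Azure entry, one non-cloud entry that must be ignored.
SAMPLE_ZONE = {
    "shop.example.com": "shop-prod.azurewebsites.net",
    "invite.example.com": "old-campaign.azurewebsites.net",  # resource was deleted
    "www.example.com": "origin.example.net",  # not a provider-owned target
}
SAMPLE_ANSWERS = {"shop-prod.azurewebsites.net": "203.0.113.10", "origin.example.net": "198.51.100.7"}


def fake_resolve(host: str) -> Optional[str]:
    return SAMPLE_ANSWERS.get(host.rstrip(".").lower())


if __name__ == "__main__":
    for name in find_dangling(SAMPLE_ZONE, fake_resolve):
        print(f"DANGLING: {name} -> {SAMPLE_ZONE[name]} (delete the record or reclaim the resource)")
```

The remediation for each hit is the one EA ultimately needed: remove the stale record or re-provision the resource under your own account so the name cannot be claimed by a stranger.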
"We had the vulnerabilities under control so no other party could have exploited them during the period it took EA to fix," Alexander Peleg, CyberInt's head of cyber operations, said in an email.
The researchers could then use that token to log into the victims' accounts. CyberInt and Check Point said they reported the flaw to EA on Feb. 19, and the company said it fixed the issue within three weeks.
"Protecting our players is our priority," Adrian Stone, EA's director of game and platform security, said in a statement provided by the security researchers. "As a result of the report from CyberInt and Check Point, we engaged our product security response process to remediate the reported issues."
EA didn't respond to a request for additional comment.