Security researchers exposed vulnerabilities in the Origin gaming platform from Electronic Arts (EA) that could have let an attacker take over the accounts of a staggering 300 million users.

To make this attack succeed, attackers would only have needed victims to click on a genuine referral link to EA’s Origin game distribution platform.

Researchers discovered what appears to be an oversight on the gaming company’s part: one of its subdomains pointed to an unclaimed host on Microsoft’s Azure cloud computing service that anyone could register for free.

“Generally, each service offered by a cloud-based company such as EA Games is registered on a unique subdomain address, for example, eaplayinvite.ea.com, and has a DNS pointer (A or CNAME record) to a specific cloud supplier host, ea-invite-reg.azurewebsites.net, which runs the desired service in the background, in this case a web application server.”

Since it was no longer in use, the researchers were able to register “ea-invite-reg.azurewebsites.net” as the name of their own web application service on Azure. Since the CNAME record was still active, the researchers received all requests made by EA users through “eaplayinvite.ea.com.”
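The dangling-CNAME condition described above (an in-house name whose CNAME target sits on a cloud-provider hostname that no longer resolves) is something a defender can inventory. The following is an added example, not code from the article or from the researchers: it walks a constructed zone snapshot, follows CNAME chains, and flags names whose chain ends at a non-resolving host on a suffix where anyone can register a hostname. The zone data, the `CLAIMABLE_SUFFIXES` list and the `.example.com` names are assumptions for illustration; only `eaplayinvite.ea.com` and `ea-invite-reg.azurewebsites.net` come from the page.

```python
from typing import Dict, List, Optional, Tuple

# Provider suffixes under which an unclaimed hostname can be registered by anyone
# (assumed list for the example; extend from your own cloud inventory).
CLAIMABLE_SUFFIXES = ("azurewebsites.net", "cloudapp.net", "trafficmanager.net")

# Constructed zone snapshot: name -> (record type, value); None means NXDOMAIN.
# In practice this would come from a zone export plus live resolution of targets.
ZONE: Dict[str, Optional[Tuple[str, str]]] = {
    "eaplayinvite.ea.com": ("CNAME", "ea-invite-reg.azurewebsites.net"),
    "ea-invite-reg.azurewebsites.net": None,          # target was deleted
    "www.example.com": ("CNAME", "www-prod.azurewebsites.net"),
    "www-prod.azurewebsites.net": ("A", "203.0.113.10"),
    "old.example.com": ("CNAME", "legacy.example.org"),
    "legacy.example.org": None,                        # dead, but not claimable
    "api.example.com": ("A", "203.0.113.20"),
}


def on_claimable_suffix(host: str) -> bool:
    """True if host is exactly a claimable suffix or a label beneath one."""
    return any(host == s or host.endswith("." + s) for s in CLAIMABLE_SUFFIXES)


def resolve_chain(name: str, zone: Dict[str, Optional[Tuple[str, str]]],
                  max_hops: int = 8) -> Tuple[str, bool]:
    """Follow CNAMEs from name; return (last name reached, whether it resolved)."""
    current = name
    for _ in range(max_hops):
        rec = zone.get(current)
        if rec is None:
            return current, False          # NXDOMAIN: chain is broken here
        rtype, value = rec
        if rtype != "CNAME":
            return current, True           # A/AAAA etc.: resolved
        current = value
    return current, False                  # loop or too-long chain


def find_dangling(zone: Dict[str, Optional[Tuple[str, str]]]) -> List[dict]:
    """Report every CNAME whose chain ends at a non-resolving name.

    risk == "takeover" when the dead name is on a claimable provider suffix,
    "broken" when it is merely dead.
    """
    findings = []
    for name, rec in zone.items():
        if rec is None or rec[0] != "CNAME":
            continue
        target = rec[1]
        final, resolved = resolve_chain(target, zone)
        if resolved:
            continue
        risk = "takeover" if on_claimable_suffix(final) else "broken"
        findings.append({"name": name, "target": target, "dead": final, "risk": risk})
    return findings


if __name__ == "__main__":
    for f in find_dangling(ZONE):
        print(f"{f['risk']:8} {f['name']} -> {f['target']} (dead at {f['dead']})")
```

Run against a real zone, the same logic applies with `resolve_chain` replaced by live DNS lookups; the `takeover` class is the one to fix first, by deleting the CNAME or re-registering the target under your own account.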

Bypassing restrictions

Although hijacking the subdomain alone was not enough to pull off the account takeover, it gave the researchers a foothold from which to look for a way to turn that access into something useful to an attacker.

“As part of a successful authentication process with EA global services via answers.ea.com, an OAuth HTTP request is sent to accounts.ea.com in order to get a new user SSO token, then the application should redirect it through signin.ea.com to the final EA service called answers.ea.com to identify the user,” Check Point explains in a technical analysis of the attack.

By changing the “returnURI” parameter in the HTTP request to point at the hijacked subdomain, it was possible to learn the EA service address the SSO token was generated for.

Manipulating the requests so that the token itself was sent to the hijacked domain did not work, though, because of security mitigations on EA’s part.

The researchers then found that a request to signin.ea.com containing the “redirectback” parameter rerouted genuine EA players to the researchers’ server. The redirect did not carry the victim’s SSO token itself, but it allowed the researchers to log incoming requests, and those requests included the access token in the HTTP Referer header.

Equipped with the authentication token, an attacker could access EA user accounts as if they were the owners. It also allowed stealing the victim’s session ID and using it with the attacker’s own credentials to sidestep authentication and buy virtual goods with the victim’s payment card.
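The chain above hinges on a redirect target that the sign-in flow accepted because it was a hijacked name under the company’s own domain. The following is an added example of the defensive check, not code from the article, from Check Point or from EA: it contrasts a suffix-based host check, which any subdomain of the parent domain passes, with an exact allowlist of registered redirect URIs. The allowlist entries, the `/login/callback` path and the parent-domain rule are assumptions for illustration; `answers.ea.com`, `eaplayinvite.ea.com` and the `ea.com` domain come from the page. Whether EA’s own check worked this way is not stated on the page.

```python
from urllib.parse import urlsplit

# Constructed allowlist of exact (scheme, host, path) redirect targets that were
# registered for the application. Assumed values, not EA's configuration.
ALLOWED_REDIRECTS = {
    ("https", "answers.ea.com", "/login/callback"),
}


def suffix_match_allows(url: str, parent: str = "ea.com") -> bool:
    """The weak rule: accept any host that is the parent domain or beneath it.

    Any subdomain the company no longer controls (a dangling CNAME) passes this.
    """
    host = urlsplit(url).hostname or ""
    return host == parent or host.endswith("." + parent)


def is_safe_redirect(url: str) -> bool:
    """The strict rule: scheme, host and path must match a registered entry exactly.

    urlsplit().hostname lowercases the host and drops userinfo and port, so
    'https://answers.ea.com@other.example/...' is judged by 'other.example'.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    # Normalise an empty path to '/' so 'https://host' and 'https://host/' agree.
    path = parts.path or "/"
    return (parts.scheme, parts.hostname, path) in ALLOWED_REDIRECTS


def token_in_query(url: str) -> bool:
    """Flag URLs that carry a token in the query string: such a URL is copied into
    the Referer header of the next request, which is how the page's attack read it."""
    query = urlsplit(url).query.lower()
    return any(key in query for key in ("token=", "access_token=", "sso="))


if __name__ == "__main__":
    for u in (
        "https://answers.ea.com/login/callback",
        "https://eaplayinvite.ea.com/login/callback",   # hijacked subdomain
        "https://answers.ea.com@other.example/login/callback",
        "http://answers.ea.com/login/callback",
    ):
        print(f"{u}\n  suffix rule: {suffix_match_allows(u)}  strict rule: {is_safe_redirect(u)}")
```

The strict rule is the one OAuth deployments should use for redirect targets; pairing it with a `Referrer-Policy` of `no-referrer` on pages that receive tokens, and with tokens delivered in a POST body or fragment rather than the query string, removes the Referer leak the article describes even if a redirect slips through.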
