From CNET: EA had to step up its game after researchers found an EA Origin vulnerability that could have exposed millions of people to account takeovers. The flaw exposed more than 300 million players on popular online games such as Battlefield, Madden NFL, NBA Live and FIFA, according to security researchers from Check Point and CyberInt.
"EA's Origin platform is hugely popular, and if left unpatched, these flaws would have enabled hackers to hijack and exploit millions of users' accounts," Oded Vanunu, head of products vulnerability research for Check Point, said in a statement Wednesday.
The security flaw would have allowed hackers to hijack people's accounts without stealing their logins or passwords. Instead, it would steal a Single Sign-On authorization token, which could give hackers complete control. Access tokens are an authentication method similar to passwords: they are codes generated by services to keep you logged in.
They're harder to steal than passwords, but it is still possible, as a similar vulnerability with Fortnite and Facebook demonstrated. As people become more wary of entering their passwords on suspicious websites, hackers have turned to stealing access tokens instead, which can be done in the background without any user participation.
The security researchers were able to take control of an EA subdomain, under the URL "eaplayinvite.ea.com," which was an inactive domain hosted on Microsoft's Azure cloud service. CyberInt and Check Point's researchers successfully requested to take over the inactive domain from Microsoft Azure and turned the page into a phishing trap.
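The inactive-subdomain condition described above is something a domain owner can audit for in their own DNS. The following is an added example, not code from the article or from the researchers: it scans a zone export for CNAME records that point at Azure-hosted names that no longer resolve. The zone contents, the suffix list and the "target no longer resolves" heuristic are assumptions made for this example.

```python
import socket

# Azure-hosted suffixes whose labels another tenant can register once the
# original resource is deleted (partial list, chosen for this example).
CLAIMABLE_SUFFIXES = (".azurewebsites.net", ".cloudapp.net", ".trafficmanager.net")

def system_resolves(hostname):
    """Default resolver: True if the name currently resolves to an address."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False

def parse_cnames(zone_text):
    """Yield (name, target) for each CNAME line of a simple zone export."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if "CNAME" in fields:
            idx = fields.index("CNAME")
            if idx >= 1 and idx + 1 < len(fields):
                yield (fields[0].rstrip(".").lower(),
                       fields[idx + 1].rstrip(".").lower())

def find_dangling(zone_text, resolves=system_resolves):
    """Return CNAMEs whose cloud-hosted target no longer resolves."""
    findings = []
    for name, target in parse_cnames(zone_text):
        if target.endswith(CLAIMABLE_SUFFIXES) and not resolves(target):
            findings.append((name, target))
    return findings

# Constructed sample zone; every name below is a placeholder.
SAMPLE_ZONE = """\
; constructed zone export for example.com
www.example.com.     300 IN CNAME example-web.azurewebsites.net.
invite.example.com.  300 IN CNAME example-invite-old.azurewebsites.net.
mail.example.com.    300 IN CNAME mail.example.net.
"""
LIVE_TARGETS = {"example-web.azurewebsites.net"}  # constructed resolver state

def sample_resolver(hostname):
    """Offline stand-in for DNS so the example runs without network access."""
    return hostname in LIVE_TARGETS

if __name__ == "__main__":
    for name, target in find_dangling(SAMPLE_ZONE, sample_resolver):
        print(f"DANGLING: {name} -> {target} (remove the record or reclaim the resource)")
```

Any record this flags should be deleted or repointed; removing the DNS record at the same time the cloud resource is decommissioned keeps the condition from arising at all.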