
A security flaw discovered in EA's Origin app leaves millions of Windows users exposed to hackers

The flaw in the Origin app allows hackers to trick users into opening and running malicious software on their systems.

April 18, 2019 / 16:48 IST

Electronic Arts recently fixed a bug in its online gaming platform, Origin. The Origin app is EA’s answer to game services like Steam and Epic storefronts. Origin boasts a massive archive of games including some major titles like Apex Legends, Anthem, Battlefield V, Assassin’s Creed Odyssey and many more.

A recently discovered security vulnerability in EA’s popular gaming app has exposed tens of millions of Windows users to cyber-attacks. The flaw in the Origin app allows hackers to trick users into opening and running malicious software on their systems.

The Origin desktop client’s URL scheme allows users to open the app and load a game from a web page by clicking a link with “origin://” in the address. However, two security researchers discovered that the app could be duped into running any app on an unsuspecting victim’s PC.

According to the security researchers, the bug occurred when players used the EA Origin client but requested to edit their account on EA.com. A statement Beard made to ZDNet read, “The EA Origin client will spit out an auto-login URL, in which the token is basically the equivalent of your active username and password.”

Now, while such auto-login URLs are commonplace in many web-based and desktop apps, the URLs can normally be accessed only by the user. That wasn’t the case here. According to Beard, anyone could easily access these token auto-login URLs if the account was being used on an unsecured network or WiFi hotspot.

Additionally, IoT malware and botnets that have infected home routers will allow criminals to automate the mass collection of EA account data by using these auto-login URLs. Hackers can also use these URLs to collect information such as the last digits of a user’s phone number, order history, the last four digits of a saved credit card, a user’s real name and more.


Carlsen Martin
first published: Apr 18, 2019 04:48 pm
