[Update: EA has since confirmed that the bug has been fixed.]
An EA spokesperson confirmed that fixes were rolled out earlier this month and that the company had not seen evidence of any unauthorised users having accessed subscribers’ data.
[Original article as follows]
EA’s Origin client is probably one of the least favourite third-party launchers that PC gamers have to put up with. Its biggest saving grace is that at least it’s not uPlay. Jokes aside, it’s not a very good client, and a recently discovered security vulnerability makes it a little worse.
The bug was discovered by a security researcher calling themselves Beard.
Hey @EAHelp @EA can we get someone to contact us at [email protected]? Auto-Login URLs are a very bad idea. Video below showcasing this bug, and allowing it to auto sign into an account on a browser with no cache or history of ever being to https://t.co/KvS2LlbXkv. pic.twitter.com/HGXoFUIvyI
— beard (@beardlyness) October 7, 2018
“The bug occurs when you use the EA Origin client but request to edit your account on EA.com,” he said. “The EA Origin client will spit out an auto-login URL, in which the token is basically the equivalent of your active username and password.”
Unfortunately, that auto-login URL isn’t cross-checked against the requesting IP address, so anybody who gets hold of the URL can use it to initiate a login. That means a dodgy bit of malware, a man-in-the-middle attack or an insecure router could leave your EA Origin account compromised.
“If you’re on an unsecured network or WiFi hotspot, like at a cafe or hotel, someone can easily grab these token auto-login URLs and basically log in as the end user who requested these token links,” Beard said.
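The weakness described above is that the token in the URL is a standalone credential: it never expires, works any number of times and is checked against nothing else. The following is an added illustration (not EA’s code, and not the fix EA shipped) contrasting that pattern with a token that is short-lived, single-use and bound to a secret the launcher keeps locally; the store, the TTL and the `example.invalid` host are assumptions for the example.

```python
import hashlib
import hmac
import secrets

TTL_SECONDS = 60   # assumption: an auto-login link should live for seconds, not days
_issued = {}       # constructed in-memory token store; a real service persists this

def issue_weak_url(username):
    """The pattern the article describes: the token *is* the credential.
    No expiry, no redemption limit, no binding, so whoever holds the URL
    holds the account."""
    token = secrets.token_urlsafe(32)
    _issued[token] = {"user": username, "expires": None, "bind": None, "used": False}
    return f"https://example.invalid/autologin?token={token}"

def issue_bound_url(username, client_secret, now):
    """Hardened variant (assumption, not EA's fix): short-lived, single-use,
    and bound to a secret the launcher holds and never puts in the URL."""
    token = secrets.token_urlsafe(32)
    _issued[token] = {
        "user": username,
        "expires": now + TTL_SECONDS,
        "bind": hashlib.sha256(client_secret).digest(),
        "used": False,
    }
    return f"https://example.invalid/autologin?token={token}"

def redeem(url, client_secret=b"", now=0.0):
    """Server-side redemption. Returns the username on success, else None."""
    token = url.rsplit("token=", 1)[-1]
    rec = _issued.get(token)
    if rec is None or rec["used"]:
        return None
    if rec["expires"] is not None and now > rec["expires"]:
        return None                     # expired link
    if rec["bind"] is not None:
        proof = hashlib.sha256(client_secret).digest()
        if not hmac.compare_digest(rec["bind"], proof):
            return None                 # URL alone is not enough to log in
        rec["used"] = True              # single use: a replayed capture is rejected
    return rec["user"]
```

A captured weak URL can be redeemed indefinitely, while a captured bound URL fails without the launcher-held secret, fails on replay and fails once the TTL has passed.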
With that information – real name, the last four digits of the user’s credit card, the last digits of their phone number, order history and so on – attackers could initiate ID theft. They could also theoretically lock players out of their Origin accounts, buy games with the existing card information, and then resell those accounts with the games in tow.
According to Beard, EA is now aware of the bug, and a fix is in the works.
Last Updated: November 20, 2018