An EA spokesperson confirmed that fixes were rolled out earlier this month and that the company had not seen evidence of any unauthorised users having accessed subscribers’ data.
[Original article as follows] EA’s Origin client is probably one of the least favourite third-party launchers that PC gamers have to put up with. Its biggest saving grace is that at least it’s not uPlay. Jokes aside, it’s not a very good client, and a recently discovered security vulnerability makes it a little worse.
The bug was discovered by a security researcher calling themselves Beard.
Hey @EAHelp @EA can we get someone to contact us at eabugbounty@protonmail.com? Auto-Login URLs are a very bad idea. Video below showcasing this bug, and allowing it to auto sign into an account on a browser with no cache or history of ever being to https://t.co/KvS2LlbXkv. pic.twitter.com/HGXoFUIvyI
— beard (@beardlyness) October 7, 2018
Speaking to ZDNet, he clarified how the bug works.
“The bug occurs when you use the EA Origin client but request to edit your account on EA.com,” he said. “The EA Origin client will spit out an auto-login URL, in which the token is basically the equivalent of your active username and password.”
Unfortunately, that auto-login URL isn’t cross-checked against the requesting IP address, so anybody who gets hold of the URL can use it to log in. A dodgy bit of malware, a man-in-the-middle attack or an insecure router is all it would take for an EA Origin account to be compromised.
“If you’re on an unsecured network or WiFi hotspot, like at a cafe or hotel, someone can easily grab these token auto-login URLs and basically log in as the end user who requested these token links,” Beard said.
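As an added illustration from the defender’s side (this is example code, not EA’s or Origin’s, and every name and value in it is assumed), the snippet below shows what an auto-login token store looks like when each link is single-use, expires quickly, and is bound to the client that requested it. It walks through the situations the article describes: a link captured on a shared network is rejected when replayed, when presented from a different client, or when used after its lifetime.

```python
import hmac
import secrets
import time

# Added example (not EA's or Origin's code): a server-side store for
# auto-login tokens that are single-use, short-lived and bound to the
# client that requested them. All names, the TTL and the binding values
# are assumptions made for the demo.

TOKEN_TTL_SECONDS = 60  # assumed: a link must be redeemed within a minute


class AutoLoginTokenStore:
    """Issues and redeems auto-login tokens with single-use, expiry and client binding."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be exercised
        self._tokens = {}    # token -> (user_id, expires_at, client_binding)

    def issue(self, user_id, client_binding):
        # 256 bits of randomness; the token is an opaque lookup key and
        # carries no account data of its own
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user_id, self._now() + TOKEN_TTL_SECONDS, client_binding)
        return token

    def redeem(self, token, client_binding):
        # pop() makes the token single-use: a replayed URL finds nothing
        entry = self._tokens.pop(token, None)
        if entry is None:
            return None
        user_id, expires_at, bound_to = entry
        if self._now() > expires_at:
            return None
        # constant-time comparison of the binding presented at redemption
        # with the one recorded when the link was issued
        if not hmac.compare_digest(bound_to.encode(), client_binding.encode()):
            return None
        return user_id


def demo():
    """Runs the scenarios from the article and returns each outcome."""
    clock = [1000.0]
    store = AutoLoginTokenStore(now=lambda: clock[0])
    outcomes = {}

    # 1. Legitimate flow: the client asks for a link and the same client redeems it
    token = store.issue("player-42", "client-secret-A")
    outcomes["legitimate"] = store.redeem(token, "client-secret-A")

    # 2. Replay: the same URL, already used once, is presented again
    outcomes["replay"] = store.redeem(token, "client-secret-A")

    # 3. Unused link presented from a client that did not request it
    token = store.issue("player-42", "client-secret-A")
    outcomes["other_client"] = store.redeem(token, "unbound-client")

    # 4. Unused link presented after the TTL has passed
    token = store.issue("player-42", "client-secret-A")
    clock[0] += TOKEN_TTL_SECONDS + 1
    outcomes["expired"] = store.redeem(token, "client-secret-A")

    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'login as ' + result if result else 'rejected'}")
```

The binding here is a per-client secret (something like the requesting client’s own session cookie) rather than the source IP the article mentions: on a shared hotspot the person capturing the link usually sits behind the same public IP as the victim, so an IP check alone would not have helped in exactly the scenario Beard describes. Single use and a short lifetime do the heavier lifting, and the link itself still needs to travel only over HTTPS.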
With the information – real name, the last four digits of his credit card, the last digits of his phone number, order history etc – attackers could initiate identity theft. They could also theoretically lock players out of their Origin accounts, buy games with the card information on file, and then resell those accounts with the games in tow.
According to Beard, EA is now aware of the bug, and a fix is in the works.
Last Updated: November 20, 2018
Dutch Matrix
November 20, 2018 at 15:48
Oh dEAr…
Magius
November 20, 2018 at 15:57
Does this bypass 2-factor authentication?
For the Emperor!
November 20, 2018 at 16:09
Hahahahahahaaaa
Original Heretic
November 20, 2018 at 16:19
EA is no aware or are they NOW aware?
I love typos. In other people’s work. In mine, they must fuck off and die.
Pariah
November 20, 2018 at 17:07
*die
Original Heretic
November 20, 2018 at 18:08
And I said…?
Pariah
November 20, 2018 at 19:22
die. You forgot the asterisk…
Original Heretic
November 20, 2018 at 19:23
But I actually want my typos to die. Not asterisk die.
Captain JJ
November 21, 2018 at 08:52
This would only be a problem if you actually use Origin, which is really your own fault for supporting EA 😛