Home Gaming There’s a bug in EA’s Origin client that could allow unauthorised access

There’s a bug in EA’s Origin client that could allow unauthorised access

2 min read
9

Origin

[Update EA has since confirmed that the bug has been fixed.]

An EA spokesperson confirmed that fixes were rolled out earlier this month and that the company had not seen evidence of any unauthorised users having accessed subscriber’s data.

[Original article as follows]

EA’s Origin client is probably one of the least favourite third-party launchers that PC gamers have to put up with. It’s biggest saving grace is that at least it’s not uPlay. Jokes aside, it’s not a very good client, and a recently discovered security vulnerability makes it a little worse.

The bug was discovered by a security researcher calling themselves Beard.

Speaking to ZDNet, he clarified how the bug works.

“The bug occurs when you use the EA Origin client but request to edit your account on EA.com,” he said. “The EA Origin client will spit out an auto-login URL, in which the token is basically the equivalent of your active username and password.”

Unfortunately, that Auto-login URL doesn’t cross-check with IP, so if anybody were to get hold of that URL, it could be used to initiate a login. That means a dodgy bit of malware, a man-in-the-middle attack or an insecure router and your EA Origin account could be comprised.

“If you’re on an unsecured network or WiFi hotspot; like at a cafe or hotel, someone can easily grab these token auto-login URLs and basically log in as the end user who requested these token links,” Beard said.

With the information – real name, the last four digits of his credit card, the last digits of his phone number, order history etc – attackers could initiate ID theft. They could also theoretically lock players out of the Origin accounts, buy games with existing card information, and then resell those accounts with the games in tow.

According to Beard, EA is now aware of the bug, and a fix is in the works.

Last Updated: November 20, 2018

9 Comments

  1. Dutch Matrix

    November 20, 2018 at 15:48

    Oh dEAr…

    Reply

  2. Magius

    November 20, 2018 at 15:57

    Does this bypass 2-factor authentication?

    Reply

  3. For the Emperor!

    November 20, 2018 at 16:09

    Hahahahahahaaaa

    Reply

  4. Original Heretic

    November 20, 2018 at 16:19

    EA is no aware or are they NOW aware?

    I love typos. In other people’s work. In mine, they must fuck off and die.

    Reply

    • Pariah

      November 20, 2018 at 17:07

      *die

      Reply

      • Original Heretic

        November 20, 2018 at 18:08

        And I said…?

        Reply

        • Pariah

          November 20, 2018 at 19:22

          die. You forgot the asterisk…

          Reply

          • Original Heretic

            November 20, 2018 at 19:23

            But I actually want my typos to die. Not asterisk die.

  5. Captain JJ

    November 21, 2018 at 08:52

    This would only be a problem if you actually use Origin. – which is really your own fault for supporting EA 😛

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Check Also

Birds of Prey 101: How Harley Quinn became DC’s favourite maiden of mischief

The cupid of crime. Daddy’s little monster. The maid of mischief. Ever since her debut, Ha…