Sean Kahler, a game developer and reverse engineer, managed to gain unauthorized access to over 700 million Electronic Arts (EA) user accounts, including game statistics. The whitehat helped to patch the critical flaw.
Kahler discovered a vulnerability affecting EA’s account system. First, the whitehat obtained a privileged access token within EA’s developer testing environment after finding hardcoded credentials in “a certain game's executable.”
After scanning for exposed documentation and poking around, Kahler discovered an internal service with an exposed API (application programming interface), which turned out to be the ‘gold mine.’ EA’s internal APIs allowed the modification of player profiles called ‘personas.’
Kahler initially changed the EA account status to “banned,” which prevented the user from logging into games. The API also allowed the linking of a Steam account to another user’s EA account.
“I quickly realized that since this could move my own linked accounts to any EA account I wanted, wouldn't I be able to log into that linked account, thus logging into any EA account,” Kahler writes.
Similarly, by using an Xbox account and moving it to another person's EA account, the developer could log into the ‘victim’s’ game, such as Battlefield 2042, using a console. This required no verification or password.
Attackers could exploit that to steal usernames and game data and log into someone else’s accounts by moving their Xbox persona to the victim's accounts. The exposed API allowed changing usernames, banning accounts, preventing players from accessing the games, or bypassing bans without user interaction.
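The flaw the article describes is a missing authorization check on an account-linking endpoint: a token issued for one account could move a platform persona onto any other account, and the login flow then resolved that persona to the victim. The following toy model is an added illustration and is not code from EA or from Kahler’s write-up; every name, field and token value in it is hypothetical. It puts the vulnerable handler beside a hardened one that binds the token to the target account, requires proof of control over the persona, and refuses to silently re-home a persona already linked elsewhere.

```python
# Added illustration, not code from EA or from Kahler's write-up: a toy model of a
# persona-linking endpoint. The vulnerable handler reproduces the defect the article
# describes (any valid token can move a platform persona onto any account); the hardened
# handler adds the checks that were missing. All names, fields and values are hypothetical.
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when a request fails an authorization check."""


@dataclass
class Account:
    account_id: str
    banned: bool = False
    personas: set = field(default_factory=set)  # linked platform identities, e.g. "xbox:..."


@dataclass
class Session:
    account_id: str       # the account this token was issued for
    scopes: frozenset     # permissions granted to the token


class Directory:
    """In-memory stand-in for the account service's storage (constructed sample data)."""

    def __init__(self):
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}
        self.persona_proofs: dict[str, str] = {}  # persona -> secret only its real holder can present

    def owner_of(self, persona):
        """Login flow: a platform persona resolves to whichever account it is linked to."""
        for acct in self.accounts.values():
            if persona in acct.personas:
                return acct.account_id
        return None


def link_persona_vulnerable(d, token, target_account_id, persona):
    """Defect: verifies only that the token is valid, never that it belongs to the target account."""
    if token not in d.sessions:
        raise AuthorizationError("invalid token")
    for acct in d.accounts.values():          # silently re-home the persona
        acct.personas.discard(persona)
    d.accounts[target_account_id].personas.add(persona)
    return d.owner_of(persona)


def link_persona_hardened(d, token, target_account_id, persona, proof):
    """Hardened: scope check, token bound to target account, proof of persona control, no takeover."""
    session = d.sessions.get(token)
    if session is None or "persona:link" not in session.scopes:
        raise AuthorizationError("missing persona:link scope")
    if session.account_id != target_account_id:
        raise AuthorizationError("token is not bound to the target account")
    if d.persona_proofs.get(persona) != proof:
        raise AuthorizationError("caller did not prove control of the persona")
    current = d.owner_of(persona)
    if current is not None and current != target_account_id:
        raise AuthorizationError("persona already linked elsewhere; unlink first")
    d.accounts[target_account_id].personas.add(persona)
    return d.owner_of(persona)


def build_sample_directory():
    """Constructed sample: an attacker account with a console persona and a victim account."""
    d = Directory()
    d.accounts["acct-attacker"] = Account("acct-attacker", personas={"xbox:attacker"})
    d.accounts["acct-victim"] = Account("acct-victim", personas={"xbox:victim"})
    d.sessions["tok-attacker"] = Session("acct-attacker", frozenset({"persona:link"}))
    d.persona_proofs["xbox:attacker"] = "proof-attacker"
    return d


def run_scenario():
    """Returns what each handler lets the attacker's token do against the victim's account."""
    d = build_sample_directory()
    # Vulnerable handler: the attacker's persona now resolves to the victim's account at login.
    vuln_result = link_persona_vulnerable(d, "tok-attacker", "acct-victim", "xbox:attacker")

    d = build_sample_directory()
    try:
        link_persona_hardened(d, "tok-attacker", "acct-victim", "xbox:attacker", "proof-attacker")
        hardened_rejected = False
    except AuthorizationError:
        hardened_rejected = True
    # Legitimate use still works: linking to the account the token was issued for.
    own_result = link_persona_hardened(d, "tok-attacker", "acct-attacker",
                                       "xbox:attacker", "proof-attacker")
    return {"vulnerable_resolves_to": vuln_result,
            "hardened_rejected": hardened_rejected,
            "hardened_own_account": own_result}
```

The design point is that the vulnerable handler authenticates the caller but never authorizes the operation against the resource it touches; the hardened handler makes the token's subject, the target account and the persona's proven holder agree before any state changes, and treats an already-linked persona as an explicit unlink-then-link rather than an implicit move.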
Kahler responsibly disclosed the vulnerabilities to EA on June 16th, 2024, and, according to the blog post, EA confirmed the flaw and assigned it critical severity. Five patches followed between July 7th and October 8th.
“Given the severity, it’s a bit strange how long it took EA to get fixes out. Their original estimation was that it wouldn't be done until the end of the year despite this being a simple case of exposed documentation and a single insecure endpoint. I understand it's more complicated than that internally, but a quick patch to fix the crux of the problem would've been prudent,” the researcher said.
Kahler also noted that EA hasn’t yet started a bug bounty program and has no real incentives to report vulnerabilities.
Cybernews has reached out to EA and will include its response.