EA’s Origin client was found to have a bug that could let malicious users gain access to other users’ account data.
The bug was found by a security researcher who goes by “beard” on Twitter. Beard confirmed in an interview with ZDNet that they originally found it on October 1st. When a user edits their account details on EA.com through the Origin client, the client automatically generates an auto-login URL that carries the user’s username and password in the URL itself. This is a practice that should obviously be avoided, and it isn’t exclusive to Origin: many older sites and programs still use this method of authentication.
Usually, an authentication step ties the resulting session to something like the client’s cookies or IP address, so nobody but the user can make use of it. This auto-login URL does neither, so it logs in whoever opens it. That could be an issue for users who access their account over unsecured WiFi, such as in stores, malls, cafes, and anywhere else.
Such URLs can also be harvested by bots without the user noticing. Anyone holding the URL, on any device, could log in to the affected Origin account. Beard posted a demo of the bug in action and says an attacker can then see user information such as real names, the last four digits of credit cards, parts of phone numbers, and more:
Hey @EAHelp @EA can we get someone to contact us at eabugbounty@protonmail.com? Auto-Login URLs are a very bad idea. Video below showcasing this bug, and allowing it to auto sign into an account on a browser with no cache or history of ever having been to https://t.co/KvS2LlbXkv. pic.twitter.com/HGXoFUIvyI
— beard (@beardlyness) October 7, 2018
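To make the weakness concrete, here is an added illustration in Python (not code from EA, Origin or Beard): a stand-in for the weak auto-login URL that carries the credentials, beside a hardened design in which the link carries only a random, short-lived, single-use token that the server binds to the client that requested it. The endpoint, the user record and the client identifiers (a session cookie plus an IP address) are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoint for the demo, not EA's real login URL.
BASE = "https://login.example.invalid/autologin"

# Constructed user store. Held in clear only to keep the demo short;
# a real service would store a password hash.
USERS = {"alice": "correct horse battery staple"}


def _first(url: str, key: str) -> str:
    """Return the first value of query parameter `key` in `url` ('' if absent)."""
    return parse_qs(urlparse(url).query).get(key, [""])[0]


# --- Weak design: the link itself carries the credentials -------------------
def weak_autologin_url(username: str, password: str) -> str:
    """Build a link that logs in whoever opens it, from any device."""
    return f"{BASE}?{urlencode({'user': username, 'pass': password})}"


def weak_redeem(url: str, client: str) -> Optional[str]:
    """Server side of the weak design. `client` (cookie + IP of whoever
    sent the request) is ignored, so a stolen link works from anywhere."""
    user, pw = _first(url, "user"), _first(url, "pass")
    expected = USERS.get(user, "")
    if expected and hmac.compare_digest(expected.encode(), pw.encode()):
        return user
    return None


# --- Hardened design: random, short-lived, single-use, client-bound token ---
@dataclass
class _Record:
    user: str
    client_hash: bytes   # hash of the session cookie + IP that requested it
    expires: float
    used: bool = False


def _fingerprint(client: str) -> bytes:
    return hashlib.sha256(client.encode()).digest()


class TokenStore:
    """Issues auto-login links that carry only an opaque token. The user and
    the client binding live server-side, so the URL reveals nothing and a
    copied link cannot be reused elsewhere or later."""

    def __init__(self, ttl_seconds: float = 60.0,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds
        self._clock = clock
        self._tokens: Dict[str, _Record] = {}

    def issue(self, user: str, client: str) -> str:
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._tokens[token] = _Record(user, _fingerprint(client),
                                      self._clock() + self._ttl)
        return f"{BASE}?{urlencode({'t': token})}"

    def redeem(self, url: str, client: str) -> Optional[str]:
        rec = self._tokens.get(_first(url, "t"))
        if rec is None or rec.used or self._clock() > rec.expires:
            return None                            # unknown, replayed or expired
        if not hmac.compare_digest(rec.client_hash, _fingerprint(client)):
            return None                            # presented from another client
        rec.used = True                            # burn it on first use
        return rec.user


def demo() -> Dict[str, Optional[str]]:
    """Replay the article's scenario: the victim's link ends up with an attacker."""
    victim, attacker = "sess=abc123;ip=192.0.2.10", "sess=none;ip=203.0.113.7"
    weak = weak_autologin_url("alice", USERS["alice"])
    store = TokenStore(ttl_seconds=60)
    strong = store.issue("alice", victim)
    return {
        "weak_from_attacker": weak_redeem(weak, attacker),       # 'alice'
        "strong_from_attacker": store.redeem(strong, attacker),  # None
        "strong_from_victim": store.redeem(strong, victim),      # 'alice'
        "strong_replayed": store.redeem(strong, victim),         # None
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats for anyone adapting this: binding to the IP address, as the article mentions, breaks legitimate users whose address changes mid-session (mobile networks, some corporate proxies), so binding to the session cookie alone is often the more workable choice; and the token still travels in a URL, so it must be served only over HTTPS and kept out of server and proxy logs, or the single-use and expiry limits are all that stand between a leaked link and an account.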
ZDNet reports that EA already knew about the bug earlier this month and had been working on a fix, which has since been rolled out this month. EA also says no user data was accessed through the bug. Regardless, be wary about sharing your information, always safeguard your data, and never give out more than you have to.