Security firms demonstrate subdomain hijack exploit vs. EA/Origin


Israeli security firms Check Point and CyberInt partnered up this week to find, exploit, and demonstrate a nasty security flaw that allows attackers to hijack player accounts in EA/Origin's online games. The exploit chains together several classic types of attack—phishing, session hijacking, and cross-site scripting—but the key flaw that makes the entire attack work is poorly maintained DNS.

This short video clip walks you through the entire process: phish a victim, steal their account token, access their account, and even buy in-game stuff with their saved credit card. (You might want to mute before you press play—the background music is loud and obnoxious.)

If you have a reasonably good eye for infosec, most of the video speaks for itself. The attacker phishes a victim over WhatsApp into clicking a dodgy link, the victim clicks the shiny and gets owned, and the stolen credentials are used to wreak havoc on the victim's account.

What makes this attack different—and considerably more dangerous—is the attacker's possession of a site hosted at a valid, working subdomain of ea.com. Without a real subdomain in their possession, the attacker would have had to get the victim to log into a fake EA portal in order to harvest a password. This would have immensely increased the likelihood of the victim becoming alert to a scam. With the working subdomain, the attacker was able to harvest the authentication token from an existing, active EA session before exploiting it directly and in real time.


via Biz & IT – Ars Technica https://ift.tt/2Ygc430
