Earlier this month, EA rolled out an update to Origin to fix a security glitch that allowed third parties to track and collect users’ personal information through the settings panel via the EA Origin auto-login URL.
The glitch allowed third-parties to access users’ account data when they logged into the Origin client and tried to edit their account information on EA.com.
A security researcher known online only as Beard discovered the bug on October 1.
When a user uses this method to access and edit an account, “the EA Origin client will spit out an auto-login URL, in which the token is basically the equivalent of your active username and password”, Beard told ZDNet in an interview last week.
Auto-login URLs are common in desktop and web-based applications, but they are usually bound to the user’s IP address or to cookies set earlier in the session, and that binding decides whether whoever presents the URL is allowed into the account.
But Origin’s auto-login URL worked even if the attacker was using a different IP address or browser.
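The binding the previous two paragraphs describe is what separates a safe auto-login URL from one that works from any browser. The following is an added illustration, not EA’s or Origin’s code: a server issues an HMAC-signed auto-login token that carries a hash of the requesting client’s session cookie, expires after one minute, and can be redeemed once. Redeeming it from a client that presents a different cookie fails, which is the check the article says Origin lacked; the `require_binding=False` path shows the weak behaviour for contrast. The signing key, endpoint host and cookie values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values; not a real key or a real account endpoint.
SERVER_KEY = b"constructed-server-side-signing-key"
LOGIN_ENDPOINT = "https://account.example.invalid/login"
TOKEN_TTL_SECONDS = 60

# Server-side record of issued-but-unredeemed token nonces (single use).
_issued_nonces: set = set()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def issue_login_url(user_id: str, client_cookie: str, now: Optional[float] = None) -> str:
    """Build an auto-login URL whose token is bound to the requesting client's
    session cookie and expires after TOKEN_TTL_SECONDS. Only a hash of the
    cookie is embedded, so the token does not leak the cookie itself."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(16)
    claims = {
        "sub": user_id,
        "exp": int(now) + TOKEN_TTL_SECONDS,
        "cb": hashlib.sha256(client_cookie.encode()).hexdigest(),  # client binding
        "nonce": nonce,
    }
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    token = _b64(payload) + "." + _b64(_sign(payload))
    _issued_nonces.add(nonce)
    return LOGIN_ENDPOINT + "?" + urlencode({"token": token})


def redeem_login_url(url: str, presented_cookie: str, now: Optional[float] = None,
                     require_binding: bool = True) -> Optional[str]:
    """Return the user id if the token in *url* is valid for this client, else None.
    Rejects a bad signature, an expired token, a cookie that does not match the
    one the token was issued to (a replay from another browser or network),
    and any token that has already been redeemed."""
    now = time.time() if now is None else now
    token = parse_qs(urlparse(url).query).get("token", [""])[0]
    if "." not in token:
        return None
    payload_b64, sig_b64 = token.rsplit(".", 1)
    try:
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None  # forged or tampered token
    claims = json.loads(payload)
    if now > claims["exp"]:
        return None  # expired
    expected_cb = hashlib.sha256(presented_cookie.encode()).hexdigest()
    if require_binding and not hmac.compare_digest(claims["cb"], expected_cb):
        return None  # presented from a client the token was not issued to
    if claims["nonce"] not in _issued_nonces:
        return None  # already redeemed (or never issued by this server)
    _issued_nonces.discard(claims["nonce"])
    return claims["sub"]


if __name__ == "__main__":
    url = issue_login_url("player42", "session-cookie-A", now=1000)
    print("other browser :", redeem_login_url(url, "session-cookie-B", now=1001))
    print("issuing client:", redeem_login_url(url, "session-cookie-A", now=1001))
    print("second use    :", redeem_login_url(url, "session-cookie-A", now=1002))
```

The cookie hash ties the URL to the client that asked for it, the expiry limits how long a captured URL stays useful, and the nonce set makes each URL single use, so a copy captured on a shared network is worthless unless the attacker also holds the victim’s session cookie and wins the race to redeem it first. Binding to an IP address instead of a cookie, as the article mentions some services do, is weaker on shared hotspots, where every client behind the NAT shares one address.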
“If you’re on an unsecured network or WiFi hotspot, like at a cafe or hotel, someone can easily grab these token auto-login URLs and basically log in as the end user who requested these token links,” Beard explained in the interview.
What’s worse is that these auto-login URLs could also be collected by IoT malware/botnets designed to infect routers, thus allowing attackers to automate the process of mass-harvesting user account data.
Beard explained an attacker could use the auto-login URL to gain user information such as the player’s real name, phone number, email, and other sensitive account information.
Also, if attackers managed to guess the security question of an account, they could gain complete control of the account, and then use the payment information stored in the account to purchase games and other items.
An EA spokesperson confirmed that a fix was applied at the beginning of November. They also said they had not found any evidence of unauthorized use or access to users’ private data.