Sean Kahler, a white-hat researcher, identified a critical vulnerability in Electronic Arts' (EA) account system that gave him access to over 700 million EA accounts. He reported the issue to the company together with the technical details, and EA has now patched the vulnerability.
Kahler obtained a privileged access token while scanning a test environment, after discovering hard-coded credentials in one of the target executables. Further reconnaissance revealed an internal service with an exposed API (Application Programming Interface) that held the user profiles known as "personas" and allowed them to be modified. Kahler found that the permission settings for update requests to the API endpoint '/identity/pids/{pidId}/personas/{personaId}', which manages persona data, were wrong, so that any player's persona could be rewritten. The researcher immediately sent a request to change the player name of his own account and was able to change it without the usual username-change cooldown and email confirmation.
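As an added example (not EA's code), this is the kind of object-level authorization check the update endpoint described above was missing: the permissive "before" decision beside a hardened version. The token fields, the scope name, the persona store and the status codes are assumptions made for illustration.

```python
# Added example, not EA's code. Models the authorization decision for
# PUT /identity/pids/{pidId}/personas/{personaId}. Token layout, the
# "persona:admin" scope and the persona store are assumptions.
from dataclasses import dataclass, field

@dataclass
class Token:
    pid: str                          # account the token was issued to
    scopes: set = field(default_factory=set)

# Constructed sample data: persona id -> owning account (pid)
PERSONAS = {"p-100": "pid-A", "p-200": "pid-B"}

ADMIN_SCOPE = "persona:admin"         # assumed internal-only scope


def authorize_update_vulnerable(token, pid_id, persona_id, fields):
    """'Before': only asks whether a token was presented and the persona
    exists. Any authenticated caller may rewrite any persona, and a
    player-name change skips cooldown and email confirmation."""
    if token is None:
        return 401
    if persona_id not in PERSONAS:
        return 404
    return 200


def authorize_update_hardened(token, pid_id, persona_id, fields):
    """Hardened: bind the persona to the pid in the path, bind the caller
    to that pid (or require an explicit admin scope), and route player-name
    changes through the normal cooldown/confirmation flow."""
    if token is None:
        return 401
    owner = PERSONAS.get(persona_id)
    # Treat "not yours" the same as "not found" so the endpoint cannot be
    # used to enumerate other accounts' personas.
    if owner is None or owner != pid_id:
        return 404
    is_admin = ADMIN_SCOPE in token.scopes
    if token.pid != pid_id and not is_admin:
        return 403
    if "name" in fields and not is_admin:
        return 202           # accepted, pending cooldown + email confirmation
    return 200
```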
The researcher also discovered that he could move his own EA account onto another user's EA account. Kahler was able to log into any user's account from a console and enter a game, e.g., Battlefield 2042, without providing any credentials, completely bypassing authentication.
Had a malicious actor found the flaw first, they could even have locked users out of their own game profiles, since the exposed API allowed banning accounts, changing usernames, bypassing bans, and more. Kahler responsibly disclosed the vulnerability to EA on 16th June 2024. EA acted on the issue and released five patches between 7th July and 8th October 2024 to address it. According to the researcher, however, these vulnerabilities could have been fixed in a shorter timeframe, as the root cause was exposed documentation and a single vulnerable endpoint.