EA ignored domain vulnerabilities for months despite warnings and breaches

Information security experts provided the company with a PoC exploit for the attack; Electronic Arts confirmed its receipt but did not fix the vulnerability.

The data leak revealed this month by the American video game publisher Electronic Arts could be much more serious than previously thought. The concern is not the scale of the incident, but the fact that a company can ignore security threats it knows about and fail to prevent cyberattacks.

A few weeks ago, messages began to appear on hacker forums about the theft from Electronic Arts of about 780 GB of source code, proprietary frameworks, development tools (SDKs) and engines. All of the stolen data, including access to FIFA 21 servers, FIFA 22 API keys and some SDKs for Microsoft Xbox and Sony, has been put up for sale.

According to the company, it has begun investigating the incident, and the leak itself was limited to only a small amount of source code and related tools. Player data was not affected, and “there is no reason to think that the privacy of the players is in any way threatened,” Electronic Arts assured. Nevertheless, according to information security experts, the incident could and should have been prevented.

Ori Engelberg, the co-founder of the Israeli information security company Cyberpion, told ZDNet that he and his colleagues warned the video game manufacturer last year about a number of security problems (in particular, incorrect DNS settings that allowed attackers to gain control over domains). … In December 2020, Cyberpion provided Electronic Arts with a PoC exploit for the attack; the video game manufacturer confirmed its receipt and promised to contact information security companies in case of any questions, but did not do so. The vulnerabilities were also left unpatched.

Engelberg said that by using the stolen domains, attackers can send users emails on behalf of Electronic Arts and ask them for account information or other sensitive data. The company already faced backlash last week after it emerged that a chain of vulnerabilities could have allowed attackers to gain access to personal information and take control of player accounts.
