Israeli security firms Check Point and CyberInt partnered this week to find, exploit, and demonstrate a serious security flaw that lets attackers hijack players' accounts for EA/Origin online games. Several classic attacks (phishing, site hijacking, and cross-site scripting) are chained together in the exploit, but the real vulnerability that does all the heavy lifting is poorly maintained DNS.
If you have a good eye for infosec, most of the video speaks for itself. The attacker baits the victim over WhatsApp into clicking a malicious link, the victim clicks the shiny thing and gets pwned, and the stolen credentials are used to ransack the victim's account.
What makes this attack different, and significantly more dangerous, is that the attacker controls a site hosted on a valid, working subdomain of ea.com. Without a real subdomain under their control, the attack would require the victim to visit a fake EA portal and type in a password, which greatly increases the chance that the victim notices the fraud. With the working subdomain, the attacker can instead harvest the authentication token from the victim's existing, active EA session and use it directly and in real time.
When I talked to CyberInt's Alex Peleg and Check Point's Oded Vanunu in a conference call today, there was really only one thing I wanted to know: how did you get the EA subdomain in the first place? According to the two researchers, this is a fairly common pattern. A large company launches a new marketing campaign, assembles a team to do the necessary coding, and gives that team a new subdomain, such as eaplayinvite.ea.com, to run the campaign on. The devops team spins up new instances in AWS, Google Cloud, or a similar provider, then uses a CNAME record to point the company's subdomain at the hostname the provider assigned to the instance. When the marketing campaign is over, the AWS or other cloud instance is shut down... but nobody tells the team that runs the company's primary domain to get rid of the CNAME record.
A hacker interested in the company can notice that it has published a new subdomain and then use the dig tool to see how it is hosted. If the attacker sees that the company used a CNAME record to redirect the subdomain to a cloud provider's hostname, the next step is simply to wait for the marketing campaign to end and the URLs used in the campaign to stop working. Now dig the subdomain's name again: if the original CNAME is still intact, we're in business. The attacker then uses their own account with the same cloud provider and claims the same provider hostname the campaign originally used.
At this point, the original CNAME points at a site the attacker controls rather than one under the company's control. Armed with a working subdomain of the company's real domain, the attacker can capture (and set!) cookies belonging to the company's users. That makes direct attacks on victims possible immediately.
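The defender's side of the procedure above is a routine check for exactly that leftover record: follow each subdomain's CNAME chain, see whether the end of the chain still resolves, and flag the ones that point at a third-party hosting provider where a released name could be claimed by any new tenant. The following is an added example written for this page (my own code, not Check Point's or CyberInt's, and not the tooling the researchers used). It parses `dig +noall +answer`-style lines so it runs offline against constructed sample records; the hostnames, the `cloudhost.example` provider, and the `TAKEOVER_PRONE_SUFFIXES` list are all assumptions made for the example.

```python
"""Dangling-CNAME (subdomain takeover) audit over dig-style answer lines.

Added example for illustration; not code from Check Point or CyberInt.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Assumption for this example: suffixes of third-party hosting services where a
# released hostname may be claimable by any new tenant. Maintain this list from
# the providers your own org actually uses; cloudhost.example is made up.
TAKEOVER_PRONE_SUFFIXES = (
    ".cloudhost.example",
    ".s3.amazonaws.com",
    ".azurewebsites.net",
)

MAX_CNAME_DEPTH = 10  # stop following CNAMEs after this many hops (loop guard)

# One `dig +noall +answer` line: OWNER TTL IN TYPE RDATA
DIG_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|A|AAAA)\s+(\S+)$")

Lookup = Callable[[str, str], Optional[List[str]]]


def _canon(name: str) -> str:
    """Lower-case and drop the trailing dot so names compare equal."""
    return name.lower().rstrip(".")


def parse_dig_answers(text: str) -> Dict[Tuple[str, str], List[str]]:
    """Turn dig-style answer lines into {(owner, rrtype): [rdata, ...]}."""
    table: Dict[Tuple[str, str], List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or dig comment
            continue
        m = DIG_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised dig line: {line!r}")
        owner, rtype, rdata = m.groups()
        table.setdefault((_canon(owner), rtype), []).append(_canon(rdata))
    return table


def make_table_resolver(table: Dict[Tuple[str, str], List[str]]) -> Lookup:
    """Offline resolver over parsed records; None means 'no such record'.

    For live use, swap in a function that runs dig or dnspython and returns
    the rdata list, or None on NXDOMAIN/NODATA.
    """
    def lookup(name: str, rtype: str) -> Optional[List[str]]:
        return table.get((_canon(name), rtype))
    return lookup


@dataclass
class CnameCheck:
    name: str
    chain: List[str] = field(default_factory=list)  # CNAME targets, in order
    resolves: bool = False     # does the end of the chain have an A/AAAA?
    third_party: bool = False  # does the final target sit on a claimable provider?

    @property
    def dangling(self) -> bool:
        return bool(self.chain) and not self.resolves

    @property
    def takeover_candidate(self) -> bool:
        # Dangling to an internal name is still a bug, but an outsider
        # cannot register it; only third-party targets are claimable.
        return self.dangling and self.third_party


def check_subdomain(name: str, lookup: Lookup) -> CnameCheck:
    """Follow the CNAME chain from `name` and report whether it dangles."""
    result = CnameCheck(name=_canon(name))
    current = result.name
    for _ in range(MAX_CNAME_DEPTH):
        targets = lookup(current, "CNAME")
        if not targets:
            break
        current = targets[0]
        result.chain.append(current)
    result.resolves = bool(lookup(current, "A") or lookup(current, "AAAA"))
    result.third_party = current.endswith(TAKEOVER_PRONE_SUFFIXES)
    return result


def audit(names, lookup: Lookup) -> List[CnameCheck]:
    """Return only the names an outsider could plausibly claim."""
    return [r for r in (check_subdomain(n, lookup) for n in names)
            if r.takeover_candidate]


# Constructed sample in dig +noall +answer format; not real DNS data.
SAMPLE_DIG_OUTPUT = """
; campaign ended, cloud instance deleted, CNAME left behind
campaign.example.com.          300 IN CNAME campaign-site.cloudhost.example.
; healthy CNAME to a CDN name that still resolves
www.example.com.               300 IN CNAME www.example.com.cdn.example.
www.example.com.cdn.example.    60 IN A     198.51.100.7
; plain A record, no CNAME at all
store.example.com.             300 IN A     203.0.113.10
; dangling, but to a name inside the org's own zone: fix it, not claimable
old.example.com.               300 IN CNAME retired.example.com.
"""

SAMPLE_NAMES = ["campaign.example.com", "www.example.com",
                "store.example.com", "old.example.com"]

if __name__ == "__main__":
    resolver = make_table_resolver(parse_dig_answers(SAMPLE_DIG_OUTPUT))
    for r in audit(SAMPLE_NAMES, resolver):
        print(f"TAKEOVER CANDIDATE {r.name} -> {' -> '.join(r.chain)}")
```

Two caveats for anyone running this against a real zone. First, "does not resolve" is only one signal: some providers keep answering DNS for an unclaimed name and only reveal the gap with a provider-specific error page over HTTP, so a DNS-only check has false negatives and is usually paired with an HTTP fingerprint. Second, the fix is organisational as much as technical: the record owner's team has to be on the decommissioning checklist, or the audit just keeps finding the same class of leftover.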
In this case, Alex and Oded launched a phishing attack over WhatsApp, but a more enterprising attacker might have started with a watering-hole attack instead. Imagine a serious attacker buying HTML banner ads specifically targeted at EA gamers: their ad could open an invisible iframe to the hijacked subdomain, and such an embedded frame could automatically harvest the authentication tokens of every logged-in gamer who saw it, with no user interaction required.
The possibilities are sobering.
According to Alex and Oded, the kind of oversight EA/Origin made here is depressingly common in large companies. Devops teams don't talk to infosec teams, and neither talks to the more traditional operations teams that run basic services like DNS across the company, so mistakes get made. The researchers, and their companies, hope that public demonstrations like this one will wake big companies up, break down the silos, and ultimately make end users less vulnerable to hacking.