Researchers from Check Point and CyberInt warned EA that, left unpatched, the vulnerability would let attackers “hijack and exploit” the accounts of millions of players by stealing a victim’s Single Sign-On authorisation token, bypassing the need to steal a username or password at all. Both companies found the flaw after taking control of an EA subdomain, eaplayinvite.ea.com. According to them, the subdomain was inactive but still pointed at a Microsoft Azure cloud service, which is what let them claim it (a subdomain takeover through a dangling DNS record). After taking over the page, they said, they turned it into a phishing trap.
From that point onward, the researchers could have sent links on that domain to victims of their choice, and targets would have been more likely to click them because they arrived from an EA-affiliated address. Of course, Check Point and CyberInt did not do that; instead they reported the flaw to EA in February. EA has since patched it, stating that player safety is its priority. (Source: CNET)
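The check a defender would want after reading this is an inventory of CNAME records that point at cloud-hosted names which no longer resolve, since that is the condition the researchers exploited. The script below is an added example written for this page, not code from Check Point, CyberInt or EA. It replaces live DNS with an in-memory resolver so it runs offline; the zone records, the target hostnames and the list of takeover-prone cloud suffixes are all constructed assumptions for illustration (Azure suffixes are used because Azure is the service the article names).

```python
"""Flag subdomain-takeover candidates: CNAME records whose target sits on a
cloud service where a deprovisioned resource name can be re-registered, and
whose target no longer resolves.

Added example, not code from the article or the researchers it describes.
DNS is simulated with dictionaries so the script runs offline; every record
and hostname below is constructed.
"""
from typing import Dict, Optional

# Assumed list of cloud suffixes where an abandoned resource name is claimable.
# The Azure entries match the kind of service the article describes; treat the
# list as an illustration, not an authoritative catalogue.
TAKEOVER_PRONE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.net",
    ".trafficmanager.net",
)

# Constructed zone data: subdomain -> CNAME target.
CNAME_RECORDS: Dict[str, str] = {
    "invite.example.com": "old-invite-service.azurewebsites.net",
    "www.example.com": "web-prod.cloudapp.net",
    "blog.example.com": "hosted-blog.example.net",
}

# Constructed resolver state: targets that still resolve, with an A record.
# Any target missing from this table behaves as a real NXDOMAIN would.
A_RECORDS: Dict[str, str] = {
    "web-prod.cloudapp.net": "203.0.113.10",
    "hosted-blog.example.net": "198.51.100.7",
}


def resolve_a(name: str, a_records: Dict[str, str] = A_RECORDS) -> Optional[str]:
    """Simulated A lookup; None stands in for NXDOMAIN."""
    return a_records.get(name.lower())


def is_takeover_prone(target: str) -> bool:
    """True when the CNAME target lives on a service from the assumed list."""
    return target.lower().endswith(TAKEOVER_PRONE_SUFFIXES)


def find_dangling_cnames(
    cname_records: Dict[str, str], a_records: Dict[str, str] = A_RECORDS
) -> Dict[str, str]:
    """Return {subdomain: target} for records that are both on a takeover-prone
    service and no longer resolve. A record that still resolves is in use; a
    record pointing elsewhere is not claimable by this route, so both are skipped."""
    dangling: Dict[str, str] = {}
    for subdomain, target in cname_records.items():
        if is_takeover_prone(target) and resolve_a(target, a_records) is None:
            dangling[subdomain] = target
    return dangling


if __name__ == "__main__":
    for subdomain, target in find_dangling_cnames(CNAME_RECORDS).items():
        print(f"POSSIBLE TAKEOVER: {subdomain} -> {target} (target does not resolve)")
```

In a real deployment the two dictionaries would be replaced by a zone export and a live resolver, and a hit should be treated as urgent: until the record is deleted or the cloud resource is re-created under the same name, anyone can register that name and serve content under the organisation's own domain, exactly as the researchers did here.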