Hacker explains how he discovered a vulnerability that could allow him to steal, ban, and do whatever he wants with EA's 700 million accounts
Game developer and reverse engineer Sean Kahler reports that he discovered a vulnerability that would have allowed him to take over all of Electronic Arts (EA)'s accounts.
Hacking 700 Million Electronic Arts Accounts | Sean Kahler
Because EA develops games for many different platforms, we use a system called 'personas' to link accounts across platforms. When you link a new platform account to your EA account, we create a persona for that platform and store your player name and other data for that platform.
While investigating EA's authentication system API, Kahler found that the permission settings for update requests to the API endpoint '/identity/pids/{pidId}/personas/{personaId}', which manages persona data, were misconfigured, so that any player's persona could be rewritten. When Kahler immediately sent a request to change the player name of his own account, the name was changed without the usual username change cooldown and email confirmation.
In addition, Kahler was able to freely change the status of the account, for example to 'BANNED.' When he set his own account to 'BANNED,' the following message appeared, preventing him from accessing the game.
As Kahler continued his investigation, he discovered that the link between a persona and an EA account could also be freely changed. When he linked his own Steam account to a friend's EA account and tried to log in to the friend's account via Steam, he was asked to authenticate via email as a 'login from a new location.'
Kahler remembered that he had never been asked to verify his email address when playing games on Xbox, so he linked his Xbox persona to an EA account he had created for testing and tried logging in on Xbox, successfully bypassing the email verification and logging in. In the image below, the name of the test account, 'TestVictim,' is displayed.
Once a login from Xbox succeeds, EA recognizes that location as trusted, and subsequent web logins no longer prompt for email verification.
Kahler said that the vulnerability could be exploited to do the following:
- Steal usernames and game data by linking someone else's persona to another account.
- Log into any account via the attacker's own Xbox persona.
- Ban other people's personas, making them unable to play the game.
- Change someone else's username.
- Move a banned persona to another account to evade the ban.
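The root cause described above is a missing authorization check on the persona update endpoint: the server trusted the account and persona identifiers in the URL and accepted every field in the request body. The following toy model, added here as an illustration and not EA's code, puts the flawed handler beside a hardened one for a PATCH on '/identity/pids/{pidId}/personas/{personaId}'. The account ids, persona ids, role name 'account-admin', the 30-day cooldown and the email-confirmation flag are all constructed assumptions used to make the checks concrete.

```python
"""Toy model of a persona update endpoint (constructed example, not EA's code).

update_persona_vulnerable() reproduces the flaw the article describes:
any authenticated caller can rewrite any persona, including its status and
its owning account. update_persona_hardened() adds the checks a defender
would expect: object-level ownership, a field allowlist, and the
name-change business rules (email confirmation and cooldown).
"""
import time
from dataclasses import dataclass

NAME_CHANGE_COOLDOWN = 30 * 24 * 3600  # assumed policy: 30 days between renames


@dataclass
class Persona:
    persona_id: int
    pid_id: int                  # EA account (pid) that owns this persona
    display_name: str
    status: str = "ACTIVE"       # e.g. ACTIVE or BANNED
    last_name_change: float = 0.0


class Forbidden(Exception):
    pass


class BadRequest(Exception):
    pass


class CooldownActive(Exception):
    pass


class EmailConfirmationRequired(Exception):
    pass


def make_store():
    """Constructed sample data: account 10 owns persona 1001, account 20 owns 2002."""
    return {1001: Persona(1001, 10, "Alice"), 2002: Persona(2002, 20, "Bob")}


USER_WRITABLE = {"display_name"}   # a player may change this on their own persona
PRIVILEGED = {"status", "pid_id"}  # only trust-and-safety / account-linking services


def update_persona_vulnerable(store, caller_pid, pid_id, persona_id, patch):
    """The flaw as described: the path ids are trusted and every field is writable."""
    persona = store[persona_id]
    for key, value in patch.items():
        setattr(persona, key, value)
    return persona


def update_persona_hardened(store, caller_pid, pid_id, persona_id, patch,
                            caller_roles=frozenset(), email_confirmed=False, now=None):
    """Same operation with object-level, field-level and business-rule checks."""
    now = time.time() if now is None else now
    is_admin = "account-admin" in caller_roles  # assumed role for internal services
    persona = store.get(persona_id)
    # 1. Object-level authorization: the persona must belong to the pid in the
    #    path, and the caller must be that pid unless it is a privileged service.
    if persona is None or persona.pid_id != pid_id:
        raise Forbidden("persona not found under this account")
    if caller_pid != pid_id and not is_admin:
        raise Forbidden("caller does not own this account")
    # 2. Field-level authorization: reject unknown fields, and reserve
    #    status/ownership changes for privileged callers.
    fields = set(patch)
    if fields - USER_WRITABLE - PRIVILEGED:
        raise BadRequest("unknown field in patch")
    if (fields & PRIVILEGED) and not is_admin:
        raise Forbidden("field requires a privileged caller")
    # 3. Business rules for player-driven renames: confirmation and cooldown.
    if "display_name" in fields and not is_admin:
        if not email_confirmed:
            raise EmailConfirmationRequired()
        if now - persona.last_name_change < NAME_CHANGE_COOLDOWN:
            raise CooldownActive()
        persona.last_name_change = now
    for key, value in patch.items():
        setattr(persona, key, value)
    return persona


def attempt(fn, *args, **kwargs):
    """Run a handler and report 'OK' or the name of the rejection it raised."""
    try:
        fn(*args, **kwargs)
        return "OK"
    except (Forbidden, BadRequest, CooldownActive, EmailConfirmationRequired) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    store = make_store()
    # Account 10 tries to ban account 20's persona through the flawed handler.
    print(attempt(update_persona_vulnerable, store, 10, 20, 2002, {"status": "BANNED"}))
    print(store[2002].status)  # BANNED: the flaw let a stranger change it
    store = make_store()
    print(attempt(update_persona_hardened, store, 10, 20, 2002, {"status": "BANNED"}))
    print(store[2002].status)  # ACTIVE: the hardened handler refused
```

The hardened handler checks ownership against the authenticated caller rather than the URL, which is the check the article's findings show was missing; the field allowlist separately stops a player from touching `status` or `pid_id` even on their own persona, so a ban cannot be lifted or moved by re-linking.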
Kahler reported the vulnerability to EA on June 16, 2024, and EA fixed the issue on October 8, 2024, after five patches.
Posted by log1d_ts in Web Service, Security