This could have been exploited to just unban every account that has ever been banned. This guy would have made a fortune selling just that exploit to cheaters.
Pretty sure "price restructuring" (price increases) will be paid by most users (sunk cost fallacy).
Mafia style. The second part is called "pizzo".
Think about being able to empower a kid to ban anyone they want.
It would turn into chaos but I do not think such a service would be long lived as it would generate so many support tickets and issues that EA would start looking into how it was happening.
There's lots of fun ideas you can go for here, but just as one, suppose I spend a month banning accounts that haven't played much, but more than zero. Then go quiet for a couple of weeks. EA frontline support notices but if you play your cards right they don't put the pieces together and nobody is quite roused to investigate. Then you start up again, somewhat faster, spend a couple of days banning a good chunk of medium sized accounts. Then maybe at the end you ban the biggest accounts as quickly as you can.
Now the bannings are news. EA's PR is probably completely blown out by the crisis and starts saying contradictory things. (My guess is that initially they end up backing their right to ban people and releasing statements to the effect of how right they probably are; this is, in the end, a huge mistake on their part.) Gamers can be reliably expected to start a ton of rumors, take them in the worst way possible, and antagonize EA, and EA is pretty likely to make at least one class-A error in being antagonistic back. (The hackers could even supply some of the rumors and some bots to get them going, though I doubt it'll be necessary. The gamer community is pretty well primed to turn on EA.) A ton of people who are curious but figure this can't be affecting them because they hardly use the service log in and discover they've been banned despite not having done anything on EA in six months. The fire rises as they post to reddit and hundreds of people chime in with "WTF, me too!", even if it's only a small percentage of the total people who check.
Several days later, EA puts all the pieces together confidently enough to be sure that they can announce it's a hack. They're right. Nobody cares. Half of the gamer community doesn't even believe their defense.
It's hard to guess what the upper bound of damage is on this scenario.
I think the real quiet $ maker would be stealing usernames instead.
Like if you wanted the EA gametag of jerf but someone else had it, you could steal it using OPs method if it was still unpatched. A pay service for this would be viable in low volume and on the EA side it would just look like the user did it.
The seller of service would have to implement some kind of checks to make sure for example they weren't stealing the username of a top streamer or etc which would bring heat.
Not that I'd advise either course of action, for the players' sake.
It's not clear to me what was exploitable when.
It would be interesting to see what I imagine to be the reams of notes from one of these to show how much time and effort it takes to perform this kind of attack.
Does that mean the author got nothing for reporting this?
Correct.
https://pentester.land/writeups/
It gets updated every few weeks/months.
I wouldn't mess around with this stuff myself.
The VPN provider will share information if an active investigation is underway.
You can pay for a VPN using Monero or cash and then connect to the VPN from Tor; the VPN provider doesn't need to know anything.
If I were to mess around with stuff, and I'm not, the only way I'd do it is with a used laptop off Craigslist or whatever and a cafe with no cameras, and even then, idk.
Done.
Deploy image containing Tor router and hidden service onion config.
Do above as many times as one needs to feel comfortable.
Use VPSes as proxies intermixed with VPN and Tor legs.
What's lil officer Timmy at CISA gon' do? Netflow you? LOL!
Re-use a username, accidentally log in to something as yourself, forget to turn on the VPN, etc.
Just for some lolz which could result in prison time.
As a paying customer, I expect better from these companies and personally wouldn't blame the hackers for exploiting their findings if no program exists.
They definitely do have backups; no-one is storing 400mm records on a single machine, and ultimately you'd just take them offline for an afternoon and then spend 15 years in a federal prison.
Because the first thought (at least, the highest rated post right now) is that it would have been "fun" to hurt millions of people to teach the company they were doing business with a lesson.
EA - "So here's $0."
If anyone is at EA, this man just saved the integrity of your entire empire, you might want to give him at least a token amount.
I reached out to employees via unofficial channels. I'm sure if I had spoken to some exec I'd be in jail right now.
The company is liable for $10 per hacked user minus 100X the bounty spend for that year.
Though it's likely in a case like this, no single person was responsible for the vulnerability. Probably 5 or 6 different teams owned different parts of what he exploited (which is probably why the exploit existed in the first place - big complex system where everyone only understands their tiny piece of it).
- someone else proxied your API to the public
- someone else leaked credentials you assigned them in the public code of a game
As someone working on a team that publishes APIs to the greater large organization, you can't trust other people. People be doing wild things.
At a company the size of EA almost certainly this will be used to play politics and even if it hurts the company as a whole people will use it to have larger control over the now smaller company.
The company I work for now likely has weaker security simply from having glued various acquisitions in. We have API endpoints specific to some of them.
Systems are complicated and hard to keep in your head. Knowledge doesn't always transfer to other teams. Especially over 15 years. Sometimes you don't realize you've made an error.
Most people are emotionally invested because they spent time and energy to build something and don't want it to be for nothing. Most people like to try to do the right thing.
Back then the team was called Nucleus (hence in one of the responses in the article, the refType was NUCLEUS), who built and managed the backend API for Entitlements, Accounts, and Payments. It was a summer internship, so a year later when they offered me a position on the team, I started work there. By then the team was renamed EADP as it was slowly being merged with Origin (I forget what the DP meant, Data Platform?), hence one of the endpoints starts with `dp.`
Though, we did not have a GraphQL db back then, it was all Enterprise Java (OCI, Spring, Hibernate, etc) and some newer Groovy/SpringBoot stuff before I left. Running on datacenter servers (no cloud). But I worked on some fun things. I moved on from there after 2-3 years after some shit hit the fan, but I learned a lot of good backend dev back then from good engineers.
No clue what the team is like today, who the engineers are, or what is going on, but it is a shame to see something like this. We were very security conscious back then, and I even worked on a Bruteforce system to detect and handle bruteforce attempts on our login page. No clue if it is still active or running, but Security checks/reviews were part of our sprint task to reduce the chances and surface area of compromises.
I agree that this looks like an accidental proxy of the API. Everything was so locked down back then, never thought I'd see the API exposed like this.
I'm not excusing EA but I have worked on plenty of complicated microservice systems and it's not always so straight forward to change the structure of data in one place.
Eventually I read on a forum somewhere[1] that you could partly trick the system by temporarily closing your account and re-opening it, which got you a slightly larger 25MB. But still not the promised 250.
All this 2-4MB for existing accounts, 25MB for new accounts, and years-long rollout to 250MB gave the impression that finding spare storage was a huge struggle for Microsoft. Then a few months later they were having to compete with Gmail and they decided that everyone should get 2GB, which was rolled out to every Hotmail account including mine all at once! I can only assume aliens landed and delivered a UFO full of hard drives.
[1] Here's an example of an old forum post about the trick - complete with reply praising the brand new GMail: https://bimmersport.co.nz/topic/5232-hotmail-upgrade-2mb-to-...
If only they knew...
The third level of complication is to support China.
Perhaps I can answer a specific question or look for good pointers if you have a specific question about this?
Valve comes to mind: https://hackerone.com/valve?type=team
Just remembered: One thing I didn't like about e.g. Google's report mechanism is that it basically required a Google account. There were instructions for if you don't have one, but they didn't work (probably outdated) so you just have to agree with the extremely broad blanket statement that is the Google privacy policy. That could be something to avoid if you're setting up a policy of your own: don't require agreeing to wholly unrelated terms; hackers (in the HN sense of the word) sometimes don't take very well to that
A good experience I had was with Threema (private/encrypted chat application like Wire or Signal). The report process consisted of just sending a service account a chat message (probably there's also other ways), which was nice and easy. My report turned out to be mostly invalid (the risk was real but my imagined fix was flawed and it turned out contact discovery is a hard problem) but their answer was quick and thorough, I was impressed that they didn't just brush it off like so many orgs do.
Being on something like Hackerone, like Valve and Keybase, has pros and cons. I'm probably just old but it feels odd to me to let direct threats to your organisation be handled by a third party, sometimes even having them triage and decide whether to inform your org of a claimed vulnerability at all (recent story on HN; probably it works fine in 99% of cases), as well as it being an instance of having to sign up for something unrelated when I just want to ping an email address with the steps to reproduce. On the other hand, it standardises the whole thing so you know where to find different things if you use it more than the sporadic amount I have. I also wonder if this attracts the beg bounty hunters who see potential easy money, based on that the orgs on Hackerone seem to take reports less seriously when you didn't invest a ton of time in developing an exploit, or if the causality is reversed (maybe they chose Hackerone because they already had too many beg reports, hoping to be able to use accounts' reputation as an indicator for triage)
> I had found a way to obtain a privileged access token within the environment (a story for another day, but a certain game's executable had hardcoded credentials!), but I wasn't sure what I could do with it.
Can someone speak to this a bit more? I'm under the impression an executable binary shouldn't be easily read to find such credentials, and I don't know what else a game dev is supposed to do if their executable needs to authenticate itself with a remote server.
The main thing is that its privileged - having a token shouldn't let you do anything besides say, report your game stats to a central server or enumerate the server lists, things like that.
Games like Pokemon Go use a highly obfuscated algorithm to sign requests, which makes it much harder to actually use the key if you can retrieve it.
Why would you assume that? Binaries are perfectly easily readable on non-locked-down platforms.
You'd have to have a system where the executable is encrypted and a secure part of the CPU die handle decryption against a private key, and even then it'd probably be only a matter of time before someone delidded the chip to get the key.
I thought too highly of modern compiler string literal obfuscation.
the what now?
Of course they can all be reverse engineered by hand, if you figure out the scheme used you can write yourself an IDA or Ghidra plugin/script to automate the process - which assumes that the method doesn't (subtly) change between different builds of the target. Or you can attempt to intercept memory accesses of the application. But that's tedious, annoying and complex busywork that no one really wants to do.
It's actually very easy to find string literals in executables because of this, not hard.
What the game dev is supposed to do is have an account system on their backend, and ask the player to enter their credentials in the game. The game can then identify itself as this player to the backend servers. That way any actions on the backend can be attributed to a particular player and you have a good basis to make security decisions on.
In client server architecture, the client is always untrusted. An executable shouldn't need to authenticate itself to the server. The executable should authenticate as a user or account using details provided by the person.
In cases like telemetry these endpoints usually accept unauthenticated or lightly authenticated data and perform layers of validation to prevent abuse (and are usually write/append only)
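The point made in the comments above (a credential baked into the client should be low-privilege, and anything that matters should be attributed to a logged-in player rather than to "the game") is easier to see in code. The following is an added example, not code from the thread, from EA, or from the author of the write-up; the token format, the HMAC construction, the scope names and the subjects are all assumptions for illustration.

```python
"""Added example (not from the thread or from EA): a minimal scoped-token
scheme showing why a credential shipped inside a game client must not be
privileged. A token names a subject and a sorted list of scopes and is
signed with a server-side HMAC key; the backend decides per action whether
the presented token carries the required scope. All names and scopes below
are constructed for illustration."""
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import json

# Assumption: this key lives only on the backend and is never shipped to clients.
SERVER_SECRET = b"assumed-server-side-secret-do-not-ship"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list[str], secret: bytes = SERVER_SECRET) -> str:
    """Issue an HMAC-SHA256 signed token: base64url(payload).base64url(sig)."""
    payload = json.dumps({"sub": subject, "scopes": sorted(scopes)},
                         separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, secret: bytes = SERVER_SECRET) -> dict | None:
    """Return the claims if the signature checks out, else None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)


def authorize(token: str, required_scope: str) -> tuple[bool, str]:
    """Backend-side check: (allowed?, subject the action is attributed to)."""
    claims = verify_token(token)
    if claims is None:
        return False, "invalid-token"
    return required_scope in claims["scopes"], claims["sub"]


def forge_scope(token: str, scope: str) -> str:
    """What an attacker holding a leaked token might try: add a scope to the
    payload while keeping the old signature. Fails verification."""
    payload_b64, sig_b64 = token.split(".", 1)
    claims = json.loads(_unb64(payload_b64))
    claims["scopes"] = sorted(set(claims["scopes"]) | {scope})
    forged = json.dumps(claims, separators=(",", ":")).encode()
    return _b64(forged) + "." + sig_b64


def demo() -> dict[str, tuple[bool, str]]:
    # Constructed subjects: the shared token a binary might embed, a token a
    # player receives after logging in, and an operator token that never
    # leaves the backend network.
    client_token = issue_token("game:bf2042-client", ["stats:write", "servers:list"])
    player_token = issue_token("player:12345", ["stats:write", "profile:write"])
    ops_token = issue_token("ops:alice", ["account:ban"])
    forged = forge_scope(client_token, "account:ban")
    return {
        "client reports stats": authorize(client_token, "stats:write"),
        "client bans account": authorize(client_token, "account:ban"),
        "player edits profile": authorize(player_token, "profile:write"),
        "ops bans account": authorize(ops_token, "account:ban"),
        "forged client token": authorize(forged, "account:ban"),
    }


if __name__ == "__main__":
    for action, (allowed, subject) in demo().items():
        print(f"{action:22s} -> {'allowed' if allowed else 'denied':7s} ({subject})")
```

The shape to take away is that leaking the client token (the realistic outcome once it is in a shipped executable) only buys an attacker what that token was scoped for, and every accepted action carries a subject the backend can log and act on. Whether the real EADP tokens looked anything like this is not something the thread tells us.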
It's hard but not impossible. It's more annoying than trying to extract strings out of a minified js file, but far from impossible. There are tools for it (eg. IDA), so you're not searching for credentials amongst anything that vaguely looks like a string.
>and I don't know what else a game dev is supposed to do if their executable needs to authenticate itself with a remote server.
The problem isn't that that the binary has hardcoded credentials, it's that the credentials are privileged.
If the computer can read it, and you have full control of the computer, then you can read it. Physical access is game over. Even if they encrypt it and put the encryption key in an HSM (probably not possible on an arbitrary client's machine anyway), at some point the game is going to decrypt that string and put it in memory. Memory that you can read.
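Several replies above say that string literals in a binary are easy to find, and that the danger is not the hardcoded value but its privilege. As an added example (not from the thread, not from the write-up's author, and not a tool EA or anyone else is known to use), the scanner below does the "strings plus a credential filter" pass a practitioner would run first: it pulls ASCII and UTF-16LE runs out of a byte blob, then flags runs that either carry a credential-like keyword or look like a high-entropy key. The "binary" it scans is constructed inline, including a fake header, padding, a decoy that contains the word "key", and three planted secrets; none of the values are real.

```python
"""Added example (not from the thread): a minimal strings-style scanner with
a credential filter, run over a constructed byte blob. Thresholds, keyword
list and the sample blob are assumptions for illustration."""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Printable ASCII runs of 6+ bytes, and the same for UTF-16LE (char, NUL pairs).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# Deliberately not a bare "key": "Press any key" would otherwise match.
KEYWORD = re.compile(r"(token|secret|password|passwd|api[_-]?key|client[_-]?secret|bearer)", re.I)
# Base64/hex-ish alphabet, long enough to be a key rather than a word.
KEYLIKE = re.compile(r"^[A-Za-z0-9+/=_\-]{32,}$")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption tuned for this demo


@dataclass
class Hit:
    offset: int
    encoding: str
    text: str
    reason: str


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character over the string's own symbol frequencies."""
    if not text:
        return 0.0
    counts: dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_strings(blob: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run found."""
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_RUN.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in UTF16LE_RUN.finditer(blob)]
    return sorted(found)


def credential_reason(text: str) -> str | None:
    """Why a string looks like a credential, or None if it does not."""
    if KEYWORD.search(text):
        return "keyword"
    if KEYLIKE.match(text) and shannon_entropy(text) >= ENTROPY_THRESHOLD:
        return "high-entropy"
    return None


def scan(blob: bytes) -> list[Hit]:
    hits = []
    for offset, encoding, text in extract_strings(blob):
        reason = credential_reason(text)
        if reason:
            hits.append(Hit(offset, encoding, text, reason))
    return hits


def build_sample_binary() -> bytes:
    """Constructed stand-in for a game executable; nothing here is real."""
    filler = bytes(range(0x80, 0x100)) * 4  # non-printable padding
    pieces = [
        b"MZ\x90\x00" + bytes(60),                       # fake DOS header
        filler,
        b"GameClient.exe\x00",
        b"Press any key to continue\x00",                # decoy: has "key", not a credential
        b"https://api.example.invalid/v1/stats\x00",     # endpoint: useful context, not flagged
        b"X-Service-Token: 3f9c2a8e7b1d4c6f9a0b8e7d6c5f4a3b2c1d0e9f\x00",
        filler,
        # UTF-16LE literal, as a C++/.NET wide string would be stored
        "nucleus_client_secret=Qm9iIGFuZCBBbGljZQ".encode("utf-16-le") + b"\x00\x00",
        filler,
        b"Zx9Qa4Lm7Kp2Rt8Vb1Zx9Qa4Lm7Kp2Rt8Vb1\x00",     # no keyword; caught by entropy only
        filler,
    ]
    return b"".join(pieces)


if __name__ == "__main__":
    for hit in scan(build_sample_binary()):
        print(f"0x{hit.offset:06x} {hit.encoding:8s} [{hit.reason}] {hit.text}")
```

On a real binary you would feed it the file bytes and expect noise; the keyword and entropy filters are there to make the candidate list short enough to triage by hand, and the UTF-16LE pass matters because `strings` with default settings misses wide-character literals entirely. The filter is a first pass, not proof: a hit still has to be tried against the backend, and a miss says nothing about credentials assembled at runtime or hidden behind the kind of obfuscation other comments mention.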
I am not a lawyer but I bet a sane judge would have little sympathy for a CFAA claim against your own account
The legally correct way to address throitallaway's problem is to sue EA to recover the money lost. In the US, this would likely qualify to be a small claims suit, which makes it feasible for a normal and nonwealthy person to do. Plus, when taking a large company to small claims court, the company often doesn't even bother to send a representative, in which case you win a default judgement. It's not an amount of money they really care about, and they know you still have to go to the effort to collect on the judgement.
So, like any sane person would, I overnighted an Xbox, installed Battlefield 2042, and waited for the moment of truth...
I was in!
I love hackers <3
From what I remember you need roughly one Blaze instance for 5k/10k players.
Attempting to integrate, ex post facto, infrastructure for a C++ API would return the PSN user id.
BTW, pro-tip when reversing APIs of popular services like this: use GitHub code search! Put some unique endpoint names into it and see what comes up. You’ll often find some kindred spirits who have hacked their own little API clients to do something you never even thought about, but which nevertheless helps you advance along your own quest…
[1] https://www.aftonbladet.se/nyheter/a/bK49Wq/han-kravs-pa-en-...
I legally/ethically/mentally cannot read this article, but if it's not related, there is more work to do.
Not that anyone should do it for EA, but for the collective they've swindled.
Played one of their high profile games daily for a while. It is literally a crap shoot day to day whether something works as in join a game.
Imagine the same on a big cloud. Oh sorry S3 storage...not happening today. We're just having an off day and decided we're not doing S3 today.
...that's how the gaming industry rolls. In infra world people would just laugh because it isn't a plausible scenario but in EA consumer world people call it Tuesday.
I assume they test in prod on their billion dollar title because it sure felt like a daily stream of nightly builds.
Can't believe that circus has a market cap of 40bn. You kidding me? Their launcher barely does what it says on the tin reliably - launch things