Full Report
Bug bounty is great for finding bugs that span multiple products at a company and have massive impact. This is one of those vulnerabilities, on Electronic Arts. At the beginning of the article, they got access to one of EA's development environments for EA Desktop by finding a privileged access token in a game's executable. But they had no idea what this token was used for or what they could do with it, so they decided to scan for API documentation to see what it could reach. On /connect, they got a 404 HTML page with a server response that made it clear this was a reverse proxy. When connecting to /connect/api-docs, no data was returned, which indicated that a different service must exist behind it. After some more fuzzing, they got a Swagger file with some unexpected docs.

EA Desktop has a GraphQL API called the Service Aggregation Layer that combines multiple backend APIs into one. The api-docs did not work on this site, though, hiding a lot of routes. When querying the testing environment instead, the routes were returned, giving them much more to work with. More recon! This API required a specific OAuth scope. After searching around, they found some creds that worked. After fiddling around for hours, they started messing around with the /identity/pids/{pidId}/personas/{personaId} API. What's a persona? It seems to be extended account information and settings like displayName. Given that they could update their own status to banned or unbanned, this access seems to have been intentional. One of the fields was pidId, the account ID that the persona belongs to. They decided to update this to their friend's account ID and their Steam ID. Shockingly, this worked, and they had successfully gotten access to an EA account that wasn't theirs! Unfortunately, 2FA blocked the account takeover, so now what? To work around this limitation, they could go the other direction: instead of adding another Steam ID to their persona, they could add another persona to their Steam ID!

This gave them the ability to ban players, steal usernames and other things. Still, 2FA was in the way, and it turned out to be a trusted-network check. Eventually, they figured out a way around the trusted network. First, move an Xbox persona to another account that is trusted on your network. Next, log into an EA game on an Xbox using this account. Finally, log in to the victim's account from your network, since it is now trusted from the persona step. This leads to a complete account takeover, which is wild! With anything in life that is first come, first served, you need to do something better than everyone else; this is where the real work is. In this case, the author of this post really did his homework on recon to open up attack surface that others had not seen. The understanding of the underlying system needed to exploit this was pretty wild and time-consuming as well. Awesome bug report!
Analysis Summary
# Incident Report: Unauthorized Access and Account Takeover of Electronic Arts Accounts (via EA Desktop Vulnerability)
## Executive Summary
A security researcher discovered a severe vulnerability stemming from a privileged access token found within an EA Desktop executable. This led to the discovery of an exploitable GraphQL API endpoint that allowed unauthorized modification of account personas, including banning users and updating account attributes. The multi-step exploit chain ultimately permitted a complete takeover of target EA accounts, bypassing even 2FA through a "trusted network" manipulation technique.
## Incident Details
- Discovery Date: Unknown (Reported via Bug Bounty)
- Incident Date: Unknown
- Affected Organization: Electronic Arts (EA)
- Sector: Gaming/Technology
- Geography: Global (Affecting EA services)
## Timeline of Events
### Initial Access
- Date/Time: Undetermined
- Vector: Vulnerable executable file
- Details: Attackers obtained a privileged access token from an Electronic Arts (EA) game executable shipped with EA Desktop.
### Lateral Movement
- Date/Time: Undetermined
- Vector: API Reconnaissance and Fuzzing
- Details:
1. Scanned for API documentation using the found token, identifying a reverse proxy at `/connect`.
2. Fuzzed endpoints to discover a hidden Swagger file revealing a GraphQL API known as the Service Aggregation Layer.
3. Determined the API required a specific OAuth scope, which was subsequently found (using unknown credentials).
4. Identified the API endpoint `/identity/pids/{pidId}/personas/{personaId}`.
### Exploitation & Impact
- Date/Time: Undetermined
- Vector: Direct API manipulation leading to Account Takeover (ATO)
- Details:
1. Initial exploitation allowed modification of persona data, including setting a user's status to banned/unbanned, and retrieving the internal Account ID (`pidId`).
2. **Account Impersonation:** The researcher successfully updated their own persona to use a victim's account ID/Steam ID, gaining unauthorized access to the victim's EA account (blocked by 2FA).
3. **Privilege Escalation (Persona Management):** The focus shifted to adding a *victim's* persona (and associated account status) to the researcher’s *own* Steam ID, gaining permissions like banning players and stealing usernames.
4. **2FA Bypass:** The final step involved bypassing 2FA by leveraging a "trusted network" established through a convoluted process: moving an Xbox persona associated with the victim's account to a researcher-controlled account already trusted on the attacker's network, which subsequently "trusted" the victim's account upon login.
### Detection & Response
- Date/Time: Undetermined (Vulnerability reported via Bug Bounty program)
- Details: The incident was disclosed through the bug bounty program, meaning detection was internal to the researcher, not an active intrusion defense system. No immediate organizational response actions are specified other than the successful reporting of the bug.
## Attack Methodology
- **Initial Access:** Privileged access token extracted from EA Desktop executable.
- **Persistence:** Not explicitly detailed, but exploitation relied on session access granted by the token.
- **Privilege Escalation:** Exploiting the GraphQL API to modify account attributes (persona data) that conferred administrative rights (e.g., banning) and allowed account linking/takeover capabilities.
- **Defense Evasion:** Bypassing Two-Factor Authentication (2FA) by manipulating the "Trusted Network" mechanism via persona migration across accounts.
- **Credential Access:** Credentials granting the required OAuth scope were necessary to access the primary API; they were found through "searching around."
- **Discovery:** Extensive API reconnaissance, endpoint fuzzing, examining 404/API documentation responses, and comparing testing environment documentation to production.
- **Lateral Movement:** Moving from initial token access to gaining administrative privileges over user accounts via trusted network status manipulation.
- **Collection:** Discovery of user settings, display names, and the ability to manage account status (ban/unban).
- **Exfiltration:** Complete account takeover capability achieved.
- **Impact:** Unauthorized access and control over user accounts, including the ability to ban users.
## Impact Assessment
- **Financial:** Not specified, likely internal remediation costs and potential future regulatory fines.
- **Data Breach:** Access to extended account information (personas) and potential for service disruption (banning users).
- **Operational:** Severe risk to service integrity and user trust due to full account takeover capability.
- **Reputational:** High potential for reputational damage given the severity of the account takeover vector discovered.
## Indicators of Compromise
- **Network Indicators (Defanged):** Any requests to `/connect`, `/connect/api-docs`, or unusual GraphQL queries executed against the Service Aggregation Layer API endpoints, particularly those referencing `/identity/pids/{pidId}/personas/{personaId}`.
- **File Indicators:** The original finding involved reading a specific EA Desktop games executable file for the token.
- **Behavioral Indicators:** Unusually high volume of API calls against personal identity/persona management endpoints; rapid sequence of Xbox game logins followed by PC logins attempting to leverage network trust status.
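The behavioral indicators above can be turned into a simple log-triage rule. This is an added example, not code from the original report or from EA: it runs over constructed access-log lines in an assumed `timestamp token method path status` format and flags tokens that write to persona routes across many distinct `pidId` values, issue an unusual volume of persona writes, or repeatedly probe `/connect` documentation paths; the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample log in an assumed "ts token method path status" format.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z tokA GET /identity/pids/1001/personas/5001 200
2024-01-01T10:00:02Z tokA PUT /identity/pids/1001/personas/5001 200
2024-01-01T10:00:03Z tokB PUT /identity/pids/2002/personas/6001 200
2024-01-01T10:00:04Z tokB PUT /identity/pids/2003/personas/6002 200
2024-01-01T10:00:05Z tokB PUT /identity/pids/2004/personas/6003 200
2024-01-01T10:00:06Z tokB PUT /identity/pids/2005/personas/6004 200
2024-01-01T10:00:07Z tokC GET /connect 404
2024-01-01T10:00:08Z tokC GET /connect/api-docs 404
2024-01-01T10:00:09Z tokC GET /connect/swagger.json 404
"""

LINE = re.compile(r"^(\S+) (\S+) (GET|PUT|PATCH|POST|DELETE) (\S+) (\d{3})$")
PERSONA = re.compile(r"^/identity/pids/(?P<pid>[^/]+)/personas/(?P<persona>[^/]+)$")

def analyze(log_text, max_distinct_pids=2, max_writes=3, max_doc_probes=2):
    """Return {token: [reasons]} for tokens whose activity matches the page's
    behavioral indicators: persona writes spread over many accounts, a high
    volume of persona writes, or repeated 404s on /connect documentation paths."""
    writes, pids, probes = defaultdict(int), defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the triage run
        _ts, token, method, path, status = m.groups()
        if path.startswith("/connect") and status == "404":
            probes[token] += 1
        pm = PERSONA.match(path)
        if pm and method != "GET":
            writes[token] += 1
            pids[token].add(pm["pid"])
    findings = {}
    for token in set(writes) | set(probes):
        reasons = []
        if len(pids[token]) > max_distinct_pids:
            reasons.append(f"persona writes across {len(pids[token])} distinct pidIds")
        if writes[token] > max_writes:
            reasons.append(f"{writes[token]} persona writes")
        if probes[token] > max_doc_probes:
            reasons.append(f"{probes[token]} probes of /connect documentation paths")
        if reasons:
            findings[token] = reasons
    return findings

if __name__ == "__main__":
    for token, reasons in sorted(analyze(SAMPLE_LOG).items()):
        print(token, "->", "; ".join(reasons))
```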
## Response Actions
*Note: As this was a bug bounty disclosure, formal remediation details are not in the summary, but these are inferred necessary actions.*
- **Containment:** Immediate disabling or restrictive access controls on the vulnerable GraphQL Service Aggregation Layer API, especially the persona management routes.
- **Eradication:** Patching the API logic to ensure persona updates are strictly authorized and restricted only to the owning account ID. Revoking leaked privileged tokens used for initial access.
- **Recovery:** Auditing all accounts affected by potential unauthorized persona modifications (e.g., any manually banned accounts). Resetting 2FA trust statuses where vulnerability was exploited.
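The core defect in the persona API, and the eradication step above, can be shown side by side. This is an added, constructed model rather than EA's code: a "before" handler that applies any field the client sends (including `pidId`, which re-homes the persona onto another account) with no ownership check, and an "after" handler that verifies the caller owns the persona and allow-lists the fields a client may change; the names `Persona`, `sample_store`, `update_persona_*` and the field set are assumptions.

```python
from dataclasses import dataclass, replace

class AuthError(Exception):
    """Raised when the caller may not apply the requested persona change."""

@dataclass(frozen=True)
class Persona:
    persona_id: str
    pid_id: str              # id of the account that owns this persona
    display_name: str
    status: str = "active"   # "active" or "banned"

# Wire field name -> attribute. pidId and status are server-controlled:
# re-homing a persona and banning are not operations a client may perform.
FIELDS = {"pidId": "pid_id", "displayName": "display_name", "status": "status"}
CLIENT_MUTABLE = {"displayName"}

def sample_store() -> dict:
    """Constructed data: persona p1 belongs to account A, p2 to account B."""
    return {"p1": Persona("p1", "A", "alice"), "p2": Persona("p2", "B", "bob")}

def update_persona_vulnerable(store, caller_pid, persona_id, patch):
    """Before: no ownership check and every field is writable (mass assignment).
    caller_pid is received but never consulted."""
    p = store[persona_id]
    store[persona_id] = replace(p, **{FIELDS[k]: v for k, v in patch.items()})
    return store[persona_id]

def update_persona_hardened(store, caller_pid, persona_id, patch):
    """After: the persona must belong to the caller, and only allow-listed
    fields may change; the ownership field itself is never client-settable."""
    p = store[persona_id]
    if p.pid_id != caller_pid:
        raise AuthError("persona is not owned by the caller")
    rejected = set(patch) - CLIENT_MUTABLE
    if rejected:
        raise AuthError(f"client may not set: {sorted(rejected)}")
    store[persona_id] = replace(p, **{FIELDS[k]: v for k, v in patch.items()})
    return store[persona_id]

if __name__ == "__main__":
    # Account A tries to take over account B's persona and mark it banned.
    print(update_persona_vulnerable(sample_store(), "A", "p2", {"pidId": "A", "status": "banned"}))
    try:
        update_persona_hardened(sample_store(), "A", "p2", {"pidId": "A"})
    except AuthError as e:
        print("blocked:", e)
```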
## Lessons Learned
- **Deep Reconnaissance Pays Off:** The success hinged on deep, methodical reconnaissance (fuzzing, comparing environments) that exposed documentation hidden from standard inspection.
- **Privileged Tokens Must Be Secured:** Tokens embedded in executables, even if intended for development, pose an extreme risk if they grant access to critical backend services.
- **Abstraction Risks:** API aggregation layers (like GraphQL in this case) can hide dangerous endpoints if documentation or access controls are incomplete across the aggregated services.
- **Trust Mechanisms Require Scrutiny:** System trust mechanisms (like "trusted network" status) can introduce catastrophic security holes if they rely solely on network context rather than strong, persistent identity verification after initial entry.
## Recommendations
- **Token Management:** Implement strict lifecycle management for tokens used in distribution packages; tokens should have extremely limited scope and short expiration times, or not be present in client executables at all.
- **API Governance:** Implement rigorous access control validation on internal APIs, ensuring endpoints designed only for administrative use (like persona management) are not reachable via token/scope combinations intended for standard client usage.
- **2FA Hardening:** Re-evaluate the criteria for establishing "trusted network" status. This should require stronger verification checks (e.g., re-authentication or MFA prompt) if used to bypass existing 2FA controls.
- **Environment Parity:** Ensure development/testing environments do not inadvertently expose documentation (like Swagger files) that reveal routing structures not intended for public configuration.