
Security companies demonstrate subdomain hijack exploit against EA / Origin



Israeli security firms Check Point and CyberInt have teamed up this week to find, exploit and demonstrate a nasty security hole that allows attackers to hijack player accounts in EA / Origin's online games. The exploit chains together several classic types of attack – phishing, session hijacking, and cross-site scripting – but the main flaw that makes the whole attack work is poorly maintained DNS.

This short video clip takes you through the process: phishing a victim, stealing their account token, accessing their account, and even buying in-game items with their saved credit card. (You may want to mute before pressing the play button; the background music is loud and unpleasant.)

If you have a reasonable eye for infosec, most of the video speaks for itself. The attacker phishes a victim via WhatsApp to click on a dubious link, the victim clicks on the shiny link and is compromised, and the stolen credentials are then used to do damage to the victim's account.

What makes this attack different – and far more dangerous – is that the attacker controls a website hosted on a valid, working subdomain of ea.com. Without a real subdomain, the victim would have had to enter a password into a fake EA portal as part of the attack, which would have immensely increased the likelihood of the victim noticing the fraud. The working subdomain instead enabled the attacker to retrieve the authentication token from an existing active session and exploit it directly and in real time.

Speaking today with Alex Peleg of CyberInt and Oded Vanunu of Check Point in a conference call, the thing I really wanted to know was: how did you even get control of this EA subdomain? According to the two researchers, this is a fairly common mistake. A big company launches a new marketing campaign, uses a development team to do the necessary programming, and gives the team a new subdomain – like eaplayinvite.ea.com – to run the campaign. The development team launches new instances in AWS, Google Cloud, or a similar vendor and then uses a CNAME record to point the corporate subdomain at an A record on the provider's own hostname. When the marketing campaign ends, the AWS or other cloud instance is shut down … but no one tells the team that manages the company's main domain to remove the CNAME record. This is where things go sideways.

[Image: Using the DNS command-line tool dig, you can find out all sorts of interesting things about a fully qualified domain name. Credit: Jim Salter]

An attacker interested in the company may notice that a new subdomain has appeared, and then use the dig tool to check how it is hosted. If it points to a cloud provider's internal DNS name, the attacker simply waits for the marketing campaign to finish. Once the URLs involved in the campaign no longer work, the attacker digs the subdomain again – if the original CNAME is still intact, they are in business. Next, the attacker uses a separate account with the same cloud provider and requests the same provider-side DNS name that the campaign originally used.

At this point, the original CNAME points to the attacker's website, not a website controlled by the actual company. Equipped with a working subdomain of the company's real domain, the attacker can capture (and set) cookies belonging to the company's users. This allows for immediate attacks against victims who use the company's services.
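The defensive counterpart to the dig check described above is to audit your own zone for CNAME records whose targets no longer resolve, since those are the records a third party could re-register at the provider. The script below is an added, hypothetical example (not EA's or the researchers' tooling); the zone data, hostnames and answer set are constructed so it runs offline, and `live_resolves` is the real check you would plug in for an operational run.

```python
"""Audit a zone export for dangling CNAME targets (the precondition for the
subdomain takeover described in the article). Hypothetical helper."""
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample zone export: owner name -> (record type, record data).
# The first record mirrors the article's scenario: a campaign subdomain whose
# CNAME still points at a cloud hostname that has since been released.
SAMPLE_ZONE: Dict[str, Tuple[str, str]] = {
    "eaplayinvite.example.com.": ("CNAME", "campaign-2019.cloudapp.example."),
    "www.example.com.":          ("CNAME", "edge-lb.example.net."),
    "api.example.com.":          ("A", "203.0.113.10"),
}

# Constructed answer set for the offline run: names the public resolver still
# answers for. The released campaign host is deliberately absent (NXDOMAIN).
SAMPLE_ANSWERS = {"edge-lb.example.net."}


def live_resolves(name: str) -> bool:
    """Operational check: True if the name currently has an A/AAAA answer."""
    try:
        socket.getaddrinfo(name.rstrip("."), None)
        return True
    except socket.gaierror:
        return False


def find_dangling_cnames(zone: Dict[str, Tuple[str, str]],
                         resolves: Callable[[str], bool]) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs whose CNAME target no longer resolves.

    Only CNAME records are examined: an A record pointing at a dead address
    cannot be claimed by someone else at the provider, but an alias to a
    released provider hostname can."""
    dangling: List[Tuple[str, str]] = []
    for owner, (rtype, rdata) in zone.items():
        if rtype != "CNAME":
            continue
        if not resolves(rdata):
            dangling.append((owner, rdata))
    return dangling


if __name__ == "__main__":
    # Swap the lambda for live_resolves to audit a real zone export.
    for owner, target in find_dangling_cnames(SAMPLE_ZONE, lambda n: n in SAMPLE_ANSWERS):
        print(f"DANGLING: {owner} -> {target}  (remove or re-point this record)")
```

Every record the audit flags should be deleted or re-pointed before the provider-side name is released, not after.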

In this case, Alex and Oded launched a phishing attack over WhatsApp, but a more enterprising attacker could instead have launched a watering-hole attack. Imagine a serious attacker buying HTML-enabled ads from a banner farm that targets EA gamers specifically. The ad could open an invisible iframe on the hijacked subdomain, and such an iframe could automatically retrieve the authentication tokens of every logged-in player without the user having to do anything at all.

There are countless possibilities.

According to Alex and Oded, the kind of oversight seen here at EA / Origin is depressingly common in big companies. DevOps teams do not talk to infosec teams, nor to the more traditional operations teams that manage core services such as company-wide DNS, and things fall through the cracks. The researchers – and their companies – hope that public demonstrations like this one will wake up big companies, break down silos, and ultimately make end-user accounts less vulnerable to hijacking.

Listing image by Yosa Buson
