
EA ignored domain vulnerabilities for months


Lox

Gaming giant Electronic Arts is facing even more criticism from the cybersecurity industry after ignoring warnings from cybersecurity researchers in December 2020 that multiple vulnerabilities left the company severely exposed to hackers.

Officials from Israeli cybersecurity firm Cyberpion approached EA late last year to inform them of multiple domains that could be subject to takeovers as well as misconfigured and potentially unknown assets alongside domains with misconfigured DNS records.

But even after sending EA a detailed document about the problems and a proof of concept, Cyberpion co-founder Ori Engelberg told ZDNet that EA did nothing to address the issues.

Engelberg said EA responded with an acknowledgment of receiving the information on these vulnerabilities and said they would contact Cyberpion if they had any additional questions. But they never did.

.... But before the breach through Slack, Engelberg and his team had repeatedly warned EA that at least six -- now more than 10 according to Engelberg -- vulnerabilities left multiple domains and other assets free for the taking.

Domains like occo.ea.com were vulnerable to takeover and the Cyberpion team found 15 EA sites -- like wwe-forums.ea.com, api.pogo.com, and api.alphe.pogo.com -- serving login pages over HTTP.

Stats.ea-europe.com serves a mismatched certificate and its DNS record points to an IP address of a non-EA site while easportsfootball.it as well as easoweb01.ea.com serve certificates that expired seven and nine years ago, respectively.

read more (zdnet)
 