Bug bounty is great for finding bugs that span multiple products at a company and have massive impact. This is one of those vulnerabilities, on Electronic Arts. At the beginning of the article, the researchers got access to one of EA's development environments for EA Desktop by finding a privileged access token in a game's executable. But they had no idea what this token was used for or what they could do with it.
They decided to scan for API documentation to see what this token could do. On /connect, they got a 404 HTML page with a server response that made it clear this was a reverse proxy. When connecting to /connect/api-docs, no data was returned, which indicated that a different service must exist there. After some more fuzzing, they got a swagger file with some unexpected docs.
EA Desktop has a GraphQL API called the Service Aggregation Layer that combines multiple backend APIs into one. The api-docs did not work on this site, though, hiding a lot of routes. When querying the testing environment, the routes were returned, giving much more to work with. More recon!
This API required a specific OAuth scope. After searching around, they found some credentials that worked. After fiddling around for hours, they started looking at the /identity/pids/{pidId}/personas/{personaId} API. What's a persona? It seems to be extended account information and settings such as displayName. Given that they could update their status to be banned or unbanned, this access seems to have been intentional.
One of the fields was pidId, the account ID associated with this persona. They decided to update this to their friend's account ID and their Steam ID. Shockingly, this worked, and they had successfully gotten access to an EA account that wasn't theirs! Unfortunately, 2FA blocked the account takeover, so now what?
To work around this limitation, they could go the other direction! Instead of adding another Steam ID to their persona, they could add another persona to their Steam ID! This gave them the ability to ban players, steal usernames and more. Still, 2FA remained in the way... it was based on trusted networks.
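To make the missing check concrete, here is an added toy model (not EA's code, nor code from the original report) of the persona update handler behind the two passages above: a version that applies a client-supplied pidId with no ownership check, beside a hardened version that requires the caller to own the persona and keeps the account link out of the client-writable field set. The store layout, function names and account IDs are constructed for the example.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not perform the requested update."""


@dataclass
class Persona:
    persona_id: str
    pid_id: str        # account (pid) this persona is linked to
    display_name: str
    status: str = "ACTIVE"


# Fields a persona's owner may edit; the account link (pid_id) is not one of them.
CLIENT_WRITABLE = {"display_name", "status"}


def make_store():
    """Constructed sample data: three accounts, one persona each."""
    return {
        "p-100": Persona("p-100", "pid-alice", "alice"),
        "p-200": Persona("p-200", "pid-bob", "bob"),
        "p-300": Persona("p-300", "pid-mallory", "mallory"),
    }


def update_persona_vulnerable(store, caller_pid, persona_id, changes):
    """Models the bug: caller_pid is never consulted and every field, pid_id
    included, is taken from the request body, so a persona can be re-linked
    to any account in either direction."""
    persona = store[persona_id]
    for field_name, value in changes.items():
        setattr(persona, field_name, value)
    return persona


def authorize_update(store, caller_pid, persona_id, changes):
    """Returns None if the update is permitted, else the reason it is denied."""
    persona = store.get(persona_id)
    if persona is None or persona.pid_id != caller_pid:
        # Same answer for missing and foreign personas: no existence oracle.
        return "persona not found for caller"
    blocked = sorted(set(changes) - CLIENT_WRITABLE)
    if blocked:
        return f"field(s) not client-writable: {blocked}"
    return None


def update_persona_fixed(store, caller_pid, persona_id, changes):
    """Hardened handler: ownership check plus an allow-list of fields, so
    re-homing a persona needs a separate, verified linking flow."""
    reason = authorize_update(store, caller_pid, persona_id, changes)
    if reason is not None:
        raise Forbidden(reason)
    persona = store[persona_id]
    for field_name, value in changes.items():
        setattr(persona, field_name, value)
    return persona
```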
Eventually, they figured out a way around the trusted network. First, move an Xbox persona to another account that is trusted on your network. Next, log into an EA game on an Xbox using this account. Finally, log into the victim's account on your network, since it is now trusted from the persona step. This leads to a complete account takeover, which is wild!
With anything in life that is first come, first served, you need to do something better than everyone else - this is where the real work is. In this case, the author of this post really did his homework on recon to open up new attack surfaces that others had not seen. The understanding of the underlying system needed to exploit this was pretty wild and time-consuming as well. Awesome bug report!