EA fixes auto-login URL bug which allowed access to Origin user account settings

EA pushed out an update to Origin earlier this month to fix a bug which allowed third-parties to collect user information from the settings pane via the EA Origin auto-login URL.

The bug made it possible to access account data when users logged into to their Origin client and requested to edit their account on EA.com.

When a user requests access in this manner, an auto-login URL pops up with a "token that is basically the equivalent of your active username and password."

The researcher, who goes by the name Beard online, explained an attacker could use this auto-login URL to gain user information through the settings panel. This not only includes the player's actual name, but the last four digits of their credit card, phone number, and other account information.

Beard noted some of the information could prove useless to the hacker, unless the party was able to guess the Origin user's security question and take over the account.

The danger with this bug was more prevalent when Origin users were logged into the client using an unsecured WiFi public network. Public networks used as an example included internet cafes, gaming conventions and esports competitions.

"I originally discovered the bug on October 1," Beard told ZDNet in an interview.

"If you're on an unsecured network or WiFi hotspot; like at a cafe or hotel, someone can easily grab these token auto-login URLs and basically log in as the end user who requested these token links."

Beard noted login tokens are usually tied to a user's IP address or stored cookie, but this was "not the case" with the EA Origin auto-login URL.

When reached for comment, an EA spokesperson confirmed the fix was applied in early November, and it had not found any instances of unauthorized use or access to subscriber data.