Forum Discussion

IvanDoomer
Seasoned Newcomer
30 days ago

Security Vulnerability Submission refused by EA

I am a victim (along with some other guys here on Reddit) of an (automated?) attack exploiting a vulnerability regarding EA accounts and validated email addresses.

Basically, if you change your account email address, your old address remains validated in the EA database; anyone can create a new account using this address and it does not require any validation. The attacker can carry out any activity, like playing online with cheats, scams, or phishing, without impact until it's banned.

I reported the issue to https://www.ea.com/security/disclosure but I got an answer that it's not a security disclosure.

I also contested the ban (as I retain access to my old email address, I was able to reset the password and open the ticket), but it was refused. Of course, they do not even consider that it was a sec vulnerability.

So, be aware: if you change your EA email address, create a new account using your old address and leave it abandoned so that it cannot be used/exploited.
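The following is an added example, not part of the original post and not EA's code. It models the behaviour the post describes (verification remembered per address) next to a design where verification belongs to one account-and-address binding and is discarded on an email change. All class and method names are hypothetical, and the weak model is an assumption built only from the post's description.

```python
import secrets

class WeakRegistry:
    """Assumed model of the reported behaviour: verification tracked per address."""
    def __init__(self):
        self.accounts = {}        # account_id -> current email
        self.verified = set()     # every address ever verified, never pruned

    def register(self, account_id, email):
        self.accounts[account_id] = email
        return email in self.verified   # True: treated as verified, no mail sent

    def confirm(self, account_id):
        self.verified.add(self.accounts[account_id])

    def change_email(self, account_id, new_email):
        self.accounts[account_id] = new_email   # old address stays in self.verified


class HardenedRegistry:
    """Verification is a property of one (account, address) binding."""
    def __init__(self):
        self.accounts = {}   # account_id -> {"email", "verified", "token"}

    def _bind(self, account_id, email):
        for other_id, acct in self.accounts.items():
            if other_id != account_id and acct["email"] == email:
                raise ValueError("address already bound to another account")
        token = secrets.token_urlsafe(16)   # would be mailed to `email`
        self.accounts[account_id] = {"email": email, "verified": False, "token": token}
        return token

    def register(self, account_id, email):
        return self._bind(account_id, email)

    def change_email(self, account_id, new_email):
        # The old binding and its verified status are discarded together.
        return self._bind(account_id, new_email)

    def confirm(self, account_id, token):
        acct = self.accounts[account_id]
        if secrets.compare_digest(acct["token"], token):
            acct["verified"] = True
        return acct["verified"]

    def is_verified(self, account_id):
        return self.accounts[account_id]["verified"]
```

In the hardened model, a new account registered with a released address starts unverified and stays that way until someone with access to that mailbox presents the fresh token.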

4 Replies

  • EA_Darko
    Community Manager
    30 days ago

    Hey IvanDoomer, if you received a reply that it was not something that the security team recognises as a concern then this would be the case.

    What you are describing sounds less like a security issue on the EA side but rather an issue with your email being compromised. 

    Have you spoken with your email provider to ensure that you are the only one who has access to it?

    Darko

  • IvanDoomer
    Seasoned Newcomer
    2 days ago

    Hi EA_Darko, I am an IT Sec guy with 25+ years of experience. My mailbox is not compromised, and it's clear that we are talking about a weakness in the email address verification workflow. Your sec team is not prepared to identify and work on sec issues, sorry.

  • vmwlj1odjym3
    Rising Newcomer
    2 days ago

    Hi EA_Darko, I have the same problem. I’ve never had an EA account, but I just got a message saying I was blocked. I restored access using "Forgot password" and found out that my email was already verified. My mailbox has 2FA enabled, and I didn’t see any other sessions there. So, I agree with IvanDoomer that EA has a security weakness.
    I don’t expect much from EA about a solution. I know you may never admit it and can still claim everything is fine, but the fact is that there is a problem.

  • EA_Darko
    Community Manager
    2 days ago

    Issues with security on your email are something that you will need to address yourself.

    That our team got your report and investigated it without taking any further action would mean that they did not find any issue.

    Darko
