According to Cyber News, game-developer-turned-white-hat Sean Kahler uncovered a vulnerability in Electronic Arts’ (EA) account system that allowed any of the company’s roughly 700 million user accounts to be accessed without authorization—including detailed game statistics.
The flaw began with hard-coded credentials Kahler found in “an executable belonging to a certain game.” Using those credentials, he obtained a privileged access token inside EA’s developer testing environment. After scanning exposed documentation and poking around, Kahler located an internal service whose API endpoints were publicly reachable.
This internal API governs the “persona” objects that represent individual player profiles. Kahler first demonstrated impact by changing an account’s state to “banned,” instantly locking its owner out of every EA game. The same API also permitted linking a Steam account to any EA account.
Kahler then realized the full scope: if he could transfer his own linked account to any EA account he chose, he could simply log in through that linked account and gain full control of the target EA account. Repeating the trick with an Xbox account let him log into another user’s games—such as Battlefield 2042—from a console without ever supplying a password or second factor.
In short, the exposed API let an attacker:
- Steal usernames and game data
- Move their Xbox (or other platform) persona into a victim’s EA account and log in as that user
- Change usernames, ban or un-ban accounts, block players from titles, or lift suspensions—all without any user interaction
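As an added illustration, not EA's code and not part of Kahler's published findings, the following constructed Python model shows the authorization gap the article describes: a persona-link operation that checks only for a privileged token, beside a hardened version that rejects tokens from the developer test environment, binds the operation to the caller's own account, and refuses to attach a platform identity that another account still holds. All class, field and scope names here are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical model of a persona-linking service, constructed for this
# illustration; nothing here is EA code or reflects its real API.

@dataclass(frozen=True)
class Token:
    subject: str          # account the token was issued to
    environment: str      # "test" (developer environment) or "prod"
    scopes: frozenset     # e.g. {"persona.write"}

@dataclass
class PersonaService:
    # account id -> {platform name: platform identity} (constructed sample data)
    links: dict = field(default_factory=lambda: {
        "victim": {"xbox": "xbl-victim"},
        "attacker": {"xbox": "xbl-attacker"},
    })

    def link_platform_unchecked(self, token, target_account, platform, platform_id):
        # "Before": any bearer of a privileged token may attach any platform
        # identity to any account; the target account's owner is never consulted.
        if "persona.write" not in token.scopes:
            raise PermissionError("missing scope")
        self.links.setdefault(target_account, {})[platform] = platform_id

    def link_platform(self, token, target_account, platform, platform_id):
        # "After": the token must belong to this environment, the caller may
        # only modify the account it was issued for, and a platform identity
        # may not be attached while another account still holds it.
        if token.environment != "prod":
            raise PermissionError("token from another environment")
        if "persona.write" not in token.scopes:
            raise PermissionError("missing scope")
        if token.subject != target_account:
            raise PermissionError("caller does not own target account")
        for account, platforms in self.links.items():
            if account != target_account and platforms.get(platform) == platform_id:
                raise PermissionError("platform identity already linked elsewhere")
        self.links.setdefault(target_account, {})[platform] = platform_id

    def accounts_for_login(self, platform, platform_id):
        # Accounts a platform sign-in (e.g. from a console) would resolve to; more
        # than one result means the platform identity now opens a foreign account.
        return sorted(a for a, p in self.links.items() if p.get(platform) == platform_id)
```

With the unchecked variant, a test-environment token issued to "attacker" can attach the attacker's Xbox identity to "victim", so a console sign-in with that identity resolves to both accounts; the hardened variant rejects that request on the environment check alone.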
Kahler responsibly disclosed the vulnerability to EA on 16 June 2024. EA acknowledged the issue, rated it critical, and rolled out a series of five patches between 7 July and 8 October 2024 to eliminate the flaw.