Daily cyber threats and internet security news: network security, online safety and latest security alerts
June 2nd, 2008

Multiple Cross-Site Scripting Vulnerabilities on EA Websites

Multiple cross-site scripting (XSS) vulnerabilities threaten Electronic Arts  (EA) gamers due to a flaw on EA main website and numerous sub domains which inlcude profile and customer support areas. Malicious users might initiate series of phishing attacks, spam fake links and use these flaws to steal sensitive personal data such as authentication and payment credentials, game account passwords and also infect PCs with malware.

Although EA’s is a TRUSTe ( certified customer, there are old unfixed flaws that were reported long ago. TRUSTe is an independent website privacy monitor and it’s seal supposed to assure EA users of safety and security of their personal data.

Vulnerable EA websites include:
/scripts/”><script>alert(‘XSS’)</script> #2:
somepic.jpg%3E%3C/marquee%3E POST action=
linkcontinue&[email protected]&password=XSS&
account=0&migrateusername=%5BLjava.lang. String%3B%
%22% 2F%3E&migratepassword=&account=xbox&
src%3Dhttp%3A%2F%2Fgoogle.c om%3E%3C%2Fiframe%3E%3C
%3F%2F%3E&migratepassword=&acc ount=

Based on reports from XSSed. Credit for the discovery and report of these vulnerabilities to XSSed: Shocker<-at->, C1c4Tr1Z, mox, koolkeith12345, The Milk Man, x2Fusion, Arham Muhammad and Harry Sintonen.

Clarification (June 10): TRUSTe ensures certified privacy rather than protection against hacking or XSS. Consumers are able to rely on the TRUSTe certification and TRUSTe dispute resolution for any privacy issues they are having on websites that bear the TRUSTe seal. Security vulnerabilities fall outside the scope of what TRUSTe monitors.

Share this item with others:

More on CyberInsecure:
  • Apple Patches Multiple Vulnerabilities In Safari 3.1.1
  • Vulnerabilities In Both Principal London Mayoral Election Candidates Websites
  • Drupal Multiple XSS and Request Forgery Vulnerabilities
  • Hacked Obama Site Redirects Visitors to Clinton’s Site
  • Cross-site Scripting Vulnerability On Yahoo’s HotJobs Site Exposes Yahoo Accounts

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Multiple Cross-Site Scripting Vulnerabilities on EA Websites

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.