Yesterday, a vulnerability in the E3 website was publicly detailed by a third party. The ESA, however, says that it was been aware of the issue and has taken immediate action to avoid any confusion.
Back in 2019, a vulnerability in the E3 website resulted in the personal information of more than 2,000 members of the media being leaked to the public. The Electronic Software Association — the organization that runs E3 — was condemned for the security vulnerability and the organization pledged to ramp up its security going forward; our first hints of these improvements were revealed in a leak last year.
Concerns about the site’s security came to mind yet again when a ResetEra thread detailed a new potential issue. According to that thread, Electronic Arts’ “Red Team” had left its calling card on the E3 website. A Red Team is a group of security researchers that deliberately tries to break into a secure facility or website for the purposes of discovering (and ultimately fixing) any vulnerabilities.
In this instance, EA’s Red team left its logo on the area of the website in question to prove that it was able to break in — and man, does it look cool.
The vulnerability in question could potentially allow a subdomain takeover attack. In layman’s terms, this would mean that a malicious third party couldn’t take over “e3expo.com”, but they could take over something like “subdomain.e3expo.com” and use it for whatever nefarious purposes they’d like to.
The ResetEra thread notes that the subdomains admin.e3expo.com and vip.e3expo.com had been marked with the logo of EA’s Red Team, signaling that they were able to break into these portions of the E3 website. What this means is that it appeared there still was a potential vulnerability on the website as of yesterday, but it looks like this issue has now been resolved.
ESA Addresses E3 Website Vulnerability Discovered by EA’s Red Team
We reached out to the ESA about this E3 website vulnerability. To their credit, the organization responded with a statement (and more importantly, tangible action) in just a few short hours. It should be noted that much of the organization had time off for President’s Day 2021.
Here’s what the ESA had to say about this particular issue:
The ESA continues to enhance its security processes across the organization, which includes working regularly with its members and outside experts to ensure data and information security are a top priority. This is just an example of that process at work. This potential vulnerability was identified last fall and immediately resolved. The subdomains referenced in the forum pose no existing threats. To avoid any further confusion, we will immediately delete these subdomain folders.
This particular subdomain takeover vulnerability does not appear to have been an actual threat — after all, a Red Team discovered it and almost certainly reported it to the organization, allowing the ESA’s website team to fix the underlying problem. The subdomains captured by the Red Team now lead to blank pages now as per the ESA’s statement.
ESA’s response was quick and the involvement of EA’s Red Team shows that it’s making serious efforts to enhance its security. Website security is an ongoing battle, and the ESA’s actions here show a serious commitment to resolving the issues that led to 2019’s leak of personal information.
Are you still concerned about the security of the E3 website? Do you think companies need to do more to protect private information? Let us know in the comments below!