Comment by wavemode

Comment by wavemode 9 days ago

13 replies

Sometimes I wonder how it feels to be an engineer at such a company, having all your private APIs, weird bugs and dirty laundry aired in a public breach disclosure.

Though it's likely in a case like this, no single person was responsible for the vulnerability. Probably 5 or 6 different teams owned different parts of what he exploited (which is probably why the exploit existed in the first place - big complex system where everyone only understands their tiny piece of it).

sqeaky 9 days ago

On a team you are emotionally (or maybe even just financially) invested in it feels bad, but when I was at EA they almost worked hard to make it hard to become emotionally invested.

At a company the size of EA almost certainly this will be used to play politics and even if it hurts the company as a whole people will use it to have larger control over the now smaller company.

ponector 8 days ago

In such a large corpo no one gives a shit about it. It's just a job, to get a paycheck. They all are expendable resources, why be invested emotionally into the job?

  • mdeeks 7 days ago

    I worked on the team that originally built Nucleus (which is the system this is proxying to) and we most definitely gave a shit about it.

    Systems are complicated and hard to keep in your head. Knowledge doesn't always transfer to other teams. Especially over 15 years. Sometimes you don't realize you've made an error.

    Most people are emotionally invested because they spent time and energy to build something and don't want it to be for nothing. Most people like to try to do the right thing.

Daegalus 8 days ago

Well, as someone who worked in probably the same team that still manages this exact code 10 years ago, I can tell you that I quickly went through the article wondering if it was any of my code, or things I touched.

Back then the team was called Nucleus (hence in one of the responses in the article, the refType was NUCLEUS) who built and managed the backend API for Entitlements, Accounts, and Payments. It was a summer internship, so a year later when they offered me a position on the team, I started work there. By then the team was renamed EADP as it was slowly being merged with Origin (I forget what the DP meant, Data Platform?) hence one of the endpoints starts with `dp.`

Though, we did not have a GraphQL db back then, it was all Enterprise Java (OCI, Spring, Hibernate, etc) and some newer Groovy/SpringBoot stuff before I left. Running on datacenter servers (no cloud). But I worked on some fun things. I moved on from there after 2-3 years after some shit hit the fan, but I learned a lot of good backend dev back then from good engineers.

No clue what the team is like today, who the engineers are, or what is going on, but it is a shame to see something like this. We were very security conscious back then, and I even worked on a brute-force system to detect and handle brute-force attempts on our login page. No clue if it is still active or running, but security checks/reviews were part of our sprint tasks to reduce the chances and surface area of compromises.

  • mdeeks 7 days ago

    I was part of the original team that built Nucleus. It was very specifically an internal API that was never ever supposed to be publicly exposed. We were always very careful with it and did various things like requiring mutual TLS for clients. This was 15-ish years ago though. It's also hard to control what clients end up doing with your API. This reads like they proxied part of it to the public :(

    • Daegalus 7 days ago

      We worked together for a while, if you are the same M. Deeks I worked with. I think you even interviewed me for the internship job originally.

      I agree that this looks like an accidental proxy of the API. Everything was so locked down back then, never thought I'd see the API exposed like this.

      • mdeeks 7 days ago

        Yep, that's me! I just looked you up. Small world.

Sparkyte 9 days ago

Bad, especially if you have no control because you don't work in that department but you know you could do better than that department.

captainkrtek 9 days ago

I would have a pit in my stomach if I read a post like that knowing I implemented those APIs.

  • treflop 8 days ago

    What if you implemented the APIs but

    - someone else proxied your API to the public

    - someone else leaked credentials you assigned them in the public code of a game

    As someone working on a team that publishes APIs to the greater large organization, you can't trust other people. People be doing wild things.

    • ryandrake 8 days ago

      I would hope that my employer had a postmortem culture that encouraged looking into every point of failure and identifying process changes that will prevent a repeat of the incident. Instead of pointing the finger at Team X who messed up and/or just "blaming hackers" and continuing on with your defective processes.

nitwit005 8 days ago

Five or six teams is probably an underestimate if they had glued different games into the same system. EA has made a ton of games with online features, bought companies, etc.

The company I work for now likely has weaker security simply from having glued various acquisitions in. We have API endpoints specific to some of them.