I've been doing a little investigating into EA Download Manager (formerly known as EA Link) just out of curiosity. I found some interesting things too.
The login process is very simple. All that happens is the client opens a TCP connection to the server proxy.novafusion.ea.com on port 443 (SSL). After the client and server have done their SSL handshakes, it simply sends an HTTP GET request for the following:
/cms/user?ea_email=user@email.com&ea_password=mypassword
So considering it's just a simple HTTPS connection... you can actually check passwords in your browser without having to write up any code. To do this, just go to:
https://proxy.novafusion.ea.com/cms/use ... mypassword and replace the login credentials with your own.
There are a few responses you will get from what I have found. The responses come as an XML file, and contain extra junk... but here are some strings in the response that you will find, and what they mean:
NO_SUCH_USER, if the account doesn't exist
VALIDATION_FAILED, found this when an email wasn't used, but instead just a regular username
MISSING_VALUE, when no email was entered at all
INVALID_PASSWORD, account exists but the password is bad
AuthToken, Activation Tokens, UserId indicate the login was valid.
The thing that is worrying is that the client doesn't check the actual certificate provided by the server. It simply uses whatever certificate is provided by the server to encrypt the data, and does not warn users about invalid certificates. So man-in-the-middle attacks are possible. I know this because when reversing the app, I set up my hosts file to connect to my home HTTP server and use a certificate that I signed myself... and it still sends data. So basically, they only use SSL for the 'encrypting' of the data, but not at all to verify that it is actually an EA server.
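What the post describes is a client that encrypts but never verifies. The following is an added example (not the EA client's code, and not from the original post) showing the two checks that were missing, using Python's ssl module: a context that validates the chain and the hostname, the weak "accept anything" configuration beside it for contrast, and a small stand-alone hostname matcher so it is visible what "is this really proxy.novafusion.ea.com" actually involves. The certificate dicts at the bottom are constructed samples in the shape `SSLSocket.getpeercert()` returns; they are not real certificates.

```python
"""Illustrative TLS client hygiene (added example, not the EA client's code).

Two things the post says the client skips: (1) validating the server's
certificate chain and (2) checking that the certificate is for the host the
client meant to talk to. Both are shown here with Python's ssl module, plus a
small stand-alone hostname matcher so the second check is visible rather than
buried inside the library.
"""
import ssl


def secure_client_context() -> ssl.SSLContext:
    """Context a client should use: verify the chain against the system trust
    store and require the certificate to name the host being connected to."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    return ctx


def unverified_client_context() -> ssl.SSLContext:
    """Context that behaves like the client described in the post: it still
    encrypts, but accepts any certificate, so a self-signed one is enough to
    impersonate the server. Shown only as the weak 'before' configuration."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Summarise whether a context would catch the impersonation described above."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


def hostname_matches(peercert: dict, hostname: str) -> bool:
    """Return True if any DNS subjectAltName in `peercert` names `hostname`.

    `peercert` has the shape returned by SSLSocket.getpeercert():
    {'subjectAltName': (('DNS', 'a.example'), ...), ...}.
    Comparison is case-insensitive and ignores a trailing dot. Wildcards are
    accepted only as the entire leftmost label of a name with at least three
    labels, and match exactly one label (RFC 6125-style).
    """
    host = hostname.lower().rstrip(".").split(".")
    for kind, value in peercert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pat = value.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue
        if pat[0] == "*":
            if len(pat) >= 3 and pat[1:] == host[1:]:
                return True
        elif pat == host:
            return True
    return False


# Constructed sample certificates (dict form only; these are not real certs).
EA_LIKE_CERT = {"subjectAltName": (("DNS", "proxy.novafusion.ea.com"),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.novafusion.ea.com"),)}
SELF_SIGNED_CERT = {"subjectAltName": (("DNS", "localhost"),)}


if __name__ == "__main__":
    print("secure    :", describe_context(secure_client_context()))
    print("unverified:", describe_context(unverified_client_context()))
    for cert in (EA_LIKE_CERT, WILDCARD_CERT, SELF_SIGNED_CERT):
        print(cert["subjectAltName"][0][1],
              hostname_matches(cert, "proxy.novafusion.ea.com"))
```

In a real client you would not call `hostname_matches` yourself: wrapping a socket with `secure_client_context().wrap_socket(sock, server_hostname=host)` makes the library perform both the chain check and the hostname check, and the handshake raises `ssl.SSLCertVerificationError` when a self-signed or mismatched certificate is presented, which is exactly the failure the post's hosts-file test should have triggered. The matcher is there to show what the hostname check decides on: a certificate for `localhost` must never be accepted for `proxy.novafusion.ea.com`, and a wildcard covers one label only.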
Enjoy, hope this comes in useful for someone :). Also, from what it appears there is no brute force prevention. Typical EA standards =\