- dotTech - https://dottech.org -

EA’s online video game service Origin is exploitable by bug that lets attackers remotely run malicious code

origin [1]

Video game publisher Electronic Arts recently  put out one of the bigger releases of the year in SimCity [2]. The game was plagued with launch woes and continuous server issues as it required an online connection to EA’s Origin service to function. It turns out that’s not the end of the bad news for EA and Origin users.

Security researchers from ReVuln have uncovered a pretty worrisome exploit in Origin that would allow hackers to remotely run malicious code on a user’s computer. To make matters worse, the method is not only fairly simple to execute, but takes mere seconds and in some cases doesn’t need interaction from the victims.

Hackers would theoretically be able to exploit Origin’s uniform resource identifier — this could either be a link on a website or even a local desktop shortcut. The URI is used to do things like launch Origin itself or the games within Origin, like the aforementioned SimCity. The problem here is that someone with malicious intent could add instructions to that URI — perhaps to download or run malicious software — and disguise it as an innocent link or shortcut to Origin or one of its games. Joystiq notes that URI’s aren’t unique to the EA service, and are used in other mainstream services like iTunes as well.

Fortunately for the security-conscious gamers out there, preventing this from happening is just as easy. Simply launch Origin first and launch (or buy) your games from within the application, not from links you find online.

Thankfully, EA says they’re working on it: “Our team is constantly investigating hypotheticals like this one as we continually update our security infrastructure.”

[via Ars Technica [3], Joystiq [4]]