EA's Origin platform vulnerable to remote code execution attack

origin vulnerability
Martin Brinkmann
Mar 19, 2013
Updated • May 23, 2018
Security
|
1

Electronic Arts, one of the largest game publishers, has a lot of problems these days. First there was the Sim City fiasco where the company decided that it is more important to fight piracy and push micro-transactions than to provide users with a game that they can actually play.

Yesterday, company CEO John Riccitello announced that he would step down and while that is not necessarily related to Sim City or other issues the company is currently facing, it is a clear sign that things look dire for EA right now.

If that was not bad enough, it became known today that the company's digital distribution and game management platform Origin is vulnerable to remote code execution attacks. Security research company [Re]Vuln released a paper and demonstration video that explains in detail how Origin users may be attacked.

The basic idea behind the attack is the following. Origin, much like Steam, uses a protocol - origin:// - to launch games on local systems. These links can be shortcuts on the local system or displayed on websites on the Internet. Attackers can make use of that by manipulating the links to load remote payloads on local systems.

While this still means that users need to click on those links, it is likely that mass distribution, for instance via email or a popular website, can lead to a series of attacks on user systems.

The attacker needs to reference a game installed on the user's PC for the payload to be loaded on it. This can be easily done via a brute force type of attack as Origin accepts multiple game IDs listed in the launch url. To make matters worse, the payload can be started with silent commands.

The only workaround right now is to only run games right from within Origin and not from shortcuts or websites. This may limit the available launch parameters right now and if you can't abstain from using shortcuts or links, make sure you only execute them on sites that you trust. Even better, right-click those links and analyze them to make sure that they do not include remote payload commands (check the paper for how this looks like, basically, you should find an IP or domain name near the end that references the attack server).

EA is investigating the issue.

Advertisement

Related content

Intel

Microsoft publishes new Registry security mitigation for Intel processors (Spectre)

KeePassXC adds support for Passkeys, improves database import from Bitwarden and 1Password
Malwarebytes 5

First look at Malwarebytes 5.0
RustDoor malware targets macOS users by posing as a Visual Studio Update

RustDoor malware targets macOS users by posing as a Visual Studio Update
keys

KeePass 2.56 released: options search and history improvements
70 million account credentials were leaked in a massive password dump

70 million account credentials were leaked in a massive password dump

Previous Post: «
Next Post: «

Comments

  1. JohnMWhite said on March 19, 2013 at 11:47 am
    Reply

    DRM: putting paying customers in harm’s way since 2005.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.

Advertisement

Spread the Word

Advertisement

Hot Discussions

Advertisement

Recently Updated

Latest from Softonic

Advertisement

About gHacks

Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.

The name and logo of Ghacks are copyrights or trademarks of SOFTONIC INTERNATIONAL S.A.
Copyright SOFTONIC INTERNATIONAL S.A. © 2005- 2024 - All rights reserved