When it rains, it pours: Electronic Arts, currently grappling with game-breaking SimCity server issues as well as the surprise resignation of CEO John Riccitiello, might have to add “millions of players at risk of being hacked” to its list of woes.
It seems EA’s Origin gaming service may place tens of millions of players (the service has around 40 million members total) at risk thanks to a design flaw that allows a hacker to execute malicious code on a targeted user’s system remotely. EA Origin is EA’s digital distribution platform as well as anti-piracy mechanism, operating as a sort of relay between players and EA’s game servers similar to Valve’s older, more popular Steam service. EA games like DICE’s Battlefield 3 or EA Maxis’ SimCity require the EA Origin client to run, and it’s an exploitable flaw in that process on Windows PCs, whereby the Origin client employs web-like addresses to access games, that’s at issue.
The paper outlining the exploit, titled “EA Origin Insecurity (When Local Bugs Go Remote.. Again),” was actually published in late February, so it’s likely making waves now because of all this other EA-related chatter — it didn’t just happen yesterday, in other words — but it is worth being aware of what’s at stake, since EA hasn’t addressed the problem, and there may be steps you can take to safeguard yourself until they do.
The research team responsible for outing the exploit operates under the company name [Re]Vuln Ltd. and consists of two people: one a former security researcher for Research in Motion, the other describing himself as an “independent security researcher.”
How does the exploit work? According to the researchers, if you’re launching an EA Origin game from a website or desktop shortcut, a hacker could abuse the “Origin URI handling mechanism,” meaning Origin links styled by the URI handler as “origin://” plus game, game ID, command parameters and an attacker’s payload. The exploit still requires hackers suss your game ID, but if they do, they could easily slip attack code in — say a remote DLL file — through the URI handler, then use that code to crack open your system.
Assuming the exploit checks out — [Re]Vuln offers a video of the hack as evidence and, according to the BBC, just demonstrated the attack at the Black Hat Europe conference – the researchers advise using a URL-blocker like URLProtocolView to impede Origin’s URI handler. While this means you wouldn’t be able to run EA Origin games from shortcuts or Internet sites with custom command parameters, the researchers say you can still launch games securely from within the Origin game client itself.
The researchers discovered a similar flaw in Valve’s Steam client last October: URLs beginning “steam://” that allow hackers to slip in malicious code. The bigger question, then, is why EA didn’t act last year to address this. Also: why Valve hasn’t yet addressed the issue with its apparently still-vulnerable Steam client.