A vulnerability was found in Electronic Arts’ Origin platform, launchpad for popular titles like Apex Legends and FIFA 19. The flaw could be used to trick gamers into running malicious code on their computer. It has since been fixed.
URL handler issue allowed full access
In the fight for gamers’ attention (or at least their purses), more and more publishers are erecting their own digital storefronts. Epic Games’ recent taking on of Valve’s Steam hegemony has been well publicized, but it is only one example. On PC alone we now have over a dozen such offerings, ranging from Activision Blizzard’s Battle.net to Discord’s recent addition to the field.
Sadly, it appears that these walled gardens more often than not have their gates left wide open. In the latest such case, two security researchers found that EA’s Origin client could be remotely tricked into running any application on a victim’s computer. Even worse, by using built-in tools, it could be made to download malicious components like ransomware. It was also possible to take over the user’s Origin account completely.
Cause of the flaw appears to be the handler for custom origin:// addresses. If a user could be made to click a specially-crafted link, the attack could be carried out. EA has confirmed that a fix for the problem, which only affected the platform’s Windows client, was deployed on Monday.
Mo’ stores, mo’ problems
In January this year, a security hole was found in Epic Games’ infrastructure that could steal accounts as well, and last month a similar problem was found in Steam’s server browser. These are far from the only examples, however, making us wonder if everyone really should be having a go at building a cloud platform of their own in the first place.
In the meantime, it bears repeating that you should never click suspicious links, doubly so if received from unknown sources. This particular hole may have been shored up, but it seems unlikely that it will be the last such.