Electronic Arts is not having the best of weeks. Just days after server problems led to widespread issues for people trying to play the new edition of Sim City, the company has come under fire for a potential security risk in its game platform Origin.
At the moment, the security flaw doesn’t appear to have been exploited for real, but security researchers have demonstrated how an attack could work.
Luigi Auriemma and Donato Ferrante of the ReVuln group discussed the issue in a recent paper and then showed off the technique at the Amsterdam date of the Black Hat security conference circuit.
Origin works in a similar way to Steam, using a main application to manage downloads and updates to games distributed via the Internet rather than on physical media. The security flaw involves the somewhat convoluted way this main application and the individual games interact on the user’s computer, designed to make DRM protection work better.
The set-up means the user opens the game itself, which in turn opens the Origin application. At this stage the game process closes and the Origin application runs the actual game.
As part of the set-up, the software uses a custom uniform resource identifier that begins with “origin://” and opens and runs specific games files. The problem is that the Origin set-up means it’s possible to create a modified uniform resource indicator that instead opens and executes a remote file or files.
Hackers would need to trick users into clicking on this custom uniform resource indicator, most likely through a bogus link on a webpage. One limitation is that a hacker needs to know the title of a specific game the user has on the Origin platform, though a brute force attack is possible to find this out.
Auriemma and Ferrante suggest disabling “origin://” links in your browser, or at the least setting it up to prompt you before following a link. They note that you can still run games by simply opening Origin rather than using desktop shortcuts to individual games, though this limits command line parameters.
EA hasn’t commented on the specifics of this case, but released a statement saying it is “constantly investigating hypotheticals like this one.”