Origin exploit allows hackers to remotely attack other users' computers

Researches have found a vulnerable spot in the security of Electronic Arts' Origin service, putting more than 40 million users at risk of their computers being hacked remotely by third-party users, reports Ars Technica.

The bug, revealed last Friday in a demo at the Black Hat security conference in Amsterdam, allows hackers to take control of Origin users' computers, manipulating code that starts up games and using it to install malicious software. The exploit works on both Windows PC and Mac systems and can in some cases be executed without interaction from the computers' owner.

In the demonstration, researchers loaded a link to a Windows library containing malware to a computer running Crysis 3 through Origin. When the link was clicked, the malware was loaded onto the hardware.

"The Origin platform allows malicious users to exploit local vulnerabilities or features by abusing the Origin URI handling mechanism," Luigi Auriemma and Donato Ferrante, researchers at security assessment and research company ReVuln, wrote in a paper accompanying their demo. "In other words, an attacker can craft a malicious Internet link to execute malicious code remotely on [a] victim's system, which has Origin installed."

It is a "necessary evil" that leaves room for such an exploit.

AVG Technologies security advisor Michael McKinnon told Polygon that Origin's use of custom "URI" links allow users to cross seamlessly between web pages and the application, but it is a "necessary evil" that leaves room for such an exploit.

"This vulnerability stems from the fact that the Origin game launcher can be loaded using a link beginning with "origin://" and just like a more traditional "http://" link can be interpreted by a web browser by default," McKinnon wrote in an email. "Custom 'URI' links are not unique to Origin though and are used by many other common applications (albeit in a more secure way) such as Apple iTunes and Google Play, for example when viewing Mobile apps in their respective stores."

McKinnon also noted that the "origin://" link allows use of certain commands that make it easy for hackers to remotely control hardware.

"That is where the real damage is done," he said. "If they had put a little more thought into the security around those parameters — or whether they are really necessary, perhaps this would not have occurred.

"To protect themselves, users should be disabling the "origin://" link from being triggered in their browsers, although I suspect for many Origin gamers this might be impractical, so instead they could consider configuring their browser to prompt them instead," he added.

A representative from EA told Polygon the company is "constantly investigating hypotheticals like this one as we continually update our security infrastructure."