A bug in EA’s game distribution platform, Origin, allows hackers to hijack players’ PCs.
Today is proving to be an interesting day for EA. First, they announced the list of games they are offering as an apology to gamers who suffered issues during SimCity’s launch. Then, EA CEO John Riccitiello submitted his resignation. And now, we have a bug in Origin that allows attackers to access users’ computers remotely.
According to a demonstration at the Black Hat security conference in Amsterdam, more than 40 million people could be affected by this. A paper written by ReVuln researchers Donato Ferrante and Luigi Auriemma to accompany the demonstration states:
Researchers from ReVuln also spoke with Ars Technica about the bug, stating that it takes seconds to execute, in some cases doesn’t even require the user being attacked to interact with it, and can be used to access both PCs and Macs. Essentially, it works by manipulating uniform resource identifiers on EA’s site to automatically start games on the victim’s computer, which allows the attacker to use Origin to install malicious files on it.
Haven’t we seen this before?
In October, the same research group demonstrated something similar with Valve’s store platform, Steam. Attackers could set up URLs starting with “Steam://” to fool applications into thinking they were accessing safe code. Users were advised to turn off the automatic launching of Steam URLs to avoid the exploit.
Origin’s bug works in the same way, by exploiting a function that allows sites to start games remotely.
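A defensive sketch of the point above, added here as an example (not code from ReVuln, EA or Valve): it scans a page's HTML for game-launcher URIs and separates navigations the browser starts on page load from links that need a click. The `origin` scheme name, the function and class names, and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# "steam" is named in the article; "origin" is an assumed scheme name.
WATCHED_SCHEMES = {"steam", "origin"}
# How each (tag, attribute) navigates: "auto" on page load, "click" on user action.
NAV = {("iframe", "src"): "auto", ("frame", "src"): "auto",
       ("a", "href"): "click", ("area", "href"): "click", ("form", "action"): "click"}

def watched_scheme(value):
    """Return the lowercased scheme if value is a watched launcher URI, else None."""
    try:
        scheme = urlsplit(value.strip()).scheme.lower()
    except ValueError:  # malformed URL in untrusted markup
        return None
    return scheme if scheme in WATCHED_SCHEMES else None

class LauncherLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (trigger, tag, scheme, line)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            # content="0; url=<target>" redirects with no user action.
            target = attrs.get("content", "").partition(";")[2].strip()
            if target.lower().startswith("url="):
                target = target[4:].strip("'\" ")
            self._check("auto", tag, target)
        for name, value in attrs.items():
            if (tag, name) in NAV:
                self._check(NAV[(tag, name)], tag, value)

    def _check(self, trigger, tag, value):
        scheme = watched_scheme(value)
        if scheme:
            self.findings.append((trigger, tag, scheme, self.getpos()[0]))

def scan(html):
    finder = LauncherLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; PLACEHOLDER stands in for any real launcher path.
SAMPLE = ('<meta http-equiv="refresh" content="0; url=Steam://PLACEHOLDER">\n'
          '<a href="steam://PLACEHOLDER">play</a>\n'
          '<iframe src="origin://PLACEHOLDER"></iframe>\n')
```

`scan(SAMPLE)` reports the meta refresh and the iframe as `auto` and the anchor as `click`; the `auto` findings correspond to the case the researchers describe, where the victim does not have to interact.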
An EA spokesperson sent an email to Ars Technica saying: “Our team is constantly investigating hypotheticals like this one as we continually update our security infrastructure.”
The good news here is that at least it was researchers that figured it out first.