There is simply no such thing as a perfectly secure digital system. Multibillion dollar companies like Sony have proven time and again that even after spending huge sums of money to build safe online entertainment stores and networks like the PlayStation Network, hackers will find a weakness in its façade. Electronic Arts has also spent a large sum of money to transform its multiple digital businesses into one all-encompassing network called EA Origin. It turns out that even Origin is exploitable, according to one security company.
Donato Ferrante and Luigi Auriemma of the security company ReVuln found that by manipulating the way Origin opens video games through its client—the application that people use on their PCs to purchase and play games through EA Origin—hackers could potentially trick people’s machines into launching malicious code. For example, a player firing up Battlefield 3 could instead accidentally launch a keylogger, a program that remotely records their keyboard inputs to reveal sensitive information. Hackers would already need to know personal information about a player’s Origin account for the exploit to work, but the pair said it would be easy to work around this since Origin doesn’t lock out an account if a user fails to enter the correct security information multiple times.
“An attacker can craft a malicious internet link to execute malicious code remotely on victim’s system which has Origin installed,” wrote ReVuln’s researchers.
EA told Ars Technica that it’s investigating the vulnerability and will attempt to fix it.
Many would-be contenders to Steam’s digital video game distribution crown have revealed themselves to be vulnerable in the past year. Shortly after changing its digital rights management network Uplay into a distribution channel for its games, Ubisoft discovered that it was also leaving its customers vulnerable to digital attacks. Uplay’s problem was actually much worse than Origin’s vulnerability, since the Uplay client was accidentally installing an exploitable plug-in on people’s PCs without their permission. “The browser plug-in that we used to launch the application through Uplay was able to take command line arguments that developers used to launch their games while they’re being made,” said Ubisoft in July 2012, “This weakness could allow the application to specify any executable to run, rather than just a game. This means it was possible to launch another program on the machine.”
ReVuln’s techs said that around 10 million customers were vulnerable thanks to the chink in EA Origin’s armor.