Launching Origin on your PC by clicking random links in your browser may not be such a great idea.
EA’s online store Origin doesn’t exactly resonate with core gamers compared to other digital delivery platforms, such as Steam. Unfortunately for EA, it looks like there is one more reason to be wary of its electronic marketplace: a security research company has identified an exploit in the Origin platform that could potentially allow an attacker to execute malicious code on a player’s computer.
Researchers from ReVuln, based in Malta, published the findings in a white paper last month. The exploit focuses on Origin’s use of uniform resource identifiers (URIs), which the program uses in order to enforce DRM protection of its games. ReVuln proposed that malicious users could exploit local vulnerabilities or features by abusing the URI mechanism, such as by creating a malicious internet link that could execute code remotely on a system.
The security researchers recently demonstrated the exploit at a Black Hat security conference in Amsterdam on a system with Origin and Crysis 3 installed. By clicking on a modified URI within a web browser, the researchers were able to run a compromised DLL file on the computer as the game was launching. ReVuln also discovered that attackers could attempt to launch a list of games by brute force, allowing the attacker to exploit a system without knowing what games are available in the victim’s account.
This isn’t the first time that ReVuln has come across this issue, though: the company identified the same vulnerability in Steam’s browser protocol and its use of steam://, which closely resembles the issue found in Origin.
To counter the exploit, ReVuln recommends globally blocking the origin:// URI using a tool such as URLProtocolView. Alternatively, whenever your browser prompts you to always associate origin:// links with the program, you can decline, so that each launch still requires your confirmation and you keep more control over Origin’s execution if something unexpected happens.
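Before blocking a scheme, it helps to see which program a click on an origin:// or steam:// link would actually start. The PowerShell below is an added example, not code from ReVuln's paper or from EA; it assumes the standard Windows convention that a URI scheme is a key under HKEY_CLASSES_ROOT carrying a `URL Protocol` value, and the function names are hypothetical. It also goes beyond the two schemes named in the article by listing every handler registered on the machine.

```powershell
# Added example: read-only audit of URL protocol handlers on Windows.
# Function names are hypothetical; the schemes checked come from the article.

function Get-UrlProtocolHandler {
    param([Parameter(Mandatory)][string]$Scheme)

    $path = "Registry::HKEY_CLASSES_ROOT\$Scheme"
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Scheme = $Scheme; Registered = $false; Command = $null }
    }

    # A class key is treated as a URI scheme only if it has a "URL Protocol" value.
    $key = Get-Item -LiteralPath $path
    $isProtocol = $key.GetValueNames() -contains 'URL Protocol'

    # shell\open\command holds the command line that receives the clicked URI (as %1).
    $command = $null
    $cmdPath = "$path\shell\open\command"
    if (Test-Path -LiteralPath $cmdPath) {
        $command = (Get-Item -LiteralPath $cmdPath).GetValue('')
    }

    [pscustomobject]@{ Scheme = $Scheme; Registered = $isProtocol; Command = $command }
}

function Get-AllUrlProtocolHandlers {
    # Walk every class key and keep those flagged as URL protocols.
    Get-ChildItem -LiteralPath 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValueNames() -contains 'URL Protocol' } |
        ForEach-Object { Get-UrlProtocolHandler -Scheme $_.PSChildName }
}

# Schemes discussed in the article.
'origin', 'steam' | ForEach-Object { Get-UrlProtocolHandler -Scheme $_ } | Format-List

# Full inventory: every scheme a web page could ask the browser to hand off.
Get-AllUrlProtocolHandlers | Sort-Object Scheme | Format-Table Scheme, Command -AutoSize
```

Any scheme in the inventory whose command passes `%1` to a locally installed application is reachable from a browser link and is a candidate for review or blocking.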
An EA spokesman responded to Ars Technica regarding the vulnerability, saying that “Our team is constantly investigating hypotheticals like this one as we continually update our security infrastructure.”