
EA Origin vuln puts players at risk

Discussion in 'UHall' started by Winter, Mar 19, 2013.

  1. Winter

    Winter Lore Keeper

    New article on EA Origin accounts

    A flaw in EA's Origin game store puts its 40 million or so users at risk of remote execution vulnerabilities.
    The vulnerability was described by security researchers Luigi Auriemma and Donato Ferrante of ReVuln, in a paper released on Saturday.

    ...

    At the time of writing, EA had not responded to our requests for further information. This news comes alongside the abrupt departure of EA chief executive John Riccitiello. ®
     
  2. Crysta

    Crysta Babbling Loonie
    Stratics Veteran Alumni

    Well, guess that's good news for most of us at least. Glad they never hooked UO into it.
     
  3. Lord Frodo

    Lord Frodo Grand Poobah
    Stratics Veteran

    Origin works by using uniform resource identifiers (URIs) to authenticate and initiate games on players' machines. The attack works by spoofing the URI via a URL on a third-party website, so that when a person clicks it, Origin silently opens and loads a file onto the user's machine.

    And this affects UO how?
     
  4. Winter

    Winter Lore Keeper

    It doesn't. But if you had read the rest of the article, you would see that it affects any log in or link to Origin.... like the Origin store, accounts linked to Origin, etc. Or isn't that relevant?

    "But the way the software authorizes players can also be used to hijack computers and install malicious software, the researchers found.
    "The Origin platform allows malicious users to exploit local vulnerabilities or features, by abusing the Origin URI handling mechanism," they write. "In other words, an attacker can craft a malicious internet link to execute malicious code remotely on victim’s system, which has Origin installed."
     
  5. Llewen

    Llewen Grand Inquisitor
    Professional Stratics Veteran Stratics Legend Campaign Supporter

    EA should have swallowed its pride and made an agreement with Valve to use Steam as its digital content delivery vehicle. There was no reason to reinvent the wheel and force their clients to have multiple instances of similar systems installed. And that's not even considering the horrific farce the Origin content delivery system has been since day one.
     
    MalagAste and Viper09 like this.
  6. Lord X

    Lord X Sage
    Stratics Veteran

    Not to mention that at least with Steam, there would be a little bit of advertising for UO.
     
  7. Aurelius

    Aurelius Babbling Loonie
    Stratics Veteran Stratics Legend

    For clarity though, the issue as described is entirely with the Origin 'platform software', there has been absolutely NO demonstration that simply using the Origin store webpage is compromised in any way. There's a possible method, which might work but needs a fair amount of other things happening to function.
     
    #7 Aurelius, Mar 20, 2013
    Last edited: Mar 20, 2013
  8. Aurelius

    Aurelius Babbling Loonie
    Stratics Veteran Stratics Legend

    While I agree they should have been less keen on 'inventing the wheel' and making their own store, just to quote from the full paper about the Origin insecurity that kicked this conversation off,

    "As we have demonstrated for Steam in our previous paper, Steam Browser Protocol Insecurity, almost the same design problem applies for Origin"
     
  9. Winter

    Winter Lore Keeper

    I disagree with your first statement in that there is never a demonstrated vulnerability until someone actually makes a virus/trojan out of it. So, that statement really makes no sense in that the vulnerability is still there.

    Now, I do agree that it would take a fair amount of work and just the right amount of clicking to get the vulnerability to work, but all it takes is one exploit to spread it even further if the exploit designers are clever - it's a shotgun approach, but happens all the time when there are hundreds of millions of users. Or in this case, 40 million Origin store users.

    I'm just saying, the more these kinds of vulnerabilities get noticed, the faster a fix gets posted. Account Center down for maintenance? Probably not this, but who knows?
     
  10. Llewen

    Llewen Grand Inquisitor
    Professional Stratics Veteran Stratics Legend Campaign Supporter

    Good catch, but from years of experience with both Valve and EA, I trust Valve to quickly, and competently, fix a vulnerability far more than I do EA. But anyway, enough EA bashing. I'm sure that the upcoming account management maintenance includes a fix for this vulnerability. Even EA isn't going to let something like this go without doing everything possible to fix it as quickly as possible.
     
    #10 Llewen, Mar 20, 2013
    Last edited: Mar 20, 2013
  11. Aurelius

    Aurelius Babbling Loonie
    Stratics Veteran Stratics Legend

    Fair enough, but as it's still only at 'proof of concept' and is a variant on a similar technique they identified for Steam, but which seems to have been either disabled or not been 'exploited' as a vulnerability (as far as anyone seems to know), I'm not overly concerned for folks who only use the online 'store' part of Origin - but if I had downloaded the full package I'd certainly be disabling the less secure elements until I was certain EA had addressed them.
     
  12. Aurelius

    Aurelius Babbling Loonie
    Stratics Veteran Stratics Legend

    I agree, the track record of EA on fixing things properly is not impressive, but as I just posted in reply to Winter, I don't feel too concerned just yet as a simple 'buyer' on the Origin stores... and as you say, even EA can't afford this sort of potential for another bad publicity day, especially right on the heels of Sim City ;)