BreachExchange mailing list archives

EA Origin Security Flaw Could Expose Tens of Millions of Players


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Tue, 19 Mar 2013 14:45:54 -0400

http://techland.time.com/2013/03/19/ea-origin-security-flaw-could-expose-tens-of-millions-of-players/

When it rains, it pours: Electronic Arts, currently grappling with
game-breaking SimCity server issues as well as the surprise
resignation of CEO John Riccitiello, might have to add “millions of
players at risk of being hacked” to its list of woes.

It seems EA’s Origin gaming service may place tens of millions of
players (the service has around 40 million members total) at risk
thanks to a design flaw that allows a hacker to execute malicious code
on a targeted user’s system remotely. EA Origin is EA’s digital
distribution platform as well as anti-piracy mechanism, operating as a
sort of relay between players and EA’s game servers similar to Valve’s
older, more popular Steam service. EA games like DICE’s Battlefield 3
or EA Maxis’ SimCity require the EA Origin client to run, and it’s an
exploitable flaw in that process on Windows PCs, whereby the Origin
client employs web-like addresses to access games, that’s at issue.

The paper outlining the exploit, titled “EA Origin Insecurity (When
Local Bugs Go Remote.. Again),” was actually published in late
February, so it’s likely making waves now because of all this other
EA-related chatter — it didn’t just happen yesterday, in other words —
but it is worth being aware of what’s at stake, since EA hasn’t
addressed the problem, and there may be steps you can take to
safeguard yourself until they do.

The research team responsible for outing the exploit operates under
the company name [Re]Vuln Ltd. and consists of two people: one a
former security researcher for Research in Motion, the other
describing himself as an “independent security researcher.”

How does the exploit work? According to the researchers, if you’re
launching an EA Origin game from a website or desktop shortcut, a
hacker could abuse the “Origin URI handling mechanism,” meaning Origin
links styled by the URI handler as “origin://” plus game, game ID,
command parameters and an attacker’s payload. The exploit still
requires hackers suss your game ID, but if they do, they could easily
slip attack code in — say a remote DLL file — through the URI handler,
then use that code to crack open your system.

Assuming the exploit checks out — [Re]Vuln offers a video of the hack
as evidence and, according to the BBC, just demonstrated the attack at
the Black Hat Europe conference – the researchers advise using a
URL-blocker like URLProtocolView to impede Origin’s URI handler. While
this means you wouldn’t be able to run EA Origin games from shortcuts
or Internet sites with custom command parameters, the researchers say
you can still launch games securely from within the Origin game client
itself.

The researchers discovered a similar flaw in Valve’s Steam client last
October: URLs beginning “steam://” that allow hackers to slip in
malicious code. The bigger question, then, is why EA didn’t act last
year to address this. Also: why Valve hasn’t yet addressed the issue
with its apparently still-vulnerable Steam client.
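
A read-only check related to the mitigation described above, added here as an example and not taken from the article or from the [Re]Vuln paper: it reports whether the `origin` and `steam` URL schemes named in the article are registered as URL protocol handlers on a Windows machine and whether the registered command passes the link text to the client. It relies on the standard Windows convention that a scheme is registered under `HKEY_CLASSES_ROOT\<scheme>` with a `URL Protocol` value; the function name `Get-UrlProtocolHandler` is hypothetical.

```powershell
# Added example: audit URL protocol handlers (read-only, changes nothing).
# Windows treats HKEY_CLASSES_ROOT\<scheme> as a URL protocol when the key
# carries a value named "URL Protocol"; shell\open\command holds the command
# line that is started when a link with that scheme is opened.
$schemesOfInterest = @('origin', 'steam')   # the two schemes named in the article

function Get-UrlProtocolHandler {
    param([Parameter(Mandatory)][string[]]$Scheme)

    foreach ($name in $Scheme) {
        $key = "Registry::HKEY_CLASSES_ROOT\$name"

        # Scheme not present at all: nothing handles these links.
        if (-not (Test-Path -LiteralPath $key)) {
            [pscustomobject]@{
                Scheme = $name; Registered = $false
                Command = $null; PassesLinkText = $false
            }
            continue
        }

        # The "URL Protocol" value (usually empty) marks the key as a handler.
        $props = Get-ItemProperty -LiteralPath $key
        $isUrlProtocol = $props.PSObject.Properties.Name -contains 'URL Protocol'

        # Read the command line registered for opening a link, if any.
        $command = $null
        $cmdKey  = "$key\shell\open\command"
        if (Test-Path -LiteralPath $cmdKey) {
            $command = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
        }

        [pscustomobject]@{
            Scheme         = $name
            Registered     = $isUrlProtocol
            Command        = $command
            # %1 is where Windows substitutes the full link, parameters included.
            PassesLinkText = [bool]($command -match '%1')
        }
    }
}

Get-UrlProtocolHandler -Scheme $schemesOfInterest | Format-List
```

A scheme reported with `Registered` and `PassesLinkText` both true is one whose links, including any command parameters they carry, reach the client from a web page or shortcut; that is the handler the researchers advise blocking.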