Electronic Arts has confirmed a vulnerability in its platform after security researchers found that an unsuspecting gamer could be tricked into remotely executing malicious code on their computer.
The bug affected Windows users who had the Origin app installed. Tens of millions of gamers use Origin to purchase, access and download games. To make it easier to reach an individual game's store page from the web, the client registers its own URL scheme, which lets players open the application and load a game from a web page by clicking on a link whose address uses that scheme.
Two security researchers from Underdog Security found that the application could be tricked into running any application on the victim's computer.
The researchers have released proof-of-concept code. The code allowed any application to run with the same level of permissions as the logged-on user.
In addition, a hacker could send malicious PowerShell commands, a built-in application often used by attackers to download additional malware and eventually install ransomware.
A malicious link could be sent by e-mail or placed on a web page, but could also be triggered if the malicious code was combined with a cross-site scripting exploit that ran automatically in the browser.
It was also possible to steal a user's account access token using a single line of code, allowing a hacker to access a user's account without needing the password.
EA spokesman John Reseburg confirmed that they are trying to find a solution on Monday.
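As an added illustration (not EA's or the researchers' code), this is how a client that registers its own URL scheme can treat every incoming link as untrusted input: parse it strictly, allow only known actions and ID-shaped values, and build the process arguments as a list. The article does not describe the flaw's mechanism, so the scheme name, actions, ID format and client path here are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

SCHEME = "examplestore"                 # hypothetical scheme, not the real client's
ALLOWED_ACTIONS = {"store", "launch"}   # hypothetical, fixed set of actions
GAME_ID = re.compile(r"[A-Za-z0-9_-]{1,32}")
CLIENT_EXE = r"C:\Program Files\ExampleStore\client.exe"  # hypothetical path

def parse_launch_link(url):
    """Validate an untrusted link; return {'action', 'game'} or raise ValueError."""
    # Reject oversized links and anything outside printable ASCII up front.
    if len(url) > 256 or not all(0x21 <= ord(c) <= 0x7E for c in url):
        raise ValueError("bad length or character")
    parts = urlsplit(url)
    if parts.scheme != SCHEME or parts.netloc not in ALLOWED_ACTIONS:
        raise ValueError("unknown scheme or action")
    if parts.path not in ("", "/") or parts.fragment:
        raise ValueError("unexpected path or fragment")
    # strict_parsing turns malformed query fields into errors instead of skipping them.
    query = parse_qs(parts.query, keep_blank_values=True, strict_parsing=True)
    if set(query) != {"game"} or len(query["game"]) != 1:
        raise ValueError("exactly one 'game' parameter is required")
    game = query["game"][0]  # parse_qs percent-decodes, so validate the decoded value
    if not GAME_ID.fullmatch(game):
        raise ValueError("game id has characters outside the allowlist")
    return {"action": parts.netloc, "game": game}

def build_argv(request):
    """Argument list for the client; only the validated ID comes from the link."""
    return [CLIENT_EXE, "--" + request["action"], request["game"]]

def accepts(url):
    try:
        parse_launch_link(url)
        return True
    except ValueError:
        return False

# Constructed sample links: two well-formed, five that must be refused.
SAMPLES = [
    "examplestore://launch?game=abc123",
    "examplestore://store?game=racer_2",
    "examplestore://run?game=abc123",             # action not on the allowlist
    "examplestore://launch?game=abc123&extra=1",  # unexpected parameter
    "examplestore://launch?game=abc%22%20--flag", # decodes to a quote and a space
    "examplestore://launch/sub?game=abc123",      # unexpected path
    "https://launch?game=abc123",                 # wrong scheme
]

if __name__ == "__main__":
    for link in SAMPLES:
        print("accept" if accepts(link) else "reject", link)
```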