Origin exploit discovered

Electronic Arts' virtual marketplace reportedly at risk from loophole that could swap games for malicious code.

by

An Origin exploit has been discovered that allows hackers to swap games for malicious code, the BBC reports today. Researchers at security company ReVuln found the loophole, which stems back to the way the service launches games.

"Like many other programs, Origin uses a web-like syntax to keep track of the places games are found on a computer so they can quickly be started when people want to play," the BBC wrote. "The two researchers found a way to subvert this syntax to make it point to malicious code instead of a game."

EA confirmed to Ars Technica that it is investigating the exploit, though there is no evidence that the loophole has been manipulated by hackers.

"Our team is constantly investigating hypotheticals like this one as we continually update our security infrastructure," an EA representative told the site.

ReVuln researchers demonstrated the hack during the Black Hat Europe conference recently, showing off a Windows PC running Crysis 3 that was subsequently taken over by the attack code.

SimCity's record-breaking launch this month helped push Origin to a new concurrent peak user milestone of 1.3 million. The service has 39 million members as of December 31, though this figure is actually over 40 million when SimCity's 1.1 million sales are factored in.

Discussion

125 comments
fire12135
fire12135

Damn I kinda like origin. Before I get horribly murdered by the community, Steam isn't any better. They have performance issues and a mess up UI (Forget Big Picture). Origin at least has a cleaner UI, runs slightly better and has features like the origin web browser or twitch broadcast.

91210user
91210user

The CEO has resigned, I think Origin put the exploit there on purpose!

Atombomb1981
Atombomb1981

EA should drop Origin before the whole ship sinks. I bought a single game that uses Origin and I still regret my purchase to this day, despite the fact it's a great title, simply because of the DRM, which I find offensive as a paying customer.

TrueGB
TrueGB

Wait a minute...this isn't the work of hackers? Some security firm did their jobs by finding an exploit and repairing it? We're not even sure someone actually used this exploit? Sensationalist reporting. Peroid.

LimeDudeZ
LimeDudeZ

Ea should finally fix the instable Origin servers. I can't play any game online that uses Origin for more than 20 mins.

Thanatos2k
Thanatos2k

Now I hate EA more than the next guy, but this has little to do with Origin.

The summary is "If you let someone compromise your computer, they can then use Origin to compromise your computer."

Hackers can't magically replace the URIs on your computer with something else.  You need to have clicked something, downloaded something, run something that allows them to do it.

And if you've done that, you're already done and infected.  What does it matter if they can then make Origin do interesting things?  They already have your computer.

Origin really has nothing to do with it. If you are connected to the internet your computer is vulnerable.  It's not EA's fault you have no idea how to use the internet safely.

By the way. Steam has this exact same "exploit."

rudyv30
rudyv30

There's alot of games I'm seriously considering during this "Customer Appreciation" Sale aka "we're really sorry we suck but we need to make our quarter look good" sale but until this is fixed, aint no way I'm giving them a single cent!

Skrilla_XS
Skrilla_XS

"The service has 39 million members as of December 31, though this figure is actually over 40 million when SimCity's 1.1 million sales are factored in." - That makes no sense unless everyone who purchased sim city never had origin ever. I noticed that I have an Origin account from playing BF3 on PS3, even though I don't have the program on my PC. And also no longer have BF3 or any other EA game. A lot of these figures are completely bogus.

pwc2
pwc2

EA why do you do this? I like many of your games, but I dislike how you're running your business..

yourdem1ze
yourdem1ze

Remember you could open a CD-rom on a player who was in a counter-strike 1.6 server lol

MadCityTech
MadCityTech

Mommy, why is EA so mean to me? Why do they treat me so bad? Mom: Don't let them bully you, you're better then them, stand up for yourself and hit them where it hurts. Mommy, what should I do? Mom: Stop asking me to give you money to buy there products. Ok mommy! I love you!

thorn3000
thorn3000

they forgot to add they identified a similiar exploit with Steam last year

fanirama
fanirama

Does Origin have offline mode like Steam? In steam, I can go offline once and continue to play almost all games (save a few like Dark Souls which needs GFWL which needs you to log in to save the damn game. It is tough already and this makes it worthless). 

Actually, best is Amazon because they just give you the installer which you can use to install and play the game without any launcher crap like Steam or Origin.

So, Amazon > Steam =~ Origin  in terms of DRM.  However, I must note to be honest that I have 2 Amazon games, about 150 Steam games and 0 Origin games thus far. I like Steam a lot now because it feels convenient although it still is DRM, not unlike Origin.

AlphaWolF_J
AlphaWolF_J

Already Uninstalled 4 days ago with bf3 when it tried to force me to download yet another  stealth DLC, pretending to be a game update. 

frak origin frak EA 

IM OUT permanently 



lets all try a social experiment and bring down origin for good!! by uninstalling the thing!!!!

TwilightPhoenix
TwilightPhoenix

Wait, wait wait...  39 million as of December and somehow Sim City pushed it above 40 million just off of its sales alone.  So, you're either telling me that everyone who purchased Sim City has never used Origin before or you all* are using phony math to artificially inflate user numbers to look better.

*As in, most companies, not just EA or GS.

blackace
blackace

Wow, I can't believe 39+ million gamers like to pay full price to rent their games using Origin. So when Origin goes away, how many people will have lots of games on their PC that won't launch? 

As for this malicious code. Really, does this surprise anyone. EA likes to pat themselves on the back. That's the only reason why this is news. I guess they are trying to send a message to hackers. Why else would this be sent out to gaming sites?

somberfox
somberfox

Why are they publicizing this? It's like they're just asking for someone to cause trouble.

DarpSyX
DarpSyX

and they offering a free game for those who bought SimCity... let's see how that goes... xD

ken_wakashimazu
ken_wakashimazu

EA this month:


simcity launch fiasco

maxis' lucy bradshaw lies several times to its customers

 EA's CEO gets fired

Origin has malicious code in it

great job guys, keep up the good lols

Shielder7
Shielder7

Malicious code and Origin are one in the same.

WingChopMasta
WingChopMasta

Finally! Its good to see these brutal publishers start to fall. I am sick of seeing good pubs fail whilst these fools reign supreme. I can not wait until they have to sell off all of their awesome dev companies to better pubs with less idiots pulling the strings. 

nothingman97
nothingman97

Breaking News:  Eddie has a security loophole.  Like many other people, he carries his wallet in his pants pocket.  Researchers found a way to beat him up and remove the wallet from his pocket, replacing it with something far more sinister, like grape jelly.

KamuiFei
KamuiFei

John Riccitiello must be laughing his ass off right now.

KaSeRRoR
KaSeRRoR

Origin & EA have their ups n' downs just like anyone else. The statement that rings true; 'mo money 'mo problems! 

>=)

quinnd6
quinnd6

Are EA working on a solution to this problem or do they give a damn?


naryanrobinson
naryanrobinson

I'm perfectly OK with hackers burning it to the ground.

I know EA will sell their games on Steam if they can't get their own service secure.

I mean, sure they steal your data anyway, but when someone else steals it then I imagine they try and do something about it.  Just not very hard because that would be like work and EA don't really care about your data anyway until they stand to lose money.

I'll say it again:

Origin needs to die.  EA needs to die.  Long live gaming.

ColdfireTrilogy
ColdfireTrilogy

@Thanatos2k not exactly, unless you have anti javascript programs like noscript and adblock plus running on your browser than it you dont have to necessarily "click" anything on a website to actually become infected by visiting one.  Hit and runs are very possible and happen all the time.  THe most recent example I can think of was on NBCs website when they had malicious code injected into one of their ads on their webpage along with the pages of a few of their top tv series.  Any individual without javascript protection who even visited the site was summarily infected with a backdoor trojan, no clicks or ad mouseovers required; just a visit to the page itself was enough.  Luckily they caught it quickly and the number of infected users was relatively low, the problem is most of those people are probably unaware of the issue due to not being PC savvy in the first place.

thorn3000
thorn3000

@fanirama origin has an offline mode in which you can play campaign from games installed

mkeezay22
mkeezay22

@blackace  

Fully agreed,I can see Origin going out of service like EA cutting it for costs and screwing all the gamers that trusted the service.I personally have one game through Origin which is BF3 and I can already see the day they cut servers for BF3 after the launch of BF4 sometime making my game 90% useless.

Now there's the whole Sim City BS that's pissing off gamers I'd say Origin needs a bit of good PR like maybe not being grade A Dbags,stopping with the always online nonsense and putting online games on other services like BF3 on Steam so I can still play after EA cuts servers if Steam uses theirs.

Fursnake
Fursnake

@blackace 

This is pre-damage damage control. That way, if Origin gets hacked EA can say "Hey, at least we told you about it!"

NkoSekirei
NkoSekirei

@ken_wakashimazu dont forget they tried to merge origin with nintendos online service and they would of had complete control of nintendo network but thankfully nintendo said no

Vastano
Vastano

@ken_wakashimazu 
I would also like to add that EA is once again up for "Worst Company Award" again...

ggregd
ggregd

@KamuiFei Why?  This was done on his watch.  He was so intent on pushing digital distribution for increasing profits he decided to forego doing it right.  This and SimCity are examples of what you end up with when do a rush job without planning and adequate QA.

blackace
blackace

@KamuiFei 

He was laughing his ass off before you got fired (I mean retired). He's filthy rich now, do you think he even cares?

georgebot84
georgebot84

@naryanrobinson They ruined good franchises, and now force a client on you that is buggy and apparently unsafe.

At least Simcity turned out well:)

Trep88
Trep88

@basangicu @LimeDudeZ  

Offline mode doesn't work on Steam.

Almost all AAA titles for computer require Steamworks. I refuse to buy them. Not Skyrim, not Bioshock, nothing. Until publishers offer another option besides Steamworks, I refuse to give them my money.


Origin is miles better. At least you can play your games offline. Simcity was designed, from the ground up, to be played online (special case).

thorn3000
thorn3000

@Vastano @ken_wakashimazu lucy did not lie though she spoke "corporate" speak (more positives then negatives in a sentence)......EAs CEO resigned was not fired.....Origin has a similiar vulnerability that was identified on Steam last year but since then no hacker used it on Steam which has way more users than origin, why? because it's not usable in normal circumstances....any more useless rants without facts?

ioshilee
ioshilee

@ggregd Steam services were polished for years.... EA just wants to jump out of a bush and grab all the goodies of digital distribution in a blink of an eye... 

fire12135
fire12135

@MetaMods @thrice00  I also like origin more than steam. Just give people with a different opinion a chance to voice it. I mainly prefer origin due to less performance issues and generally a cleaner interface.

thrice00
thrice00

Miles better ?!?!........

ioshilee
ioshilee

@thorn3000 @Vastano @ken_wakashimazu You can call it whatever you want, but it's still a BF lie... 

Vastano
Vastano

@thorn3000 @Vastano @ken_wakashimazu

I believe your comment was more directed to ken_wakashimazu than mine, but I will reply nonetheless.

"Corporate speech", in my opinion, is as close as you can get to lying without actually lying. 

"We have mutually agreed that this is the right time for a leadership transition." In translation: the exCEO resigned before we could fire him. Or at least that's how I read it...

When ken said "Origin has malicious code in it", I believe that was exaggeration for greater impact in his comment.

Neither ken's nor my own comments were "useless rants without facts". In actuality, our comments were filled with facts....their usefulness is debatable...