Got Origin installed? Then you’d better update it immediately.
EA has rolled out an update to the PC version of Origin (Mac isn’t affected) after a TechCrunch report found an enormous security flaw that allowed the remote execution of code, and applications, through the Origin app.
Underdog Security’s Dominik Penner and Daley Bee discovered that the method which Origin uses to open URLs could be hijacked to open any app on a PC, with the same level of privileges as the user.
“We were simply curious and looking around at the origin2 URI handler, when we came across a parameter where we could supply data that would be echoed back to us in the Origin client, prompting us to start tinkering,” the researchers explained.
After checking up on some sandbox exploits for AngularJS, the JavaScript framework that Origin’s PC client is built on, the researchers were then able to remotely open an app, in this case Calculator.
“An attacker could also steal a user’s access token in many ways,” they warned. Taking a user’s access token would give malicious actors access to an account, without having to type in a password.
TechCrunch reports that the exploit was patched by EA earlier on Tuesday. Kotaku Australia has contacted EA’s local representatives for comment, asking when they were alerted to the security flaw and what steps are being taken to shore up other vulnerabilities in the future.