EA patches Origin vulnerability that allowed PC takeover
Forgot password
Enter the email address you used when you joined and we'll send you instructions to reset your password.
If you used Apple or Google to create your account, this process will create a password for your existing account.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Reset password instructions sent. If you have an account with us, you will receive an email within a few minutes.
Something went wrong. Try again or contact support if the problem persists.
Call of Duty: Vanguard
Additional Vanguard artwork. | Provided by Activision

EA patches Origin vulnerability that allowed PC takeover

This article is over 5 years old and may contain outdated information

A vulnerability was found in Electronic Arts’ Origin platform, launchpad for popular titles like Apex Legends and FIFA 19. The flaw could be used to trick gamers into running malicious code on their computer. It has since been fixed.

Recommended Videos

URL handler issue allowed full access

In the fight for gamers’ attention (or at least their purses), more and more publishers are erecting their own digital storefronts. Epic Games’ recent taking on of Valve’s Steam hegemony has been well publicized, but it is only one example. On PC alone we now have over a dozen such offerings, ranging from Activision Blizzard’s Battle.net to Discord’s recent addition to the field.

Sadly, it appears that these walled gardens more often than not have their gates left wide open. In the latest such case, two security researchers found that EA’s Origin client could be remotely tricked into running any application on a victim’s computer. Even worse, by using built-in tools, it could be made to download malicious components like ransomware. It was also possible to take over the user’s Origin account completely.

Cause of the flaw appears to be the handler for custom origin:// addresses. If a user could be made to click a specially-crafted link, the attack could be carried out. EA has confirmed that a fix for the problem, which only affected the platform’s Windows client, was deployed on Monday.

Mo’ stores, mo’ problems

In January this year, a security hole was found in Epic Games’ infrastructure that could steal accounts as well, and last month a similar problem was found in Steam’s server browser. These are far from the only examples, however, making us wonder if everyone really should be having a go at building a cloud platform of their own in the first place.

In the meantime, it bears repeating that you should never click suspicious links, doubly so if received from unknown sources. This particular hole may have been shored up, but it seems unlikely that it will be the last such.

Author