It’s in the game
A recently patched vulnerability in Electronic Arts’ Origin desktop client left millions of Windows PC gamers vulnerable to total pwnage.
The issue – limited to the Windows version of the online gaming platform – created a remote code execution (RCE) vulnerability, as well as a possible mechanism for hackers to steal gamers’ access tokens.
Fortunately, EA was able to fix the flaw just hours after the video games company was notified of the problem by researchers Dominik Penner and Daley Bee of Underdog Security.
The researchers were exploring the origin2 URI handler when they discovered a parameter where data they supplied was echoed back to them in the Origin client – evidence of a failure to sanitize user-submitted input in the client.
Further investigation unearthed a client-side template injection in the title parameter.
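One way a client could screen such links before any parameter reaches an AngularJS template, shown as an added example that is not code from EA, the researchers or the original article. It is a defence-in-depth check only (the underlying fix is to bind untrusted values as plain text rather than compile them as templates). The `example/path` link layout, the sample links and the function names are constructed for illustration.

```javascript
// Schemes named in the article; everything else is refused outright.
const HANDLED_SCHEMES = new Set(['origin:', 'origin2:']);
// Default AngularJS interpolation delimiters.
const INTERPOLATION = /\{\{|\}\}/;

// Percent-decode until the value stops changing, so double-encoded braces
// are still seen. Fails closed (returns null) on malformed escapes or when
// the value is nested deeper than maxRounds; a title containing a literal
// '%' is therefore rejected, which is the conservative trade-off.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      return null;
    }
    if (next === current) return current;
    current = next;
  }
  return null;
}

// Returns { allowed, reason }. Only query parameters are inspected here.
function screenLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch (e) {
    return { allowed: false, reason: 'unparseable link' };
  }
  if (!HANDLED_SCHEMES.has(url.protocol)) {
    return { allowed: false, reason: 'unexpected scheme' };
  }
  // searchParams already applies one round of percent-decoding.
  for (const [name, raw] of url.searchParams) {
    const value = fullyDecode(raw);
    if (value === null) {
      return { allowed: false, reason: 'undecodable parameter: ' + name };
    }
    if (INTERPOLATION.test(value)) {
      return { allowed: false, reason: 'template expression in parameter: ' + name };
    }
  }
  return { allowed: true, reason: 'ok' };
}
```
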
Sandbox escape
Origin runs on AngularJS, so by using a sandbox escape developed by other researchers, Penner and Bee were able to develop a proof-of-concept exploit, as they explain in a blog post.
More specifically, they harnessed the in-client API of the Origin client to communicate with the QtApplication’s QDesktopServices and pop open the Windows built-in Calculator app (calc.exe).
The same trickery opened up a mechanism for an attacker to execute malicious payloads on a Windows PC running the vulnerable gaming platform. Exploits could be triggered by tricking users into clicking on a booby-trapped link with origin:// in the address.
EA acted promptly to patch the vulnerability on April 16 – the same day Penner and Bee reported their findings.
The games platform is yet to respond to a request for comment on the flaw from The Daily Swig.
Bee told us that EA doesn’t offer a bug bounty as yet. The researcher and his colleague plan to look into the security of Epic Games’ Launcher as a follow-up project.