It’s in the game
A recently patched vulnerability in Electronic Art’s Origin desktop client left millions of Windows PC gamers vulnerable to total pwnage.
The issue – limited to the Windows version of the online gaming platform – created a remote code execution (RCE) vulnerability, as well as a possible mechanism for hackers to steal gamers’ access tokens.
Fortunately, EA was able to fix the flaw just hours after the video games company was notified of the problem by researchers Dominik Penner and Daley Bee of Underdog Security.
The researchers were exploring the origin2 URI handler when they discovered a parameter where data they supplied was echoed back to them in the Origin client – evidence of a failure to sanitize user submitted inputs in the client.
Further investigation unearthed a client-side template injection in the title parameter.
Sandbox escape
Origin runs on AngularJS, so by using a sandbox escape developed by other researchers, Penner and Bee were able to develop a proof of concept exploit, as they explain in a blog post.
More specifically, they harnessed the in-client API of the Origin client to communicate with the QtApplication’s QDesktopServices and pop open the Windows built-in Calculator app (calc.exe).
The same trickery opened up a mechanism for an attacker to execute malicious payloads on a Windows PC running the vulnerable gaming platform. Exploits could be triggered by tricking users into clicking on a booby-trapped link with origin:// in the address.
EA acted promptly the patch the vulnerability on April 16 – the same day Penner and Bee reported their findings.
The games platform is yet to respond to a request for comment on the flaw from The Daily Swig.
Bee told us that EA doesn’t offer a bug bounty as yet. The researcher and his colleague plan to look into the security of Epic Games’ Launcher as a follow-up project.