Origin game launcher on Windows releases update fixing major security flaw

[kuhnertdm]

Source: https://techcrunch.com/2019/04/16/ea-origin-bug-exposed-hackers/

 

Story: EA has released an update for their "Origin" game launcher on Windows, fixing a vulnerability that could allow for arbitrary code execution at the privilege level of the currently logged-in user.  The exploit must be triggered by following a maliciously constructed origin:// link from within a web browser. That type of link is typically used to launch Origin on the user's computer and perform an action automatically (for example, to navigate to a game on the store, or to launch a game from the app). However, researchers found that these links could also trigger Origin to run arbitrary code not related to the Origin service at all. The proof of concept launched the calculator app, which is a standard for proving that ACE can be done with an exploit. However, the potential negative effects of this kind of vulnerability basically extend to taking full control over the user's computer, as it could run arbitrary commands through Powershell, and if the user is logged in as a local admin (which the vast majority of gamers are on their own machines), those commands can be run as admin.

 

To emphasize, the exploit can only be triggered by following a maliciously-crafted link, but that doesn't necessarily mean it's always user-triggered. If a site is already compromised with malware that can automatically redirect a web page, then this can all be done without the user knowing.

 

Opinion: If you have Origin installed (even if you don't use it), you should update, as this exploit can happen even while Origin is not running, and without the user performing any action to trigger it.

[Bouzoo]

Yeah, no update here. 

[kuhnertdm]

28 minutes ago, Bouzoo said:

Yeah, no update here. 

Update was pushed yesterday, so if you've updated since yesterday you should have the fix.

[Bouzoo]

5 minutes ago, kuhnertdm said:

Update was pushed yesterday, so if you've updated since yesterday you should have the fix.

Haven't launched in almost a week. Maybe takes time. 

[Delicieuxz]

I just launched Origin and got an update.

 

Sometime either last year or the year before, my Origin account got hacked, and when EA support gave me back control of it and I changed the password, it was almost immediately hacked again. I don't give my password or account info out anywhere and I don't write it down either. Also, no other account of mine anywhere was affected.

 

So, somehow, a hacker was getting specifically my Origin login info automatically even right after changing it. I wonder if this issue that is hopefully now fixed is how it was done.

[kuhnertdm]

1 hour ago, Delicieuxz said:

I just launched Origin and got an update.

 

Sometime either last year or the year before, my Origin account got hacked, and when EA support gave me back control of it and I changed the password, it was almost immediately hacked again. I don't give my password or account info out anywhere and I don't write it down either. Also, no other account of mine anywhere was affected.

 

So, somehow, a hacker was getting specifically my Origin login info automatically even right after changing it. I wonder if this issue that is hopefully now fixed is how it was done.

Sounds like it's your email account that's insecure then. Change your password there, and maybe consider setting up 2FA on one or the other

[Delicieuxz]

12 minutes ago, kuhnertdm said:

Sounds like it's your email account that's insecure then. Change your password there, and maybe consider setting up 2FA on one or the other

No. My email uses a different password, 2FA, and if my email was breached then a lot more and far more important things than just Origin would have been compromised.

[ZacoAttaco]

4 hours ago, Delicieuxz said:

No. My email uses a different password, 2FA, and if my email was breached then a lot more and far more important things than just Origin would have been compromised. 

My account too was compromised some time ago, I haven't been super impressed with EA's account security, even with 2FA enabled.

 

I don't know why EA tie Origin into a web app, when you want to change certain settings it makes you login to the web client. These kind of vulnerabilities wouldn't exist if it weren't so tied into a browser. Steam is guilty of this as well but at least all browser actions are take within the client, leaves less room for these kinds of vulnerabilities. Keep it simple.

[Doobeedoo]

Good it's fixed, sketchy shit.