Posted on April 18, 2019 at 7:47 AM
The gaming market is extremely competitive, and any news spreads like wild-fire. EA has been particularly hard hit, as they announced last month that they would need to lay off at least 350 people to remain competitive. So when your client has a massive security flaw exposed, you better get to fixing it fast particularly if you are the company that has been at the head of some of the largest gaming controversies in the last year.
The security flaw was only in windows
Underdog Security was the company whose researchers found the bug. Daley Bee and Dominik Penner were the people responsible for uncovering how to trick the Origin app into running any other application on the computer – or downloading anything over the internet.
Bee told Techcrunch that an attacker could have run anything they might have wanted. The researchers then gave TechCrunch a proof-of-concept website that contained a relatively harmless code. What it allowed TechCrunch to test was that by clicking on a link, a hacker could run code on their computer.
What the code did int his instance was to open Windows Calculator. This might seem benign, but it was opened using the administrator privilege of the computer. This trick is what hackers use to show that they can run code on an infected computer. What is worse is that a hacker could use the bug to send the computer malicious PowerShell commands. PowerShell is a framework by Microsoft used for task automation on computers. While it has very little use for the average user, a hacker could use it to download malicious software onto your computers, such as a rootkit or ransomware.
This bug only needs the user to be running Origin and to click on a link in an email or a website. It could even be done without that if an attacker used a cross-site scripting exploit that runs automatically in a browser. Another possible use of this bug is to steal a users Origin access token. This could be done with a single line of code, and the attacker would not even need to know the password of the account.
So the prognosis from Underdog Security was not good, and people faced a veritable nightmare scenario if they happened to go to a wrong website at the wrong time. One small positive is that it only affected Windows users, not MacOS users. That being said, the vast majority of EA’s customers are on Windows, so they made sure to create a bug fix as soon as possible. In fact, the patch fixing this particular bug was pushed as a required update within a day of EA being notified of the bug by Underdog Security.
EA spokesperson John Resburg has confirmed that the fix was rolled out on Monday the 15th of April. This was corroborated by TechCrunch who used the code provided by Underdog Security to test whether the Origin client was still at risk and found that bug was no longer exploitable.
Long Year for EA
EA started off 2018 reeling from the Star Wars loot box scandal. It then faced an inquiry by the EU commission for gambling which ruled that same year that loot boxes were gambling. EA had thought that they could get back on top of the pile but their latest shooter, Anthem. A so-called looter shooter that was created by one of the industry’s most beloved studios (Bioware) was certain to be a hit, but aside from a strong opening week, it has fallen on hard times very quickly. In fact, less than half the launch players even bother to log in. All this has led to an announcement last week of layoffs, which show how much bad press in the gaming world can hurt the bottom line. This latest bad press from its Origin system is sure to be felt very quickly.