EA's Troubles Keep Getting Worse: Big Security Flaw Discovered In Origin Platform

from the another-day,-another... dept

Perhaps the timing is a coincidence, but following the absolutely disastrous SimCity launch, in which EA's focus on DRM seemed to get in the way of actually making a product that works, it's been announced that CEO John Riccitiello is stepping down at the end of the month. This is clearly not a planned succession situation, because the company's former CEO, Larry Probst, who ran EA from 1991 until 2007 when he handed it over to Riccitiello is taking over as interim CEO as they search for a real replacement. Perhaps they should look for someone who recognizes that providing a good product that people want to support is a better goal than "stopping piracy." Just a suggestion.

Of course, they may also have bigger issues to deal with. Rich Kulawiec was the first of a few of you to submit the news that researchers have demonstrated a pretty big security vulnerability in EA's Origin platform (the company's Steam competitor), which can be used to exploit local vulnerabilities on the computers of about 40 million Origin users. If you'd like to see the hack in action, there's a nice video.
You can read the details directly, if you'd like, which comes complete with some graphics explaining how the security vulnerability, found in the URI handling of Origin, can be exploited:
You get the feeling that March 2013 is a month that EA would prefer to forget ever existed.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: origin, security
Companies: ea


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    Gothenem (profile), 19 Mar 2013 @ 4:51am

    Well then, now the people exposing this flaw can get 3.5 years in jail and pay $73,000 USD.

    Gotta love how our system works. You show a company that it has a security hole in their software, and instead of thanking you for exposing it so it can be fixed, they crucify you.

    link to this | view in thread ]

  2. icon
    rw (profile), 19 Mar 2013 @ 5:35am

    Re:

    You wouldn't really want them to, you know, actually fix it would you?

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 19 Mar 2013 @ 5:38am

    "...it's been announced that CEO John Riccitiello is stepping down at the end of the month"

    All I heard was:

    ka-ching
    fwoosh
    "So long suckers!"

    (that's the sound of a bonus being cashed in, a golden parachute being deployed and a CEO agonizing about the fact that he's been fired).

    link to this | view in thread ]

  4. icon
    Lonyo (profile), 19 Mar 2013 @ 5:42am

    This is a broadly similar flaw to one apparently present in Steam and other URI handling applications, and isn't Origin specific.

    http://arstechnica.com/security/2013/03/bug-on-eas-origin-game-platform-allows-attacker s-to-hijack-player-pcs/

    link to this | view in thread ]

  5. identicon
    Rick Falkvinge, 19 Mar 2013 @ 5:44am

    I saw this presented live at Black Hat

    I saw this exploit being presented to the world at Black Hat Europe last week (where sploits are typically presented on-stage before advisories are sent - happy to see that Revuln has published the details).

    There was much applause.

    Also, it should be mentioned that Revuln did a similar stunt against Steam, pointing out that a three-and-a-half-year-old exploit _still_ isn't patched for most games on Steam.

    In any case, the sploits depend on making the victim click a link on the attacker's web page that open Steam and Origin, respectively, so there is some manual action required for pwnage. Still, I understand there are plenty of such links around with the effect of "join my clan" etc.

    Short version of how the exploit works is that it forces a game update from another server than the official one. Some games even allow this update server to be supplied on the command line (!) and thus, once you have an URL with the command line to start, the rest is a matter of working around a few input sanitizers. In short, it's broken by design and a few checks won't help much.

    Cheers,
    Rick

    link to this | view in thread ]

  6. identicon
    Rick Falkvinge, 19 Mar 2013 @ 5:45am

    Re: I saw this presented live at Black Hat

    (Oh by the way, the reason I was at Black Hat was that I gave the opening keynote.)

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 19 Mar 2013 @ 5:45am

    This is the sort of copyright legacy that out_of_the_lube is cheering on? Well, now we know all along what colour the sky is in his godforsaken world.

    link to this | view in thread ]

  8. icon
    Rikuo (profile), 19 Mar 2013 @ 5:55am

    Re: I saw this presented live at Black Hat

    Oh hi Rick. Just wanted to say I really liked your "Who protects free speech" article on Torrentfreak. True, there is nothing in US style copyright law that actually encourages protecting someone's speech: if you do the heinous act of merely carrying the message, you end up with your own head on the chopping block.

    Huh...I wish that my gaming computer was still up and running. I'd totally mod the opening sequence in Skyrim to be about that.

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 19 Mar 2013 @ 5:58am

    Re: I saw this presented live at Black Hat

    If Valve and EA aren't keen to fix these issues is there something an end-user can do to protect themselves?

    link to this | view in thread ]

  10. icon
    BentFranklin (profile), 19 Mar 2013 @ 6:05am

    This article actually mentions Steam but doesn't mention that the same exploit happens in Steam so it makes it sound as if it only happens in EA and thus diminishes the article's objectivity. I know it's popular to kick EA this month but #candobetter.

    link to this | view in thread ]

  11. icon
    Rikuo (profile), 19 Mar 2013 @ 6:10am

    Re: Re: I saw this presented live at Black Hat

    Yes. The exploit is that you click a link on a website, and your browser asks what program should be used to open that link. Most users will have long set their browser to auto open all Steam links with Steam and ditto for Origin (fortunately, I'm not amongst that crowd). One thing you can do is have your browser ask you every time you do click on such a link. That way, the only time it should ask you is when you're on the Steam or Origin websites. If it happens anywhere else, don't allow the link to be run, because it can't be trusted.

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 19 Mar 2013 @ 6:18am

    I always knew Origin was shitty software, but I didn't know it was a goddamn backdoor. EA's suck provides hilarity once more.

    link to this | view in thread ]

  13. icon
    Rikuo (profile), 19 Mar 2013 @ 6:26am

    Re:

    Ubisoft's Uplay was a backdoor too. That one involved installing a plugin into your web browser (without telling you of course) that would have allowed malicious websites to remote access your machine.

    link to this | view in thread ]

  14. icon
    Rikuo (profile), 19 Mar 2013 @ 6:27am

    Re:

    Go back a couple of articles, to the one about the Library of Congress. He explicitly says that its all right for jazz recordings from the 30's to be degraded beyond hope of recovery thanks to insane copyright laws...simply because he himself doesn't like jazz.

    link to this | view in thread ]

  15. icon
    Mega1987 (profile), 19 Mar 2013 @ 6:29am

    Adios...

    We shall Forget you even existed....

    link to this | view in thread ]

  16. icon
    dennis deems (profile), 19 Mar 2013 @ 6:29am

    Recursive link

    The hyperlink bound to the text "demonstrated a pretty big security vulnerability in EA's Origin platform" links back to this article.

    link to this | view in thread ]

  17. icon
    G Thompson (profile), 19 Mar 2013 @ 6:38am

    Re: Re: I saw this presented live at Black Hat

    Congrats! and I hope you wear your hat with pride now ;)

    link to this | view in thread ]

  18. icon
    Akari Mizunashi (profile), 19 Mar 2013 @ 6:38am

    EA's troubles can not get any worse. The company's been at the bottom of the barrel for years now.

    Saying it's worse is like saying a flat tire is worse because someone stuck a nail in it.

    The only way to fix the problem is to change it.

    I don't see that happening, even as the CEO bails while pulling on his golden parachute rip cord.

    link to this | view in thread ]

  19. icon
    G Thompson (profile), 19 Mar 2013 @ 6:39am

    Re: Re:

    What he doesn't like jazz

    Wow, you'd never guess it from the way he keeps on blowing his own horn all the time ad infi-fuckin-nitum

    link to this | view in thread ]

  20. identicon
    Anonymous Coward, 19 Mar 2013 @ 6:44am

    Re:

    From the artech steam article. Basically it's a "feature" not a bug and it isn't going anywhere. Just don't tell your browser to auto accept steam/origin urls and don't click stupid links.

    "Not all Web users are equally at risk to these kinds of attacks. Browsers such as Chrome and Internet Explorer present users with an explicit warning when they click a Steam link, telling them they're about to open or use an external program, and Firefox asks users for confirmation (without explicitly warning of potential vulnerability). Browsers including Apple's Safari and Webkit, though, allow Steam URLs to launch the program without any warnings, letting a potential attack go completely unnoticed. Many browsers that provide prompts or warnings by default can be configured to suppress them, so it's possible attacks might work more widely, Ferrante said."

    link to this | view in thread ]

  21. icon
    Rikuo (profile), 19 Mar 2013 @ 6:44am

    Re: Recursive link

    Shh. We don't want hasn't_got_a_clue to know what a REAL loopy tour/link is now do we?

    link to this | view in thread ]

  22. identicon
    Anonymous Coward, 19 Mar 2013 @ 6:44am

    Re:

    Actually, Riccitello had all the interesting ideas, and my understanding is that internal politics, rather than actual failures, are what have pushed him out.

    EA will now die within the next five years. Bank on it.

    link to this | view in thread ]

  23. icon
    Rikuo (profile), 19 Mar 2013 @ 6:46am

    Re:

    About golden parachutes...when and how did they become the norm? Which Board of Directors was the first to say to a CEO applicant that even if he fucks everything up, he can still leave with a few million?
    I can guess I can answer my own question with "No Board of Directors really cares about long term viability, only their own paychecks".

    link to this | view in thread ]

  24. identicon
    Michael, 19 Mar 2013 @ 6:50am

    Re:

    It can get worse.

    Charles Carreon has shown us that no matter how bad things get, you can always dig the hole you are in deeper.

    link to this | view in thread ]

  25. identicon
    Anonymous Coward, 19 Mar 2013 @ 7:09am

    Re: Re: I saw this presented live at Black Hat

    Don't click steam/origin links in your browser.

    link to this | view in thread ]

  26. identicon
    Anonymous Coward, 19 Mar 2013 @ 7:11am

    Note to self, uninstall all EA products from computer when I get home.

    Note to self, make sure my computer deletes all of it's contents if I ever try to install another EA game, as it'll be less frustrating then trying to play the EA game.

    link to this | view in thread ]

  27. icon
    Rikuo (profile), 19 Mar 2013 @ 7:19am

    Re:

    It actually would be less frustrating because at that point, all you're doing is formatting your hard drive and then reinstalling the OS, which is entirely up to you. EA? You have no idea when their servers are going to be up or down.

    link to this | view in thread ]

  28. identicon
    Anonymous Coward, 19 Mar 2013 @ 7:25am

    Re:

    Actually, that sounds a lot like playing a title made by EA.

    link to this | view in thread ]

  29. icon
    Wally (profile), 19 Mar 2013 @ 7:30am

    It's as I mentioned before...they use the same code as XCP Audio DRM. It leaves you open to attack.

    link to this | view in thread ]

  30. identicon
    Anonymous Coward, 19 Mar 2013 @ 7:38am

    Re:

    DRM is malware, nothing exemplifies that more than XCP.

    link to this | view in thread ]

  31. icon
    Rikuo (profile), 19 Mar 2013 @ 7:44am

    Re:

    Uh dude...a quick glance at XCP's wikipedia page tells me enough that its NOT the same code. A similar kind of malware? Yes, but not the same code. XCP allowed malware to run if it began with $sys$ and installed a device driver...hang on, I'm just gonna copy and paste
    "

    XCP.Sony.Rootkit installs a DRM executable as a Windows service, but misleadingly names this service "Plug and Play Device Manager", employing a technique commonly used by malware authors to fool everyday users into believing this is a part of Windows. Approximately every 1.5 seconds this service queries the primary executables associated with all processes running on the machine, resulting in nearly continuous read attempts on the hard drive. This has been shown to shorten the drive's lifespan.

    Furthermore, XCP.Sony.Rootkit installs a device driver, specifically a CD-ROM filter driver, which intercepts calls to the CD-ROM drive. If any process other than the included Music Player (player.exe) attempts to read the audio section of the CD, the filter driver inserts seemingly random noise into the returned data making the music unlistenable.

    XCP.Sony.Rootkit loads a system filter driver which intercepts all calls for process, directory or registry listings, even those unrelated to the Sony BMG application. This rootkit driver modifies what information is visible to the operating system in order to cloak the Sony BMG software. This is commonly referred to as rootkit technology. Furthermore, the rootkit does not only affect XCP.Sony.Rootkit's files. This rootkit hides every file, process, or registry key beginning with $sys$. This represents a vulnerability, which has already been exploited to hide World of Warcraft RING0 hacks as of the time of this writing, and could potentially hide an attacker's files and processes once access to an infected system had been gained."


    While of a somewhat similar nature, XCP and Origin do not use the same code. So please, be more precise in the future.

    link to this | view in thread ]

  32. icon
    gorehound (profile), 19 Mar 2013 @ 7:44am

    Re: I saw this presented live at Black Hat

    Thanks for the Comment !

    link to this | view in thread ]

  33. icon
    Rikuo (profile), 19 Mar 2013 @ 7:46am

    Re: Re:

    Just to clarify, what you wrote could also be written as "Game 1 and Game 2 used the same code because they had the same effect"...even if Game 1 was written in Java and Game 2 was written in Python

    link to this | view in thread ]

  34. identicon
    jackn, 19 Mar 2013 @ 7:50am

    You get the feeling that March 2013 is the month that EA stopped existing.

    link to this | view in thread ]

  35. identicon
    sniperdoc, 19 Mar 2013 @ 7:53am

    Re: Re: I saw this presented live at Black Hat

    Other than running a good AV product and running under USER credentials... not much. Even what I suggested isn't 100% fool-proof and probably would only catch known exploits such as the script-kiddy type stuff.

    link to this | view in thread ]

  36. icon
    Lonyo (profile), 19 Mar 2013 @ 7:59am

    Re:

    Make sure to delete Steam as well while you're at it.
    And all your browsers too.
    And Windows actually.

    link to this | view in thread ]

  37. identicon
    Anonymous Coward, 19 Mar 2013 @ 8:08am

    Re: Re:

    It's a function of lawyers, actually. CEOs can hire teams of lawyers to write contracts for them that guarantee golden parachutes and the company just has to accept it or find another CEO.

    link to this | view in thread ]

  38. identicon
    Anonymous Coward, 19 Mar 2013 @ 8:26am

    Re:

    Two years in a row as worst company in america would seem like the next step. They seem to gun for perfection in user-alienation!

    link to this | view in thread ]

  39. identicon
    Anonymous Coward, 19 Mar 2013 @ 8:28am

    Re: Re:

    When headhunter companies started to get into the business. As soon as you have to force someone away from another job, the incentives have to be universally better than their current situation...

    link to this | view in thread ]

  40. icon
    dennis deems (profile), 19 Mar 2013 @ 8:38am

    Re: Re: Recursive link

    Lol that was my first thought too :D

    link to this | view in thread ]

  41. icon
    dennis deems (profile), 19 Mar 2013 @ 8:41am

    Re: Re: Re:

    "find another CEO" How hard can this be?? Business schools like Kellogg and Harvard publish the resumes of their grads. It's not as if candidates are hiding in a cave.

    link to this | view in thread ]

  42. identicon
    Anonymous Coward, 19 Mar 2013 @ 8:50am

    should have gotten rid of him and the stupid 'always on' connection plus DRM a long time ago. EA have screwed up royally. it should, i hope, take a long time to get customer confidence back but only then if they drop all the crap they insist on including and having implemented in their games. whoever takes over needs to have a much more sensible approach and start treating customers as people, not criminals and stop worrying about piracy. if their games are pirated, it's because they run better, are too expensive, dont have single player option and have to be connected to the internet indefinitely. ridiculous!! Sony started this crap and were backed by the USA courts. it hasn't done them any good so far and wont in the future.

    link to this | view in thread ]

  43. identicon
    Anonymous Coward, 19 Mar 2013 @ 8:50am

    Re: Re: Re: I saw this presented live at Black Hat

    Yeah but what about the people that don't wait to take the extra 1/8th of a second to press enter or the extra 1/3 to click confirm.

    link to this | view in thread ]

  44. identicon
    Anonymous Coward, 19 Mar 2013 @ 9:08am

    Re: Re:

    This is the guy who stated that the Amazon hate-on for Spore DRM in 2008 was some sort of "cabal" of malcontents and/or/probably pirates, instead of a rather large expression of disapproval by fans of the game (which had been hyped for years before it was released).

    Same guy who defended the use of Securom back in 2007 despite the proven problems it caused for paying customers.

    Yadda, yadda. A disconnected CEO, color me unsurprised at anything except his resignation.

    link to this | view in thread ]

  45. icon
    akp (profile), 19 Mar 2013 @ 9:10am

    Re: Re: Re:

    Man, now I want to be a CEO. Do no work, possibly leave the company worse than when you found it, cash out in millions after having spent years playing golf with my other CEO buddies.

    Sign me up!

    link to this | view in thread ]

  46. icon
    Ninja (profile), 19 Mar 2013 @ 9:25am

    Ah, Karma is a bitch eh? When they are arseholes towards the people and their customers they get divine punishment. Happened to Sony. Is happening with EA. The main difference is that Sony had plenty of other products to support the debacle. EA hasn't.

    Also, it's much, much, much more probable that people will try to screw you up if you act like an arsehole.

    I feel this eerie pleasure from seeing EA getting owned.

    link to this | view in thread ]

  47. identicon
    Anonymous Coward, 19 Mar 2013 @ 9:47am

    As long as we allow monopolistic rights to be held by companies EA will not go out of business. I have no idea why professional sports are exempt from these laws, but it's probably not going to change until we get lawmakers in who are young enough to know what the major console brands are.

    link to this | view in thread ]

  48. icon
    John Fenderson (profile), 19 Mar 2013 @ 9:49am

    Re: Re: Re:

    Yes. As further condemnation, he's also the chairman of the USOC.

    link to this | view in thread ]

  49. identicon
    Anonymous Coward, 19 Mar 2013 @ 10:00am

    Re:

    As much as I am loving this EA house of cards and the barn door, even Blizzard has issues with Battle.net compromised accounts that don't have authenticators.

    Let's not pretend that the utopia of being online and 100% safe even exists.

    link to this | view in thread ]

  50. identicon
    Anonymous Coward, 19 Mar 2013 @ 10:10am

    Re:

    That is why you have to be Anon if you are going to do something like that, unless it is Google.

    link to this | view in thread ]

  51. icon
    nasch (profile), 19 Mar 2013 @ 1:23pm

    Re: Re:

    Browsers such as Chrome and Internet Explorer present users with an explicit warning when they click a Steam link, telling them they're about to open or use an external program, and Firefox asks users for confirmation (without explicitly warning of potential vulnerability).

    Oh good. We know that putting up a confirmation dialog before executing malicious code is almost completely effective. People don't get owned on a regular basis after clicking OK on a dialog they don't understand.

    link to this | view in thread ]

  52. icon
    nasch (profile), 19 Mar 2013 @ 1:27pm

    Re:

    This article actually mentions Steam but doesn't mention that the same exploit happens in Steam so it makes it sound as if it only happens in EA and thus diminishes the article's objectivity.

    "As we have demonstrated for Steam in our previous paper, Steam Browser Protocol Insecurity, almost the same design problem applies for Origin."

    That isn't explicit enough?

    link to this | view in thread ]

  53. identicon
    Anonymous Coward, 19 Mar 2013 @ 4:24pm

    Re: Re:

    Yes, the original paper is clear. The TechDirt article is as I described.

    link to this | view in thread ]

  54. identicon
    Anonymous Coward, 19 Mar 2013 @ 11:05pm

    Re: Re: Re:

    He doesn't like "jazz". It's one letter away from "jizz".

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.