Players at risk from game store hack attack

Image caption: The attack was demonstrated using the Crysis 3 game

More than 10 million people thought to have accounts with Electronic Arts's (EA) Origin game store are at risk from a hack attack that swaps games for malicious code, researchers say.

In lab experiments, the researchers exploited a loophole in the way Origin handles links to games users have downloaded and installed to make it run code that compromised a target machine.

There is no evidence the loophole has yet been used by malicious hackers.

EA is investigating the vulnerability.

Launched in 2011, Origin acts as a distribution system, where customers can buy, download and manage EA video games as well as chat with friends about them.

But Donato Ferrante and Luigi Auriemma, from security company ReVuln, found a weakness in the way games were started via Origin.

Like many other programs, Origin uses a web-like syntax to keep track of the places games are found on a computer so they can quickly be started when people want to play.

The two researchers found a way to subvert this syntax to make it point to malicious code instead of a game.

"An attacker can craft a malicious internet link to execute malicious code remotely on victim's system, which has Origin installed," wrote the researchers in a paper detailing their work.

Attackers needed to know some identifying information about players to make good use of the vulnerability, wrote the pair.

However, they said, it was easy for attackers to get around this hurdle because Origin did not prevent repeated attempts to guess identifying information.

A demonstration of the attack was given at the Black Hat Europe conference, in which a Windows PC running Crysis 3 and Origin was taken over by the pair's attack code.

In a statement given to the Ars Technica website, EA said it was investigating hypothetical attacks such as the one found by Mr Ferrante and Mr Auriemma as part of the work it did to improve security on Origin.

Mr Ferrante and Mr Auriemma said players could protect themselves against potential attack by stopping Origin launching games via desktop shortcuts.

But this would mean games would have to be started directly from Origin.

Copyright © 2015 BBC. The BBC is not responsible for the content of external sites. Read more.
