Researchers Identify Security Exploit in Origin

Metalrocks

New member
Jan 15, 2009
lol, no wonder the CEO resigned.
well, as long as they really fix it, then I'm fine. still like to play bf3 and me3.
 

GAunderrated

New member
Jul 9, 2012
Timothy Chang said:
GAunderrated said:
I also am kinda disgusted that EA's recommendation was first for people to block the url instead of fixing the problem or saying they are patching it asap.
Sorry guys, the original sentence I wrote was a bit ambiguous. EA didn't make this recommendation; ReVuln recommended this action in their white paper. I've updated the post to reflect this.
Ah thank you for that. Now it seems less insulting. lol
 

Karathos

New member
May 10, 2009
Metalrocks said:
lol, no wonder the CEO resigned.
well, as long as they really fix it, then I'm fine. still like to play bf3 and me3.
Not sure if serious, but CEOs don't generally resign over breaches in a gaming platform. :p
 

gigastar

Insert one-liner here.
Sep 13, 2010
Ympulse said:
Aeshi said:
Breaking News: Clicking random suspicious links gets your ass hacked!

How does this make Origin any different from any browser ever?
Because it's EA, and on the internet that's akin to being a child molester or rapist.

The blind vitriol over nothing always gets me with these EA topics. It's still amusing watching frothing retards scream and stamp their feet, but I always wonder if they truly believe what they say.
I've believed what I've said about EA ever since Command and Conquer 4 happened.
 

Elate

New member
Nov 21, 2010
As much as I hate EA.. This isn't really an issue, I mean, first they have to get you on a site related to Origin, so they know you have it, second you have to click the link.. Don't know about most people but I don't use anything web related for Origin other than battlelog.

So, while it's a security loop hole, I feel it could be massively avoided with the use of common sense.
 

Saregon

Yes.. Swooping is bad.
May 21, 2012
jackpipsam said:
But I am not objected to using Origin if the game requires it, because if it's an EA game it's their right to make it only on Origin.
You don't see Half-Life not on Steamworks do you?
Hah, I've actually never thought of it that way, sounds reasonable, so maybe I can use Origin for something more than BF3 after all. However, I won't, because they need to learn that several-year-old games are NOT worth the kind of money they're asking for it. I'm not paying 60$ for a digital copy of ME3. Maybe when they release a GotY edition I could get a physical copy, we'll see.

Anyway, I like how he says "hypotheticals like these" when it's BEEN DEMONSTRATED, repeatedly. The classy thing to do here would be to just apologize, fix it and move on.
 

Aardvark Soup

New member
Jul 22, 2008
Elate said:
As much as I hate EA.. This isn't really an issue, I mean, first they have to get you on a site related to Origin, so they know you have it, second you have to click the link.. Don't know about most people but I don't use anything web related for Origin other than battlelog.

So, while it's a security loop hole, I feel it could be massively avoided with the use of common sense.
Wrong. Origin links can be inserted in any website on which an XSS (cross-site scripting) vulnerability is being exploited. Because security knowledge is not the strong point of most web developers, these kinds of attacks are extremely common.

To prevent being targeted by such an attack, I recommend turning off or removing any browser plug-ins you are not using, especially Java. Flash is relatively safe nowadays, though.
 

evilneko

Fall in line!
Jun 16, 2011
Aeshi said:
Breaking News: Clicking random suspicious links gets your ass hacked!

How does this make Origin any different from any browser ever?
See @Aardvark_Soup's reply above. Further, this is a vuln that could easily be exploited via an ad--no XSS needed. There's really not much of a mitigating factor for this vulnerability. That's why remote, unauthenticated, arbitrary code execution is the absolute highest order of security vulnerabilities.

Oh, and have you noticed how lately, exploits are targeted not so much at browsers, but at plugins? Yeah. There's a reason Firefox is going to click-to-play for Flash.
 

Matthi205

New member
Mar 8, 2012
Mr Cwtchy said:
Incomer said:
It's the same thing as Steam was years ago. That's why people trash it, Steam already solved most of those problems while Origin keeps doing them again :)
I don't know how you can say that for this case when the exploit has only just been found. All it really proves is that both Steam and Origin have less than adequate security.

Isn't there a third store out there too? GoG? Wondering now if this exploit is possible there too.
This can't be applied to GoG, as they don't enforce any kind of DRM.

"Our team is constantly investigating hypotheticals like this one as we continually update our security infrastructure"
Translation: "We don't give a shit." (pretty much Microsoft's attitude when it comes to every 2nd OS release)

EDIT: On the subject of getting hacked: I haven't been hacked since installing Windows Server 2008R2. And I run neither a firewall nor any kind of Antivirus, just scans with Live DVDs from time to time.
 

Crazie_Guy

New member
Mar 8, 2009
Ympulse said:
Aeshi said:
Breaking News: Clicking random suspicious links gets your ass hacked!

How does this make Origin any different from any browser ever?
Because it's EA, and on the internet that's akin to being a child molester or rapist.

The blind vitriol over nothing always gets me with these EA topics. It's still amusing watching frothing retards scream and stamp their feet, but I always wonder if they truly believe what they say.
Well, I can certainly see why you'd think it was vitriol over nothing, if you were born yesterday and have never actually heard of EA except in forum posts as opposed to in the context of things they have actually done in the world. Allow me to assure you that hate for EA actually stems from a very large number of real reasons. I won't insult your intelligence by assuming you need help to find them if you're interested in educating yourself on the matter... you can find them pretty much anywhere.
 

Loonyyy

New member
Jul 10, 2009
Aeshi said:
Breaking News: Clicking random suspicious links gets your ass hacked!

How does this make Origin any different from any browser ever?
Point being that the service is vulnerable to a specific exploit, through scripts. This is an additional vulnerability caused by the service.

And the random links don't have to be all that suspicious. I got my computer infected through scriptjacking while reading a Resident Evil wiki. Just a regular wiki, nothing any more suss than anywhere else. A system restore and much tinkering later, I learned my lesson and used NoScript. (Funny story: I beat the infection through overclocking).

OT: Yeah, it's worrying, and it's an issue which has been seen before, which makes it pretty clear that yet again, Origin is behind the curve. On the other hand, this sort of thing can happen (Though far less easily) in other cases, so this might be a good time for people to learn a little about the potential for scriptjacking, and all manner of nasties.
 

ph0b0s123

New member
Jul 7, 2010
Too Late....

Some would say, if you were worried about your privacy, you would not have installed Origin in the first place..... Surprising news, EA's distribution / spyware platform allows you to be spied on.

And before you say it, the EULA did not change from them having the right to gather whatever info they want from your machine, when you decide to use it. And this is not the same as Facebook as you decide what you want to share with the world and as a byproduct Facebook. Origin, unlike Steam where the surveys are optional, gives you no choice in what is uploaded to EA....

This is how EA has gotten around not being able to sell the info they gather to 3rd parties as in the original EULA. Now they just give 3rd parties a conduit to get the info directly.....
 

FalloutJack

Bah weep grah nah neep ninny bom
Nov 20, 2008
evilneko said:
EA's failure to learn from Steam's mistake is bad enough. Their response to it is even worse. Hypotheticals? FFS man, you've got a demonstrated remote unauthenticated arbitrary code execution vuln here. This is a vulnerability of the highest order, the sort of thing even Microsoft would get fixed pronto and release an emergency out-of-band update for. Get crackin EA, unless you want to have a worse rep than Microsoft.
Too late.

CrossLOPER said:
Timothy Chang said:
...clicking random links in your browser...
Why would you do this?
I think he's pointing out that PEOPLE DO. They just do, for whatever reason that's as random as the randomosity it took to do that.

OT: Oh, big surprise. Another shit hits the fan and they answer in corporate double-talk that can be construed as "We will sit with our thumbs up our asses for the time being.". Heh, and some folks wonder why we're angry. That's funny as hell right there.
 

FalloutJack

Bah weep grah nah neep ninny bom
Nov 20, 2008
CrossLOPER said:
FalloutJack said:
I think he's pointing out that PEOPLE DO. They just do, for whatever reason that's as random as the randomosity it took to do that.
I realize that, and I am asking why in an age of malware that has not been seen in ten years would you suspend all common sense and just click on some random stuff on the internet?
There is still yet a significant amount of people who aren't as savvy as you or I.
 

FalloutJack

Bah weep grah nah neep ninny bom
Nov 20, 2008
CrossLOPER said:
FalloutJack said:
CrossLOPER said:
FalloutJack said:
I think he's pointing out that PEOPLE DO. They just do, for whatever reason that's as random as the randomosity it took to do that.
I realize that, and I am asking why in an age of malware that has not been seen in ten years would you suspend all common sense and just click on some random stuff on the internet?
There is still yet a significant amount of people who aren't as savvy as you or I.
Being savvy has nothing to do with it. I don't understand why some people put down the personal guards they use in real life when they sit down in front of a keyboard.
Well, basically...

<__>

...they're not exactly all spring chickens here, you know. Savviness DOES have a hand in it. If you were NEVER that bright, but you live in this age... You can't tell me that everyone who flips on a computer is all that bright. I mean, look at the internet! It's a very cool thing, but not everybody using it is that wise. I feel that that is significant.