Close
Report Comment to a Moderator Our Moderators review all comments for abusive and offensive language, and ensure comments are from Verified Users only.
Please report a comment only if you feel it requires our urgent attention.
I understand, report it. Cancel

Report: Ubisoft's UPlay DRM contains dangerous security flaws

Report: Ubisoft's UPlay DRM contains dangerous security flaws

Mon 30 Jul 2012 10:41am GMT / 6:41am EDT / 3:41am PDT
Security

Code could allow malicious websites access to PC users' systems

Ubisoft's DRM system has been accused of allowing unprecedented access to users' PCs by potentially malicious websites, severely endangering the security of systems.

A post on SecList's full disclosure site by Google security engineer Tavis Ormandy claims that the vulnerability opens a backdoor for websites access the machines of any customer who has installed many of the publisher's most popular products on PC, including four Assassin's Creed titles and the latest Ghost Recon game.

"While on vacation recently I bought a video game called 'Assassin's Creed Revelations'. I didn't have much of a chance to play it, but it seems fun so far. However, I noticed the installation procedure creates a browser plugin for its accompanying UPlay launcher, which grants unexpectedly (at least to me) wide access to websites," explains Ormandy in the post.

Supplying a piece of code which is said to prove his theory, Ormandy invited others to test his theory a challenge which has been picked up elsewhere.

Digital Foundry has also examined the exploit, backing up Ormandy's claims but dismissing others who have likened the code to a malicious root kit.

"The implications here are cause for concern: the exploit could be used to install trojans or other rogue software on your PC," says Digital Foundry's Rich Leadbetter.

"Scripts could be set-up that would wipe any data on your PC where the user has access. It's highly unlikely that Ubisoft left this backdoor in here on purpose, but regardless, it appears to have all the hallmarks of a major oversight that the firm should be correcting as a matter of extreme urgency."

Leadbetter recommends that anyone who has installed a Ubisoft PC title from the list below take immediate action to limit the potential damage whilst they await an official response from Ubisoft.

"Anyone with a PC title installed using the U-Play system can prevent the exploit from working by disabling the UPlay browser plug-in - in theory, it's as simple as that. Stopping the browser from running the plug-in closes the backdoor, and without that crucial bridge, malicious HTML based on this exploit will not function."

Ubisoft has been contacted for comment.

Potentially affected titles

  • Assassin's Creed II
  • Assassin's Creed: Brotherhood
  • Assassin's Creed: Project Legacy
  • Assassin's Creed Revelations
  • Assassin's Creed III
  • Beowulf: The Game
  • Call of Juarez: The Cartel
  • Driver: San Francisco
  • Heroes of Might and Magic VI
  • Just Dance 3
  • Prince of Persia: The Forgotten Sands
  • Pure Football
  • R.U.S.E.
  • Shaun White Skateboarding
  • Silent Hunter 5: Battle of the Atlantic
  • The Settlers 7: Paths to a Kingdom
  • Tom Clancy's H.A.W.X. 2
  • Tom Clancy's Ghost Recon: Future Soldier
  • Tom Clancy's Splinter Cell: Conviction
  • Your Shape: Fitness Evolved

7 Comments

Kingman Cheng Illustrator and Animator

957 185 0.2
I just read about this over at Eurogamer. Ooooh boy...

They've yet to contact Eurogamer back about this to.

Posted:2 years ago

#1

Morville O'Driscoll Blogger & Critic

1,630 1,509 0.9
Yey! DRM bad for legitimate users shocker.

Posted:2 years ago

#2
Maybe the next step is to escalate to a dual security system?

Posted:2 years ago

#3

Kingman Cheng Illustrator and Animator

957 185 0.2
Like Gmail's double authentication thingy?

Posted:2 years ago

#4

Morville O'Driscoll Blogger & Critic

1,630 1,509 0.9
Badly coded double-authentication is just as stupid as badly coded single-authentication. Surely the next step is to fix the security flaws, then spend a solid length of time ensuring there's no other flaws that have yet to be found. I'd hate to find the serials that I've registered through UPlay on Pastebin because of some flaw in the serial authentication software.

Posted:2 years ago

#5

Petter Solberg Freelance Writer & Artist,

67 46 0.7
Keep up the good work, Ubi! No reason to question the usefulness of DRM just because of a minor security issue...

Posted:2 years ago

#6
There is no question as the usefulness of DRM, it's 0% effective against average pirates, the only ones stumped by DRM are toddlers & pensioners, usually provides inferior service to customers then pirates experience, but very effective indeed at providing forced online services with associated opportunity for data mining on details to customers where they can attempt to sell you additional products such as DLC, and include additional advertising every time you launch the game.

And as long as they have the opportunity of using software piracy as an excuse to include such "DRM",which lets face is unlikely to ever go away, let alone any time soon so the word DRM is probably misnamed by this point, more like "DAS" for (Digital Advertisement System)systems, even the stupidest and most technophobic of games publishing board member would have worked out DRM does not prevent piracy years ago, however it had unexpected ancillary benefits when they included such advertisements.

Take Diablo III, its modern DRM systems consists of an online only system which is there solely to ensure all customers are only a couple of clicks away from buying from thier real money auction system at all times, that way the legitimate customers who are lumped with DRM of whom bought the game will obviously be far more likely given they paid in the first place then pirates to pay further money on things like DLC or in this case auction house cash, so why waste good money advertising on pirates.

By integrating DRM and advertising they eliminate wasted advertisement on those unlikely to pay for such things in the first place, ensure 100% of their advertisement is focused on those most likely to purchase and furthermore ensure even those customers normally reluctant to sign up to such online systems will be forced to in order to use their legitimate copy of the game, so tempting them to pay money from in-game will be much easier then in games where customers are given a choice about creating an online account.

From a customer prospective unless you love pouring your money away introducing potential security risks and wasting valulable computing time on said DRM, the whole deal sucks, from a pirates point of view, simply remove the DRM and you have a game free of such issues(ie they get the best experience), however from a business prospective its brilliant, using an excuse generated from one nuisance (piracy) to introduce the kinda of advertisement and additional content sales platforms they've wanted for years and if any customer complains they can just blame it on piracy, so yeah from a business prospective you can't really fault it, however as shown above even snazzy DRM needs to be coded with security in mind nowadays and woe betide those who don't, as there are plenty of real criminals out there looking to hack people's pc's for nefarious purposes and they're interest in DRM will be far more nefarious then that of pirates.

Posted:2 years ago

#7

Login or register to post

Take part in the GamesIndustry community

Register now