Researchers with a web security company have described a security hole in Electronic Arts' Origin digital distribution service that leaves the company's customers at risk of being hacked, as reported by the BBC. According to a paper by ReVuln lead researchers Luigi Auriemma and Donato Ferrante, hackers could exploit the ability to launch Origin games via the web to run malicious code on users' computers.
The technique is similar to one ReVuln previously discovered in Steam, and centers around the Origin program using the origin:// URI to launch games from web links. Those links could be created to run unauthorized code while the system launches the game, so the compromised security would go undetected by users.
ReVuln said any computer with Origin installed on it is vulnerable, regardless of whether the program is actively running or what operating system is used. To remedy the issue without uninstalling Origin, the firm suggests disabling the origin:// URI handler in all web browsers that support the feature. It also suggested using a third-party tool to disable the URI globally, but that would also prevent desktop shortcuts to Origin games from working properly.
EA has put Origin's player base at 40 million registered users worldwide. According to the BBC, there is no evidence this security hole has yet been exploited maliciously.
When asked for comment on the vulnerability, an Electronic Arts representative told GamesIndustry International, "Our team is constantly investigating hypotheticals like this one as we continually update our security infrastructure."
UPDATE: On March 25, EA released the following statement: "Origin today issued an update that will make the hypothetical exploit of the Origin URI inoperable. We have no reason to believe it was ever used, but out of an abundance of caution for our players, we wanted to quickly address it."