Electronic Arts (EA) has fixed a security flaw in the Windows version of its gaming client Origin that allowed attackers to remotely execute code on an affected computer.
The vulnerability was discovered by Dominik Penner and Daley Bee of Underdog Security, who also created and shared proof-of-concept code with TechCrunch.
The demo shows how Origin could be tricked to pop open the built-in Windows Calculator app. That said, the exploit could be deployed to launch any app and with the same level of privileges as the user. Worse, combined with PowerShell commands, an attacker could execute various malicious payloads on the victim’s machine, according the research duo.
The exploit takes advantage of Origin’s URL scheme that, as TechCrunch notes, “allows gamers to open the app and load a game from a web page by clicking a link with origin:// in the address”.
In their demonstration, the researchers click a malicious link. However, in some cases the victim doesn’t even need to click anything. This is because the link can also be triggered “if the malicious code was combined with a cross-site scripting exploit that ran automatically in the browser”.
The loophole can also be exploited to break into gamers’ accounts, as it makes it possible to steal a gamer’s account access token using a single line of code.
It’s unclear if any gamers were actually attacked using the flaw, for which an update was rolled out on Monday.
The Origin app on Windows is used by tens of millions of gamers. Origin’s macOS client was not affected by this vulnerability.