The Inquirer-Home

EA Origin game bug puts 40 million players at risk

Woes continue for US games publisher
Tue Mar 19 2013, 17:30

GAMES PUBLISHER Electronic Arts (EA) hasn't had a good day today, as just hours after announcing its CEO will step down following the disastrous launch of Simcity, a security firm has discovered that more than 40 million user accounts on the firm's Origin game store are at risk from hackers.

Revuln revealed in a white paper that in lab experiments, the firm's researchers managed to exploit a loophole in the way Origin handles links to games its players have downloaded and installed, making it run code that compromises a target machine.

An example of the exploit was demonstrated on Friday at the Black Hat security conference in Amsterdam. Taking seconds to execute, it relies on uniform resource identifier (URI) links that the Origin desktop client uses to trigger local software from the cloud, automatically starting games on an end user's machine.

The technique turns EA's game store into an attack platform that can surreptitiously install malware on game players' computers. The URI links can be tweaked to point to compromised Windows .DLL files, which can then be used to download malware, track software, install spyware and extract user data and personal information from local files.

"An attacker can craft a malicious internet link to execute malicious code remotely on victim's system, which has Origin installed," Revuln wrote in its report. "Attackers needed to know some identifying information about players to make good use of the vulnerability."

However, the researchers made clear that it's pretty straightforward for attackers to get around this because Origin doesn't prevent repeated attempts at guessing such information.

Despite the discovery, Revuln has not managed to prove that hackers have taken advantage of the vulnerability found in Origin.

EA has said it is investigating the matter. "Our team is constantly investigating hypotheticals like this one as we continually update our security infrastructure," an EA spokesperson said.

Earlier today, EA announced that its CEO John Riccitiello will step down from his position at the company on 30 March.

Riccitiello's departure follows EA's Simcity fiasco that has seen the game plagued with problems since launch, with users giving the city building game one star reviews on Amazon and taking to Twitter in protest.

However, EA did not mention whether the Simcity fiasco had anything to do with Riccitiello's decision, saying only, "The board has appointed Larry Probst as executive chairman to ensure a smooth transition and to lead EA's executive team while the board conducts a search for a permanent CEO." µ

