Image: EA

Between Anthem, multiple rounds of layoffs, and all the trouble the publisher has had with various Star Wars games recently, EA has had a pretty rocky last 12 months. But strangely, a recent bug with its Origin game client might be one of the company’s most serious issues yet.

That’s because due to a security flaw in the Windows version of Origin, it was possible for hackers to essentially run or install any application on a user’s computer through something as innocuous as a hyperlink.

Advertisement

Discovered by Daley Bee and Dominik Penner of Underdog Security (via TechCrunch), the source of the flaw came from EA’s use of a custom URL protocol that allowed gamers to access a game’s web store from a browser instead of using the Origin client. Unfortunately, because those “origin://” links could also be tricked into launching malicious software, it essentially gave hackers free rein to install almost any program onto an end user’s machine.

According to Bee, by combining a malicious code with a cross-site scripting exploit, malware could be sent and automatically installed on vulnerable systems simply by clicking a link. And to prove the existence of the flaw, the team at Underdog security even created a demo exploit that opened up the Windows Calculator app instead of a link in Origin that appeared to be an EA sales offer.

Advertisement

Thankfully, the exploit has been addressed in the most recent patch for Origin, so to fix the issue, all you have to do is update your Origin game client. For any Origin client users on Mac, the good news is that the issue apparently only affected the Windows version of Origin. But there’s no reason you shouldn’t keep your software updated. 

And while it’s unclear if any users were actually attacked using the flaw, just the presence of an exploit this serious in Origin is still a bit of a worry. Maybe EA should worry less about microtransactions and focus more on QA, as it seems both Origin and Anthem have been in need of some additional technical help.

Advertisement

[TechCrunch]