A flaw in Electronic Arts's (EA) Origin platform could leave more than 40 million people open to attack, according to researchers.
In a paper published late last month, ReVuln researchers Luigi Auriemma and Donato Ferrante reported that the social network/online store has a loophole that allows hackers to swap games for malicious code.
"In fact, an attacker can remotely compromise millions of systems in a very silent and undetected way, by exploiting any possible local issue or feature exposed by any of the games available on Origin," they said.
There have been no reported Origin hacks to date.
Electronic Arts opened its rebranded Origin store in June 2011, offering a place for gamers to buy, download, and manage games, and chat with friends. EA designed the platform to compete directly with Steam, which has its own vulnerabilities, as ReVuln pointed out in October.
Origin's fatal flaw lies in the way the Origin URI handles commands. To access content, users download a client that connects to the Origin server using a custom URI — origin://. But a hacker who discovers the Game ID can use local vulnerabilities to force arbitrary code onto a gamer's machine.
"In other words, an attacker can craft a malicious Internet link to execute malicious code remotely on [a] victim's system, which has Origin installed," the researchers said.
The EA team "is constantly investigating hypotheticals like this one as we continually update our security infrastructure," a company spokesman said in a statement.
There is a possible fix, according to Auriemma and Ferrante: disabling the origin:// URI globally. The workaround means that users can no longer run games via desktop shortcuts or websites with custom command line parameters, but players can still run games directly from Origin.
Electronic Arts can't afford for tens of thousands of users to get hacked, following two weeks of SimCity launch problems. The trouble began 5 March, when the Maxis-made game returned after a 10-year hiatus to such fanfare that EA's servers were quickly overloaded. When the company refused to issue refunds to those who purchased digital downloads, unhappy players were forced to wait for the company to fix its capacity problem.
The consolation prize: a free PC game download. EA announced that users can begin picking from "some of the hottest games in the EA portfolio," including Battlefield 3, Dead Space 3, Mass Effect 3, Bejeweled 3, Medal of Honor Warfighter, Need for Speed Most Wanted, Plants Vs. Zombies, and SimCity 4 Deluxe Edition.
Amidst all of the SimCity drama, EA CEO John Riccitiello announced that he will step down, effective 30 March.