The flaw in the Origin app allows hackers to trick users into opening and running malicious software on their systems.
Electronic Arts recently fixed a bug in its online gaming platform, Origin. The Origin app is EA's answer to game storefronts like Steam and the Epic Games Store, and it boasts a massive archive of games including major titles like Apex Legends, Anthem, Battlefield V, Assassin's Creed Odyssey and many more.
A recently discovered security vulnerability in EA's popular gaming app has exposed tens of millions of Windows users to cyber-attacks.
The Origin desktop client registers a custom URL scheme so that a web page can open the app and load a game when the user clicks a link whose address begins with "origin://". Whoever controls the web page controls everything that follows "origin://", so the client is effectively parsing attacker-chosen input. Two security researchers discovered that the client could be duped through such a link into running any program on an unsuspecting victim's PC.
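The following is an added example written for this page; it is not EA's Origin client code and does not reproduce the actual Origin bug. It models the general mistake the paragraph describes: a desktop client turns fields of an "origin://"-style link into a process launch. The "game/launch" action, the "offerIds" and "cmdParams" parameters, the game catalogue and the list of permitted flags are all assumptions made for the example. The naive handler splices a link parameter into a shell command line; the hardened handler allowlists the action, the game id, the parameter names and every flag, and returns an argv list meant to be run without a shell.

```python
"""Added illustration of a URL-scheme handler mistake, in generic form.

Example code written for this page, not EA's Origin client code, and not
the actual Origin bug. The "game/launch" action, the "offerIds" and
"cmdParams" parameters, the game catalogue and the flag list are assumptions.
"""
import shlex
from urllib.parse import parse_qs, urlparse

# Constructed catalogue of installed games: identifier -> executable path.
INSTALLED_GAMES = {
    "game-1234": r"C:\Games\Example\example.exe",
}

# Launch flags the hardened handler is willing to forward to a game.
ALLOWED_FLAGS = {"-fullscreen", "-windowed", "-novid"}


def naive_command(url: str) -> str:
    """Vulnerable pattern: look the game up by id, then append the
    caller-supplied cmdParams verbatim to a shell command line.
    Returns the command string such a client would hand to the shell."""
    params = parse_qs(urlparse(url).query)
    exe = INSTALLED_GAMES.get(params.get("offerIds", [""])[0], "")
    extra = params.get("cmdParams", [""])[0]
    # The shell interprets metacharacters, so "& calc.exe" inside extra
    # becomes a second command: a web link now runs an arbitrary program.
    return f'"{exe}" {extra}'


def hardened_argv(url: str) -> list:
    """Treat the link as untrusted input: allowlist the action, the game id,
    the parameter names and every flag, and return an argv list that the
    caller must run without a shell (e.g. subprocess.Popen(argv)).
    Raises ValueError for anything outside the allowlist."""
    parsed = urlparse(url)
    if (parsed.scheme, parsed.netloc, parsed.path) != ("origin", "game", "/launch"):
        raise ValueError("unexpected action")
    params = parse_qs(parsed.query, strict_parsing=True)
    unknown = set(params) - {"offerIds", "cmdParams"}
    if unknown:
        raise ValueError(f"unexpected parameters: {sorted(unknown)}")
    offer = params.get("offerIds", [None])[0]
    if offer not in INSTALLED_GAMES:
        raise ValueError("unknown game id")
    argv = [INSTALLED_GAMES[offer]]
    # shlex.split turns "-fullscreen & calc.exe" into three tokens, and
    # "&" is not an allowed flag, so the injection attempt is rejected.
    for flag in shlex.split(params.get("cmdParams", [""])[0]):
        if flag not in ALLOWED_FLAGS:
            raise ValueError(f"flag not allowed: {flag!r}")
        argv.append(flag)
    return argv


def is_rejected(url: str) -> bool:
    """True when the hardened handler refuses the link."""
    try:
        hardened_argv(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    evil = "origin://game/launch?offerIds=game-1234&cmdParams=-fullscreen%20%26%20calc.exe"
    print("naive command   :", naive_command(evil))
    print("hardened rejects:", is_rejected(evil))
    print("hardened accepts:", hardened_argv("origin://game/launch?offerIds=game-1234&cmdParams=-fullscreen"))
```

The two design choices that matter are the ones the naive version skips: every value taken from the link is checked against a fixed allowlist before use, and the program is started from an argv list rather than a shell string, so no character in the link can ever be read as a command separator.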
The researchers also described a further weakness, which surfaces when a player signed in to the Origin client asks to edit their account on EA.com. As Beard told ZDNet, "The EA Origin client will spit out an auto-login URL, in which the token is basically the equivalent of your active username and password." Anyone who captures that URL, whether from a proxy log, a browser history or the network path, can therefore sign in as the user without knowing the password.
Additionally, IoT malware and botnets that have already infected home routers could intercept these auto-login URLs and automate the mass collection of EA account data. The same URLs also give an attacker access to account details such as the last digits of a user's phone number, order history, the last four digits of a saved credit card, the user's real name and more.

Hey @EAHelp @EA can we get someone to contact us at eabugbounty@protonmail.com? Auto-Login URLs are a very bad idea. Video below showcasing this bug, and allowing it to auto sign into an account on a browser with no cache or history of ever having been to https://t.co/KvS2LlbXkv. pic.twitter.com/HGXoFUIvyI
— beard (@beardlyness) 7 October 2018
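The following is an added example, not EA's code and not a description of how EA implemented or fixed the feature. It shows the two properties an auto-login handoff token needs so that a captured URL is worth little to a router bot or anyone else who sees it: the token expires quickly and it works exactly once. The StaticTokenLogin class stands in for the risky pattern the article describes, where the token in the URL is as good as the account's standing credential. The host example.invalid, the 60-second TTL and the injectable clock are assumptions made for the example.

```python
"""Added example of a safer auto-login handoff; assumed design, not EA's code.

The host example.invalid, TOKEN_TTL_SECONDS and the injectable clock are
assumptions made for the example.
"""
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 60  # assumed: a client-to-browser handoff needs far less


def _token_from(url: str):
    """Pull the token query parameter out of an auto-login URL."""
    return parse_qs(urlparse(url).query).get("token", [None])[0]


class StaticTokenLogin:
    """The risky pattern: the URL carries a token that is simply the
    account's standing credential, so whoever sees the URL can replay it
    as often as they like."""

    def __init__(self):
        self._credentials = {}  # token -> username

    def autologin_url(self, username: str, credential_token: str) -> str:
        self._credentials[credential_token] = username
        return f"https://example.invalid/login?token={credential_token}"

    def redeem(self, url: str):
        return self._credentials.get(_token_from(url))  # valid on every replay


class AutoLoginBroker:
    """Single-use, short-lived handoff tokens backed by server-side state."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # token -> (username, expiry timestamp)

    def autologin_url(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self._pending[token] = (username, self._clock() + TOKEN_TTL_SECONDS)
        return f"https://example.invalid/login?token={token}"

    def redeem(self, url: str):
        """Return the username to sign in, or None if the token is unknown,
        already used, or expired."""
        entry = self._pending.pop(_token_from(url), None)  # pop: one use only
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() > expires_at:
            return None  # a captured URL is dead once the TTL has passed
        return username


if __name__ == "__main__":
    broker = AutoLoginBroker()
    url = broker.autologin_url("alice")
    print("first redeem :", broker.redeem(url))   # alice
    print("replay       :", broker.redeem(url))   # None
```

The broker keeps the token server-side and deletes it on first use, which is what makes a leaked URL nearly worthless: by the time malware on a router has harvested it, the legitimate browser has usually already consumed it, and even an unused one stops working after the TTL. The static variant has neither property, which is why the researchers' point that the token "is basically the equivalent of your active username and password" matters.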