Users of the EA Origin gaming platform are being urged to install a critical update after a security flaw was discovered that could have potentially allowed cybercriminals to install malicious files on millions of systems.
Origin allows users to buy, download and play popular Electronic Arts titles such as Anthem and Apex Legends, and franchises including FIFA, The Sims and Assassin’s Creed.
The flaw affected those running Origin on Windows devices. It resulted from the platform’s use of a custom URL scheme. Links starting with origin:// could be placed in web pages, which would then open a page within the Origin client.
Cybersecurity experts from Underdog Security found that malicious actors could exploit this to trick Origin into running any application on a user’s device. While there is no evidence that the flaw has been used with malicious intent, it could have been used to issue commands that download and run malware on the system.
EA has confirmed that the latest Origin critical update, which was rolled out on Monday, has corrected the issue.
Could the Origin critical update have been avoided?
While EA seemingly patched the issue before it was discovered and exploited by malicious actors, Oleg Kolesnikov, vice president of threat research and head of Research Labs at Securonix, previously told Verdict that “Where there is one, there is often much more to find”.
There is never a shortage of software vulnerabilities discovered in products after launch. A vulnerability was recently discovered in software pre-installed on Huawei’s Matebook laptops, as well as in pre-installed apps on Xiaomi’s smartphones.
However, according to Jake Moore, Cybersecurity Specialist from ESET, increased testing of products for such flaws prior to release could help to avoid issues later on.
“Here is another example why ethically hacking your own software is extremely valuable rather than just simple testing,” he said.
“Luckily, this was patched before any data was largely exposed but hopefully this will act as a wakeup call for other companies of all sizes to further test and attack their own products before release and then continually try to break in.”
Calling on white hat hackers
“Using white hat hackers to attack your own code and applications is very beneficial to a company of this nature especially when their target audience is known to be more advanced and equipped with knowledge to test and look out for vulnerability,” Moore said.
White hat hackers, otherwise known as ethical hackers, specialise in penetration testing systems to discover any security vulnerabilities. These vulnerabilities are then reported to the organisation in order to patch and improve security.
White hat hackers are increasingly being called upon by businesses to test their security in a safe, controlled way.
According to HackerOne’s Hacker-Powered Security Report, more than 72,000 vulnerabilities have been discovered and resolved by users on its platform since 2012, with companies shelling out more than $31m on ethical hacking in the same period.