Between the "SimCity" fiasco and the resignation of its CEO, this has already been a bad week for video game giant Electronic Arts, but it's about to get worse. Origin, the client that EA uses to sell its games digitally, possesses a critical security flaw that could open the client's 40 million users to malware attacks.
Security enthusiasts at this year's Black Hat conference in Amsterdam demonstrated the attack, which is both subtle and simple to enact, as it requires only routine action on the user's part. A theoretical hacker would only have to modify a script in Origin's inner workings.
When users open games from Origin, the program confers with EA servers before the game launches. Since this process requires an Internet connection, a modified script could very easily force a user onto a compromised webpage and fill his or her system with unwanted spyware or malware.
One of the few saving graces about such a hack is that it would be very easy to detect. By default, Origin warns users before loading outside websites, and launching an Internet browser would generally cause the launched game to minimize.
This would allow users to see the warning, avoid the harmful page and perhaps even take steps to fix the program. However, users can set Origin to load outside pages by default, meaning that a user could compromise his or her system simply by booting up a game. [See also: 10 Things You Must Know About Malware Infections]
EA will address this vulnerability in the future, but since no actual attack has happened, the fix will come in its own time. "Our team is constantly investigating hypotheticals like this one as we continually update our security infrastructure," an EA spokesman told Ars Technica.
Now that this idea is out in the open, however, hackers will probably think of something different if they want to target Origin. Just to be safe, be sure to set Origin to ask before opening outside websites, and be suspicious of any links that try to open while you're gaming. Playing "SimCity" these days is challenging enough without adding malware into the mix.