EA Patches Major Security Flaw In its Origin Launcher

(Image credit: Shutterstock)

Underdog Security, a cybersecurity and penetration testing consultancy firm, revealed yesterday that a security flaw in Electronic Arts' Origin game launcher enabled remote code execution. That means someone could have exploited the vulnerability to "execute any kind of commands their heart desired," as the security firm put it, on any Windows system with Origin installed. (The macOS version of the launcher wasn't affected by the flaw.) EA fixed the problem on Monday, TechCrunch reported. 

Underdog said it was "simply curious and looking around at the origin2 URI handler, when we came across a parameter where we could supply data that would be echoed back to us in the Origin client, prompting us to start tinkering." They eventually found a way to inject templates into Origin, and because the launcher is based on AngularJS, they easily found ways to escape sandboxing to wreak havoc on a target system.

It's hard to imagine now, but there was a time when PC games didn't even require launchers. Someone could just pop their physical storage media of choice into their machine, install the game on their system and then run it like they would run any other program. Now it seems like there are countless companies trying to own every step along the PC gaming process with their own storefront-social-platform-launcher apps, like Origin.

Let's just count some of the more notable options. Valve leads the market with Steam, CD Projekt Red offers DRM-free titles via GOG, Activision Blizzard has expanded the scope of Battle.net in recent years, Twitch briefly decided to help streamers monetize via the Twitch Game Store, Discord brought game commerce into its chat platform, and Epic Gamescreated the oft-contentious Epic Games Store. And, of course, there's Origin.

Many of these launchers use popular multiplayer titles to effectively force people to use them. Steam is the only way to play Valve games, like Dota 2, Counter-Strike: Global Offensive and Team Fortress 2. Battle.net houses the likes of Overwatch, World of Warcraft and Call of Duty: Black Ops 4. The Epic Games Store originally housed Fortnite, and Origin probably saw a massive spike as tens of millions of people played Apex Legends.

That means developers can attract people to their platforms with exclusive first-party titles before using other methods, from exclusive releases to discounted prices, to keep them coming back for more. But most people are unlikely to go all-in on a single platform--they're allowed to like Dota 2, World of Warcraft, Fortnite and Apex Legends. They don't want to abandon their game libraries, either, so they have to use multiple launchers.

It's easy to see how that would get frustrating. Underdog's discovery of this Origin vulnerability also shows how it can be dangerous. Installing more launchers means attackers have more potential ways to compromise a system. Maybe the belief that every company needs its own launcher will fade, but right now, it's putting people at risk by forcing them to use tools they probably didn't want to use in the first place.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.