EA Origin client bug allows threat actors to run remote code

[silversurfer]

A vulnerability in the Electronic Arts (EA)  online gaming platform Origin could allow an attacker to trick unsuspecting gamers into remotely running malicious code on their computer.
 
Security researchers Daley Bee and Dominik Penner of Underdog Security discovered the bug affecting tens of millions of Windows users with the Origin app installed, according to TechCrunch.
 
The researchers told the publication their proof-of-concept could allow an attacker to run “anything they wanted” and provided a code to test the exploit which allowed any app to run at the same level of privileges as the logged-in user. The exploit also allowed an attacker to send malicious PowerShell commands.
 
Bee was cited as saying a malicious link could be sent as an email or listed on a webpage, and could also be triggered if the malicious code was combined with a cross-site scripting exploit that ran automatically in the browser.
 
An attacker could also steal a user’s account access token using a single line of code to ultimately gain access to a user’s account without needing their password.
 
EA spokesperson John Reseburg confirmed a fix was rolled out Monday and the exploit no longer works following the update.

SOURCE: https://www.scmagazine.com/home/security...mote-code/