
Cross Site Scripting Vulnerability in Origin Client

EASEC-2020-003

Severity: Important

CVSS Score: 8.2

Impact: Tampering

Status: Fixed

Affected Software: Origin for Mac & PC version 10.5.86 (or earlier)

CVE ID: CVE-2020-15914

Description

A cross-site scripting (XSS) vulnerability exists in the Origin Client that could allow a remote attacker to execute arbitrary JavaScript in a target user’s Origin client. An attacker could use this vulnerability to access sensitive data related to the target user’s Origin account, or to control or monitor the Origin text chat window.

Attack Scenario

To successfully leverage the vulnerability, the attacker must log into the Origin Client using a valid Origin account and use Origin’s text chat functionality to send a specially crafted text chat message to the affected system. The crafted message contains a JavaScript payload that will execute in the Origin Client when the client next starts.

  1. If the message is delivered, and the system is not running the Origin Client at that time, the payload will execute when the user next runs the Origin Client.
  2. If the user is already running the Origin client when the message is delivered, the payload will not execute immediately. The attacker must wait for the user to restart the Origin Client, or otherwise convince the user to restart their Origin Client.

Mitigations

Mitigations describe factors that limit the likelihood or impact of an attacker successfully leveraging the vulnerability.

  • The payload sent by the attacker to the affected system will only be executed when Origin starts on the target user’s system. If Origin is already running on the target system, the attacker must convince the target user to restart their Origin client, or wait for the user to restart their Origin client.
  • An attacker can only send text chat messages to a specific user, if the user is on the attacker’s friends list. To attack an arbitrary Origin user that is not on their friends list, the attacker must first convince the user to accept an Origin friend request.

Workarounds

Workarounds are steps EA customers can take to reduce the potential for an attacker to leverage the vulnerability if they cannot or choose not to install the update.

  • There are no workarounds for this vulnerability. To address the vulnerability, players should follow the steps outlined in the Resolution section of this advisory.

Resolution

To address the vulnerability, players with Administrator rights are advised to install the latest version of the Origin Client, version 10.5.87.

On the next player login, the player will be required to update before entering their credentials. If they are already logged in, they will need to restart Origin to get the update.

Frequently Asked Questions

How is Issue Severity Determined?

Issue severity is based on a 4-point scale ranging from Critical to Low. As part of our investigation, security engineers determine the overall ease of exploitation and what an attacker would need to do to successfully exploit the vulnerability. Typically, the fewer barriers that exist to exploitation, combined with a higher Security Impact, the higher the Issue Severity designation. More information about how we classify security impact and severity can be found here.

What causes the vulnerability?

The vulnerability is caused by the method the Origin Client’s web browser uses to render text chat messages. This allows an attacker to supply arbitrary JavaScript, which will execute on a target user’s Origin client under the authority of the www.origin.com domain.

Can this vulnerability be used to access or steal a player’s Origin account?

This vulnerability cannot be used to access or steal a player’s Origin account, or access their authenticated Origin client session.

What sensitive data is accessible using this vulnerability?

This vulnerability can be used to access the contents of the player’s chat messages, the player’s friends list, the player’s achievements, the player’s list of owned games and the player’s wishlist.

How do I know if I am vulnerable?

If Origin client version 10.5.86 or earlier is installed on the system, it is vulnerable to this issue.

How does the update resolve the vulnerability?

The update implements client-side and server-side content sanitisation and validation on the content that is sent and received in text chat messages.
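As an added illustration (this is not EA’s or Origin’s code) of the rendering defect described under “What causes the vulnerability?” and of the client-side and server-side sanitisation and validation the update describes: the unsafe renderer interpolates untrusted chat text straight into markup, the hardened renderer HTML-escapes every untrusted field first, and a validation step rejects malformed messages before they are stored or relayed. The message shape, the length limit, the sample message and all function names are assumptions made for this example.

```javascript
// Added example, not Origin client code. Message shape { sender, body },
// the length limit and the constructed sample message are assumptions.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML context, so untrusted text
// is always displayed as text and never interpreted as tags or attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable pattern (shown only for contrast): message fields are concatenated
// directly into markup, so a tag inside the message becomes live DOM when the
// chat window is (re)rendered.
function renderChatMessageUnsafe(msg) {
  return `<div class="chat-line"><b>${msg.sender}</b>: ${msg.body}</div>`;
}

// Hardened pattern: every untrusted field is escaped before it touches markup.
// In a real DOM the equivalent is assigning to `textContent` rather than `innerHTML`.
function renderChatMessageSafe(msg) {
  return `<div class="chat-line"><b>${escapeHtml(msg.sender)}</b>: ${escapeHtml(msg.body)}</div>`;
}

const MAX_BODY_LENGTH = 2000; // assumed limit for this example
// C0 control characters (except tab, LF, CR) and DEL have no place in chat text.
const CONTROL_CHARS = /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/;

// Server-side validation: reject structurally bad messages before they are
// stored or relayed, so output encoding is not the only line of defence.
// It deliberately does not try to strip "dangerous" markup; blacklisting is
// brittle, and the renderer above makes markup inert anyway.
function validateChatMessage(msg) {
  if (typeof msg !== 'object' || msg === null) return { ok: false, reason: 'not an object' };
  if (typeof msg.sender !== 'string' || typeof msg.body !== 'string') {
    return { ok: false, reason: 'fields must be strings' };
  }
  if (msg.body.length === 0) return { ok: false, reason: 'empty body' };
  if (msg.body.length > MAX_BODY_LENGTH) return { ok: false, reason: 'body too long' };
  if (CONTROL_CHARS.test(msg.body) || CONTROL_CHARS.test(msg.sender)) {
    return { ok: false, reason: 'control characters' };
  }
  return { ok: true };
}

// Constructed sample message: well-formed per the validator, but carrying markup
// that an injecting renderer would turn into a live script element.
const CONSTRUCTED_MESSAGE = { sender: 'friend<1>', body: 'gg <script>doSomething()</script>' };

console.log('validation:', validateChatMessage(CONSTRUCTED_MESSAGE));
console.log('unsafe:', renderChatMessageUnsafe(CONSTRUCTED_MESSAGE));
console.log('safe:  ', renderChatMessageSafe(CONSTRUCTED_MESSAGE));
```

Note that the sample message passes validation: validation is there to reject malformed input, not to recognise every possible markup payload, which is why the escaping at render time is the control that actually neutralises the injected script.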

Has this vulnerability been used against EA’s customers?

No. At the time of publication of this advisory we are not aware of any attacks against EA’s players that leverage this vulnerability.

Acknowledgement(s)

EA thanks the following security researcher for discovering this issue and reporting it to us in accordance with Coordinated Vulnerability Disclosure practices:

Date Published: October 29, 2020

Version: 1.0
