Severity: Important
CVSS Score: 8.2
Impact: Tampering
Status: Fixed
Affected Software: Origin for Mac & PC version 10.5.86 (or earlier)
CVE ID: CVE-2020-15914
Description
A cross-site scripting (XSS) vulnerability exists in the Origin Client that could allow a remote attacker to execute arbitrary JavaScript in a target user’s Origin client. An attacker could use this vulnerability to access sensitive data related to the target user’s Origin account, or to control or monitor the Origin text chat window.
Attack Scenario
To successfully leverage the vulnerability, the attacker must log into the Origin Client using a valid Origin account and use Origin’s text chat functionality to send a specially crafted text chat message to the affected system. The crafted message contains a JavaScript payload that will execute in the Origin Client when the client next starts.
Mitigations
Mitigations describe factors that limit the likelihood or impact of an attacker successfully leveraging the vulnerability.
Workarounds
Workarounds are steps EA customers can take to reduce the potential for an attacker to leverage the vulnerability if they cannot or choose not to install the update.
Resolution
To address the vulnerability, players with Administrator rights are advised to install the latest version of the Origin Client, version 10.5.87.
On the next player login, the player will be required to update before entering their credentials. If they are already logged in, they will need to restart Origin to get the update.
Frequently Asked Questions
How is Issue Severity Determined?
Issue severity is based on a 4-point scale ranging from Critical to Low. As part of our investigation, security engineers determine the overall ease of exploitation and how an attacker would need to successfully exploit the vulnerability. Typically, the fewer barriers that exist to exploitation combined with a higher Security Impact, the higher the Issue Severity designation. More information about how we classify security impact and severity can be found here.
What causes the vulnerability?
The vulnerability is caused by the method used to render text chat messages by the Origin Client’s web browser. This allows an attacker to supply arbitrary JavaScript, which will execute on a target user’s Origin client under the authority of the www.origin.com domain.
Can this vulnerability be used to access or steal a player’s Origin account?
This vulnerability cannot be used to access or steal a player’s Origin account, or access their authenticated Origin client session.
What sensitive data is accessible using this vulnerability?
This vulnerability can be used to access the contents of the player’s chat messages, the player’s friends list, the player’s achievements, the player’s list of owned games and the player’s wishlist.
How do I know if I am vulnerable?
If Origin client version 10.5.86 or earlier is installed on the system, it is vulnerable to this issue.
How does the update resolve the vulnerability?
The update implements client-side and server-side content sanitisation and validation on the content that is sent and received in text chat messages.
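The following added example (not EA's code; the advisory does not describe the actual implementation) sketches the two layers named above for a chat pipeline: validation of a message when it is sent, and output encoding when it is rendered. Because the advisory states the payload runs when the client next starts, the sketch encodes at render time so that stored history is also treated as text. All function names, the length limit and the sample history are assumptions constructed for illustration.

```javascript
// Hypothetical chat pipeline for illustration only.
const MAX_LEN = 2000; // assumed per-message limit

// Send side (server): validate and reject; do not try to "clean" markup here.
function validateOutgoing(text) {
  if (typeof text !== "string") return { ok: false, reason: "not a string" };
  const normalized = text.normalize("NFC");
  if (normalized.length === 0 || normalized.length > MAX_LEN) {
    return { ok: false, reason: "length" };
  }
  // Control characters other than tab, LF and CR have no place in chat text.
  if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/.test(normalized)) {
    return { ok: false, reason: "control character" };
  }
  return { ok: true, text: normalized };
}

// Receive side (client): encode for the HTML context at render time, so every
// message is displayed as text regardless of when or how it was stored.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderMessage(sender, text) {
  return `<li class="chat-msg"><span class="from">${escapeHtml(sender)}</span>: ` +
         `${escapeHtml(text)}</li>`;
}

// Replaying stored history at client start goes through the same encoder.
function renderHistory(history) {
  return history.map((m) => renderMessage(m.from, m.text)).join("\n");
}

// Constructed sample history: the second entry contains markup that must be
// shown literally, not interpreted by the embedded browser.
const storedHistory = [
  { from: "friend_a", text: "gg, rematch at 8?" },
  { from: "friend_b", text: '<b onmouseover="x()">hi</b>' },
];
```

Encoding at the rendering step is the layer that covers messages already stored before send-side validation was deployed.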
Has this vulnerability been used against EA’s customers?
No. At the time of publication of this advisory we are not aware of any attacks against EA’s players that leverage this vulnerability.
Acknowledgement(s)
EA thanks the following security researcher for their discovery and reporting it to us in accordance with Coordinated Vulnerability Disclosure practices:
Date Published: October 29, 2020
Version: 1.0