Ubisoft looks into potential backdoor in Uplay rewards software

Games developer Ubisoft is looking into a potential backdoor in its Uplay in-game rewards software.

The backdoor could reportedly allow an attacker to gain control of a PC through a browser with the Uplay plug-in installed.

The alarm over the potential back door in Uplay — which allows gamers to connect, and get rewards, when using Ubisoft games such as Assassin's Creed II — was raised by Tavis Ormandy, an information security engineer at Google.

"While on vacation recently I bought a video game called Assassin's Creed Revelations," Ormandy said in a post on the Full Disclosure mailing list on Sunday. "I noticed the installation procedure creates a browser plug-in for its accompanying Uplay launcher, which grants unexpectedly (at least to me) wide access to websites."

Ormandy published some untested proof-of-concept exploit code in the post.

A spokesman for Ubisoft confirmed on Monday the company was investigating the reports of a backdoor in Uplay, but did not provide further information.

According to F-Secure chief research officer Mikko Hypponen, the potential backdoor could allow a hacker to remotely control a PC by launching malicious code from a website.

"It seems to be that if the [Uplay] software is installed by a gamer, and they access a website you control, you can execute arbitrary code on that system," Hypponen told ZDNet on Monday.