Ubisoft looks into potential backdoor in Uplay rewards software

Summary:A vulnerability in Ubisoft's Uplay connection and rewards software could allow a hacker to remotely control a system, according to security company F-Secure

Games developer Ubisoft is looking into a potential backdoor in its Uplay in-game rewards software.

The backdoor could reportedly allow an attacker to gain control of a PC through a browser with the Uplay plug-in installed.

Uplay Ubisoft
Ubisoft is investigating reports of a backdoor in its Uplay software.

The alarm over the potential back door in Uplay — which allows gamers to connect, and get rewards, when using Ubisoft games such as Assassin's Creed II — was raised by Tavis Ormandy, an information security engineer at Google.

"While on vacation recently I bought a video game called Assassin's Creed Revelations," Ormandy said in a post on the Full Disclosure mailing list on Sunday. "I noticed the installation procedure creates a browser plug-in for its accompanying Uplay launcher, which grants unexpectedly (at least to me) wide access to websites."

Ormandy published some untested proof-of-concept exploit code in the post.

A spokesman for Ubisoft confirmed on Monday the company was investigating the reports of a backdoor in Uplay, but did not provide further information.

According to F-Secure chief research officer Mikko Hypponen, the potential backdoor could allow a hacker to remotely control a PC by launching malicious code from a website.

"It seems to be that if the [Uplay] software is installed by a gamer, and they access a website you control, you can execute arbitrary code on that system," Hypponen told ZDNet on Monday.

Topics: Security

About

Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues.Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books.Tom eventually found tha... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.