Games developer Ubisoft is looking into a potential backdoor in its Uplay in-game rewards software.
The backdoor could reportedly allow an attacker to gain control of a PC through a browser with the Uplay plug-in installed.
The alarm over the potential backdoor in Uplay — which allows gamers to connect, and get rewards, when using Ubisoft games such as Assassin's Creed II — was raised by Tavis Ormandy, an information security engineer at Google.
"While on vacation recently I bought a video game called Assassin's Creed Revelations," Ormandy said in a post on the Full Disclosure mailing list on Sunday. "I noticed the installation procedure creates a browser plug-in for its accompanying Uplay launcher, which grants unexpectedly (at least to me) wide access to websites."
Ormandy published some untested proof-of-concept exploit code in the post.
A spokesman for Ubisoft confirmed on Monday the company was investigating the reports of a backdoor in Uplay, but did not provide further information.
According to F-Secure chief research officer Mikko Hypponen, the potential backdoor could allow a hacker to remotely control a PC by launching malicious code from a website.
"It seems to be that if the [Uplay] software is installed by a gamer, and they access a website you control, you can execute arbitrary code on that system," Hypponen told ZDNet on Monday.