Ubisoft looks into potential backdoor in Uplay rewards software

Ubisoft looks into potential backdoor in Uplay rewards software

Summary: A vulnerability in Ubisoft's Uplay connection and rewards software could allow a hacker to remotely control a system, according to security company F-Secure

TOPICS: Security

Games developer Ubisoft is looking into a potential backdoor in its Uplay in-game rewards software.

The backdoor could reportedly allow an attacker to gain control of a PC through a browser with the Uplay plug-in installed.

Uplay Ubisoft
Ubisoft is investigating reports of a backdoor in its Uplay software.

The alarm over the potential back door in Uplay — which allows gamers to connect, and get rewards, when using Ubisoft games such as Assassin's Creed II — was raised by Tavis Ormandy, an information security engineer at Google.

"While on vacation recently I bought a video game called Assassin's Creed Revelations," Ormandy said in a post on the Full Disclosure mailing list on Sunday. "I noticed the installation procedure creates a browser plug-in for its accompanying Uplay launcher, which grants unexpectedly (at least to me) wide access to websites."

Ormandy published some untested proof-of-concept exploit code in the post.

A spokesman for Ubisoft confirmed on Monday the company was investigating the reports of a backdoor in Uplay, but did not provide further information.

According to F-Secure chief research officer Mikko Hypponen, the potential backdoor could allow a hacker to remotely control a PC by launching malicious code from a website.

"It seems to be that if the [Uplay] software is installed by a gamer, and they access a website you control, you can execute arbitrary code on that system," Hypponen told ZDNet on Monday.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


1 comment
Log in or register to join the discussion
  • Responsible disclosure?

    Ormandy has an interesting attitude to disclosing vulnerabilities; rather than notifying companies, he tends to post proof-of-concept attacks publicly first.