Ubisoft looks into potential backdoor in Uplay rewards software
![tom-espiner.jpg](https://www.zdnet.com/a/img/resize/67310ee8f7e1f78d688a1d30b97fcd110e981c3a/2014/07/22/041da4a6-1175-11e4-9732-00505685119a/tom-espiner.jpg?auto=webp&fit=crop&frame=1&height=192&width=192)
Games developer Ubisoft is looking into a potential backdoor in its Uplay in-game rewards software.
The backdoor could reportedly allow an attacker to gain control of a PC through a browser with the Uplay plug-in installed.
![Uplay Ubisoft](https://www.zdnet.com/a/img/resize/bb3c9d0c2beef22f0c4e93b7eeb015d71a77527a/2014/10/05/71a9f334-4cd8-11e4-b6a0-d4ae52e95e57/uplay-ubisoft.jpg?auto=webp&width=1280)
The alarm over the potential back door in Uplay — which allows gamers to connect, and get rewards, when using Ubisoft games such as Assassin's Creed II — was raised by Tavis Ormandy, an information security engineer at Google.
"While on vacation recently I bought a video game called Assassin's Creed Revelations," Ormandy said in a post on the Full Disclosure mailing list on Sunday. "I noticed the installation procedure creates a browser plug-in for its accompanying Uplay launcher, which grants unexpectedly (at least to me) wide access to websites."
Ormandy published some untested proof-of-concept exploit code in the post.
A spokesman for Ubisoft confirmed on Monday the company was investigating the reports of a backdoor in Uplay, but did not provide further information.
According to F-Secure chief research officer Mikko Hypponen, the potential backdoor could allow a hacker to remotely control a PC by launching malicious code from a website.
"It seems to be that if the [Uplay] software is installed by a gamer, and they access a website you control, you can execute arbitrary code on that system," Hypponen told ZDNet on Monday.