Ubisoft looks into potential backdoor in Uplay rewards software

A vulnerability in Ubisoft's Uplay connection and rewards software could allow a hacker to remotely control a system, according to security company F-Secure.

Games developer Ubisoft is looking into a potential backdoor in its Uplay in-game rewards software.

The backdoor could reportedly allow an attacker to gain control of a PC through a browser with the Uplay plug-in installed.


The alarm over the potential backdoor in Uplay — which allows gamers to connect, and get rewards, when using Ubisoft games such as Assassin's Creed II — was raised by Tavis Ormandy, an information security engineer at Google.

"While on vacation recently I bought a video game called Assassin's Creed Revelations," Ormandy said in a post on the Full Disclosure mailing list on Sunday. "I noticed the installation procedure creates a browser plug-in for its accompanying Uplay launcher, which grants unexpectedly (at least to me) wide access to websites."

Ormandy published some untested proof-of-concept exploit code in the post.

A spokesman for Ubisoft confirmed on Monday the company was investigating the reports of a backdoor in Uplay, but did not provide further information.

According to F-Secure chief research officer Mikko Hypponen, the potential backdoor could allow a hacker to remotely control a PC by launching malicious code from a website.

"It seems to be that if the [Uplay] software is installed by a gamer, and they access a website you control, you can execute arbitrary code on that system," Hypponen told ZDNet on Monday.

