Ubisoft's online service, uPlay, has had a real vulnerability exposed that can be used to view customer files and information.
While it was initially thought that this was a deliberate backdoor hidden by programmers of the service, it now seems more likely that it is an unintentional vulnerability. IT “experts” speaking with CVG said: “Functionality in the uPlay browser extension, that normally enables games to be launched from a web browser, turns out can also be used to launch any other program on the system.”
“In the demonstration making its rounds on the internet, the code launched a calculator.”
While this might not have been a big problem if uPlay were voluntary, the fact that it was designed as a DRM system to protect the company's games, and is therefore mandatory, makes it a real issue. Gamers are being forced to install software that is inherently insecure and potentially provides hackers with a loophole.
“I noticed the uPlay installation procedure creates a browser plugin for its accompanying uPlay launcher, which grants unexpectedly (at least to me) wide access to websites,” said one hacker on the Y Combinator forum when discussing the vulnerability.
KitGuru Says: Ubisoft will need to jump on this in some official manner if it doesn't want to risk alienating consumers and its player base.