uPlay security flaw 'a huge risk' says hack expert

Ubisoft's PC service "does not feature rootkit, just really bad code"

Ubisoft must patch its uPlay online service "as a matter of urgency", an online security expert has told CVG.


Early reports indicate that Ubisoft's online PC network has been hacked into, with newly exposed data suggesting that the service includes an alleged "rootkit", a term for software that gains privileged access to sensitive computer files.

Ubisoft has declined to comment at this early stage.

Rik Ferguson, the director of security research at Trend Micro, challenged the assumption that the service features a rootkit.

However, he added that the security flaw represents a huge risk and must be resolved immediately.

"This certainly looks like an easily exploitable software flaw, but I'm not sure I would go as far as calling it a rootkit," Ferguson told CVG.

"The reports state the exploitable code is in the form of a browser plugin; the plugin does not attempt to hide its presence on your system and can be relatively simply disabled. It's not a malicious root, just really bad code," he added.

Ferguson's account reflects the view of another IT expert, who told CVG that the exploit was likely an unintentional security vulnerability, as opposed to an intentional backdoor left in the system.

uPlay is a mandatory service that registers PC games published by Ubisoft.

Ferguson urged Ubisoft to fix the loophole as soon as possible now that the exploit is public information.

"Pushing out such easily exploitable code, to such an easily targeted platform as a web browser through such a huge gaming population presents a huge risk and will of course be of interest to online criminals.

"Ubisoft should be patching this code as a matter of urgency and in the meantime, gamers should be disabling the plug-in."