I doubt we’ll be hearing too much more about yesterday’s Uplay drama, given the security hole appears to have been safely plugged before any malevolent souls could take advantage of it. Ubisoft have passed further comment on the issue as they saw it, however, claiming an exploit that allowed a vast amount of access to Uplay users’ PCs was the result of a “coding error” and that their online infrastructure/shop/DRM did not include a rootkit.
“The Uplay application has never included a rootkit,” a spokeshuman told Kotaku. “The issue was from a browser plug-in that Uplay PC utilizes which suffered from a coding error that allowed unintended access to systems usually used by Ubisoft PC game developers to make their games.”
Why was the browser plugin there, on top of Uplay itself? Why are we not made aware of it and given the choice to refuse it when Uplay is installed?
Added Ubisoft, “The browser plugin that we used to launch the application through Uplay was able to take command line arguments that developers used to launch their games while they’re being made. This weakness could allow the application to specify any executable to run, rather than just a game. This means it was possible to launch another program on the machine.”
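To make the "coding error" concrete, here is an added illustration in Python of the launcher pattern Ubisoft describe, beside the shape a fixed one takes. It is not Ubisoft's code, not the plugin, and the install root, game names and function names are all made up; nothing is actually launched, each function just returns the path it would run.

```python
"""Added example (not Ubisoft's code): a launcher that takes the program to
run from untrusted arguments, versus one that only resolves a known game id.

The quoted statement says the plugin accepted developer-style command-line
arguments, so whoever could drive it chose the executable.  The hardened
version below never takes a path at all: it maps an identifier to an entry
in a fixed allowlist under a fixed install root.  Both functions only
return the target path; neither executes anything.
"""
from pathlib import PureWindowsPath
import shlex

# Constructed sample data: hypothetical install root and the only titles
# this launcher is allowed to start.
INSTALL_ROOT = PureWindowsPath(r"C:\Games\Launcher")
GAME_ALLOWLIST = {
    "hypothetical_game_a": PureWindowsPath("GameA") / "GameA.exe",
    "hypothetical_game_b": PureWindowsPath("GameB") / "bin" / "GameB.exe",
}


def weak_launch_target(args):
    """Weak pattern: the first argument names the program to run.

    Whoever controls `args` (here, any web page able to reach the plugin)
    controls which binary starts, which is the flaw the article describes.
    """
    argv = shlex.split(args)
    if not argv:
        raise ValueError("no program given")
    return argv[0]


def hardened_launch_target(game_id):
    """Resolve a game identifier to its executable; refuse anything else."""
    # Only a bare identifier is accepted, so drive letters, slashes and
    # '..' never get as far as the lookup.
    if not isinstance(game_id, str) or not game_id.isidentifier():
        raise ValueError("malformed game identifier")
    relative = GAME_ALLOWLIST.get(game_id)
    if relative is None:
        raise ValueError("unknown game: %r" % game_id)
    # Defensive check on the allowlist itself: entries must be relative and
    # must not step upwards out of the install root.
    if relative.is_absolute() or ".." in relative.parts:
        raise ValueError("allowlist entry is not a plain relative path")
    return str(INSTALL_ROOT / relative)


def accepts(game_id):
    """True if the hardened launcher would start this request."""
    try:
        hardened_launch_target(game_id)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The weak launcher happily hands back whatever it was given.
    print("weak:", weak_launch_target("C:/anything/other.exe --flag"))
    # The hardened one only knows its allowlisted games.
    for request in ("hypothetical_game_a", "C:/anything/other.exe", "../GameA/GameA.exe"):
        print("hardened:", request, "->", accepts(request))
```

The point is not the string checks but the design: a launcher reachable from a browser should never take "which program" as an input, only "which of the games I already know about".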
Why did such a severe error slip through? If a company is going to make such great efforts to include online functionality, shouldn’t the protection of their customers be of at least as much importance as the protection of their copyrighted products? I know programming errors are essentially inevitable, but this was a huge thing to miss. And it wouldn’t have been there at all if there wasn’t a silently-installed browser plugin.
While there’s still no sign of an apology for leaving so many of their customers vulnerable to attack as a result of this sloppiness, Ubisoft point out that they fixed the hole quickly – apparently a working build was in testing some 90 minutes after they heard about the exploit, and went live around eight hours later. That is pretty quick, but I don’t grasp why they didn’t warn their customers to disable Uplay in the meantime. Hackers can work fast too, y’know?
Kotaku also claim, in the medium of reported speech, that Ubisoft said the exploit ‘was not tied to’ its notorious DRM. Hmm. That’s probably true – it’s part of the whole Uplay infrastructure (i.e. DLC sales, achievements, social networky stuff) rather than the DRM specifically. But again, why was the browser plugin needed at all, in addition to the Uplay app? I will send an e-card to the first person that can convincingly explain this to me.