Warning: Big Security Risk In Some Ubisoft PC Games

really wish I hadn't searched Google Images for 'backdoor'

Update – Ubisoft may have plugged the hole, but it’s difficult to know for sure as they don’t appear to be discussing the issue. There are reports on the Ubi forums (thanks, Imperial Dane) that Uplay has been updated to version 2.04, which, if the commenter is accurate, bears the note “Fix addressing browser plugin. Plugin now only able to open uPlay application.” If your Uplay hasn’t/won’t update to version 2.04, I’d get rid of it and its plugin for now. To be honest I’d get rid of the plugin regardless, until we’re sure the problem’s been resolved.

We’re currently investigating the full extent of this, but moralising and recrimination can come later. For now, the important thing is to warn folks who have certain Ubisoft games installed on their PCs that an apparent backdoor has been discovered in the Uplay infrastructure/DRM which may in theory allow anyone so minded to install God knows what horrors on your PC. It isn’t confirmed as definite, but certainly proof of concept code is calling up Uplay windows and then loading other programs from websites that have nothing to do with Ubisoft. If Uplay is on your PC, I urge you to uninstall it and any games that use it immediately, until we know more. Update: the flaw lies specifically in a browser plugin Uplay quietly installs, and the general consensus is now that’s all you need to remove to protect yourself. See below for details on how to rid your PC of it.

Essentially, as described here, with the right piece of code any website can call up a Uplay window and from that might be able to slip a program install or launch of their choice onto your PC. Were someone with malevolent intent to inject the code onto a commonly-visited website, they might be able to gain control over any number of PCs – or install keyloggers, viruses and the like, or just plain old wipe your hard drive. The web security expert we chatted to says this could even occur via an email link, making this exploit a phisher’s dream if it’s as bad as it sounds.

Says the expert we spoke to, “you could click on a weblink, thinking you were visiting the BBC News Website from a friendly list of bookmarks. Except it’d also install a program via UBISoft’s DRM plugin which wiped your hard drive. It is a genuine threat. All it would take is an exploited wordpress, say.”

But I come here not to sensationalise, but to warn. With news of this backdoor spreading like wildfire and proof of concept code already out there, there’s a very real chance that someone will try to achieve something unpleasant with it before Ubisoft can shut it down. That’s presuming it is what it appears to be, of course – this may turn out to be an exaggeration, especially as the internet does so love to mock Ubi’s notorious DRM, but so far the evidence very much points to this being as dangerous as it sounds. I’ve contacted Ubisoft for comment and will update as and when we know more. There’s been no response as yet, and other sites are reporting similar silence.

The fault does appear to specifically lie with a browser plugin Uplay installs rather than Uplay itself, so remove that from your Firefox/Chrome/IE/etc extensions as a priority, but I’m erring on the side of extreme caution and advocating the removal of anything associated with Uplay until this apparent threat is dealt with. Here’s how to locate and disable the errant plugin:


Firefox:
Tools – Add-ons – Plugins – Disable the Uplay and Uplay PC Hub plugins

Chrome:
Visit about:plugins and disable

Opera:
Settings – Preferences – Advanced – Downloads – Search “Uplay”, delete

(Via Revisor on our forums).

Contrary to what some parts of the web are currently screaming, this is not a rootkit – it’s an exploit in a browser extension. Alas, the vast majority of folk with said browser extension will have been hitherto unaware that Uplay had installed it.

You can find the games which apparently include the exploit listed below. If you have any of them on PC, I would urge you to uninstall them and any Uplay applications as soon as possible as a precautionary measure. If you have any of these games on your PC, you can also see the apparent exploit harmlessly in action with the link here.

We’ve tested with a PC that has never had Uplay installed on it. The exploit didn’t work at all. After installing Uplay alone, immediately the test link did indeed work, calling up the Uplay window, and then with that, booting the Windows Calculator. After uninstalling Uplay, the exploit once again didn’t work.

Calculator’s hardly scary of course, but if someone could use the exploit to slip another program onto your PC or run command lines, anything could happen. Frightening – even if there is still something of a question mark over exactly what level of access a nasty soul could go on to achieve. Additionally, this software would appear to allow Ubisoft to monitor PCs running Uplay, but again let’s wait for more details before any hammers of judgement are wielded.

It appears versions of some of these games are Uplay-free and thus in theory safe, but again it may be better to be paranoid than sorry. You can always reinstall later, right? I’d also urge you to check your list of installed programs in Windows, just in case an old install of the Uplay launcher/plugin is hanging around despite your having previously uninstalled any games that used it.
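
A read-only PowerShell check for the traces the two passages above tell you to look for: the browser plugin, and old Uplay installs still on the PC. It is an added example, not from the original article or from Ubisoft; the file name `npuplaypc.dll` and the folder name "Ubisoft Game Launcher" come from a reader comment further down this page, and it assumes the plugin is registered through the standard `MozillaPlugins` registry keys and installed under Program Files.

```powershell
# Added example: report leftover Uplay browser-plugin traces on a Windows PC.
# Read-only: it lists findings and changes nothing.

$pluginFile = 'npuplaypc.dll'                  # file name reported in the comments on this page
$nameMatch  = 'Uplay|Ubisoft Game Launcher'    # assumed display names, taken from the page

function Get-NpapiRegistrations {
    # NPAPI browsers such as Firefox and Chrome discover plugins through these keys.
    # Internet Explorer add-ons are ActiveX controls and are not covered here.
    $roots = 'HKLM:\SOFTWARE\MozillaPlugins',
             'HKLM:\SOFTWARE\WOW6432Node\MozillaPlugins',
             'HKCU:\SOFTWARE\MozillaPlugins'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $props = Get-ItemProperty $_.PSPath
            if ($props.Path -like "*$pluginFile") {
                [pscustomobject]@{ Kind = 'NPAPI registration'; Location = $_.Name; Detail = $props.Path }
            }
        }
    }
}

function Get-PluginFiles {
    # Look for the DLL itself under the Ubisoft folder in both Program Files trees.
    $dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
    foreach ($dir in $dirs) {
        $ubi = Join-Path $dir 'Ubisoft'
        if (-not (Test-Path $ubi)) { continue }
        Get-ChildItem $ubi -Recurse -Filter $pluginFile -ErrorAction SilentlyContinue | ForEach-Object {
            # Detail is the DLL's own file version, not necessarily the Uplay version number.
            [pscustomobject]@{ Kind = 'Plugin file'; Location = $_.DirectoryName; Detail = $_.VersionInfo.FileVersion }
        }
    }
}

function Get-InstalledEntries {
    # The same data the Windows installed-programs list is built from.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $nameMatch } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Installed program'; Location = $_.PSChildName
                               Detail = "$($_.DisplayName) $($_.DisplayVersion)" }
        }
}

$findings = @(Get-NpapiRegistrations) + @(Get-PluginFiles) + @(Get-InstalledEntries)
if ($findings.Count -eq 0) {
    'No Uplay plugin traces found in the locations checked.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

An "NPAPI registration" row with no matching "Installed program" row is the leftover-plugin case described above: the launcher is gone but browsers can still load the DLL.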

Here’s the list of titles known to be affected:

Assassin’s Creed II
Assassin’s Creed: Brotherhood
Assassin’s Creed: Project Legacy
Assassin’s Creed Revelations
Assassin’s Creed III
Beowulf: The Game
Brothers in Arms: Furious 4
Call of Juarez: The Cartel
Driver: San Francisco
Heroes of Might and Magic VI
Just Dance 3
Prince of Persia: The Forgotten Sands
Pure Football
R.U.S.E.
Shaun White Skateboarding
Silent Hunter 5: Battle of the Atlantic
The Settlers 7: Paths to a Kingdom
Tom Clancy’s H.A.W.X. 2
Tom Clancy’s Ghost Recon: Future Soldier
Tom Clancy’s Splinter Cell: Conviction
Your Shape: Fitness Evolved

I’m not at all certain that list is complete, given other games are known to use Uplay – From Dust, for instance. Check your program installs and browser extensions/plugins for any trace of it regardless – it might be there from an older install even though the game that carried it is no longer on your PC.

Again, more news as we have it.

217 Comments

  1. Metalhead9806 says:

    I uninstalled the two games that used Uplay (AC Rev, SC Conv), I uninstalled the Ubisoft game launcher.
    Problem is I don’t see the extension in my Chrome or Internet Explorer web browser.

    I use Chrome 100% and I pasted that URL link and I didn’t see any Uplay PC addon/extension.

    How do I look for it in Internet Explorer? Even though I don’t use it, Uplay could have installed the extension to that browser at the time.

    Please help, I’m having a small panic attack.

    • Optimaximal says:

      Uninstalling UPlay may have removed them.

      IE Plugins are managed via Tools > Manage Add-Ons.

  2. Axess Denyd says:

    Uplay sucks in every way possible.

    It even breaks savegames in AssCreed 2.

    Every time I want to play, I hit play in Steam, wait for Uplay to happen, load AssCreed in safe mode, load a saved game, which is always right at the beginning of the game, then exit, watch uplay sync with the cloud, then load AssCreed in safe mode again, and then load my saved game which will actually be in the right place.

    Failure to load in safe mode causes my saved game to be completely lost.

    There are a TON of people with this issue, and they completely failed to patch it. Seriously considering pirating AssCreed 2 so I can actually play it without loading repeatedly. …also all the times the launcher sits idle gets recorded as playtime, so it looks like I have played almost 60 hours instead of 9 or so.

  3. AbyssUK says:

    This is awesome, please hackers of the world can you go for the Origin plugin next, am sure that’s got more security holes than the Olympic park.

    • Kadayi says:

      Hackers didn’t do this.

      • Milky1985 says:

        I think he means for them to go poke the Origin system to find the exploits and holes, as I think the original poster is either a white hat hacker or a security researcher.

  4. Tim Ward says:

    Would it be untoward of me to ask what a piece of DRM is doing silently installing a browser plugin?

    • GlasWolf says:

      I suspect it’s “because everyone else does it”.

      • Tyraa Rane says:

        But…everyone else doesn’t do it. I’ve got Steam and (Cthulhu help me) GFWL installed on my PC right now. My Firefox install remains cheerfully unmolested; no browser plugins from either of them. This is the first time I’ve ever heard of a DRM scheme sticking its nose into a web browser.

        And “what in the bloody hell is uPlay doing installing a browser plugin without my consent” was the first question that came to mind when I read this article, too. Seriously, Ubisoft. What the actual hell made you think that was a good idea and not a privacy (and now security) debacle waiting to happen?

      • Cooper says:

        Nope. Sure, many installers ASK to install annoying toolbars and whatnot.

        but, importantly, they ask.

        This was installed without request; that’s the awful thing about this.

      • Tim Ward says:

        But *what is it doing* – what purpose does the plugin serve? If it’s hidden, i.e. not some zany toolbar, then I can only assume it’s up to no good.

  5. Metalhead9806 says:

    Is it possible that I don’t have the extension in my Chrome or Internet Explorer browsers? I looked everywhere and I don’t see Uplay PC anywhere. Only Ubisoft game I played in the last four months was AC Rev and I don’t remember Uplay updating at all.

    • Optimaximal says:

      This is only a problem with the recent 2.0 update to UPlay that happened about a month ago. The older version wasn’t affected.

  6. Cryo says:

    Why the hell would it install browser plugin in the first place? What purpose does it serve? Just mindboggling. I’ve never joined any boycotts but I think I’m just done with ubisoft now.

  7. explodeydendron says:

    I can’t find any Uplay plugins, even with Ass Creed Bro installed. What’s up with that?

  8. Diago says:

    I can confirm that a lone installation of From Dust (Steam version) is also vulnerable to this exploit. The link provided also summons Windows Calculator after activating Uplay.

  9. nēģeris says:

    Pirates do not have problems like this…

  10. TwwIX says:

    As if I needed another reason to avoid their games. Somebody needs to make an example out of these assholes. How the fuck do we not have laws against this type of invasive DRM?

  11. Martel says:

    This is my punishment for finally buying an Ubisoft game. I held out for so long due to all their various garbage and got one on the Steam sales. Then this….guess I learned my lesson about buying their games.

  12. Elmokki says:

    I bought some Assassin’s Creed games in the Steam sale. Is it safe to install these if I remove the plugin right after or does it get mysteriously reinstalled all the time when I try to play?

    It’s pretty damn sad, but there’s a big incentive here to just pirate the game I actually own just to avoid terrible DRM.

    Oh well, my own fault I suppose. I was boycotting Ubisoft due to the DRM that I hated even before this backdoor, but Steam sale made me buy some games since they were cheap.

  13. Maldomel says:

    Can I laugh at Ubisoft?
    Seriously, I hope they don’t get away clean with this shit.

  14. WJonathan says:

    “Calculator’s hardly scary of course,”
    Speak for yourself!

  15. Heliocentric says:

    Freaking Ubisoft DRM, when will they learn. I’d actually argued in favour of a few recent Ubisoft games despite UPlay’s presence, without them formally apologising and rescinding UPlay entirely I will not be talking about anything they play, and not buying anything either for that matter.

    • Mbaya says:

      I think I’m pretty much in the same boat. Never been a fan of their DRM, but I lived with it…it exists, if I want to play a selection of their games I can jump through that hoop.

      This on top of every other situation their DRM has raised…well, it’s the straw that broke the camel’s back for me.

      It might be hard to resist some titles, if I’m weak and cave in maybe I’ll even still get them for a console (it’s sucky to miss out on a great game and the work a developer has put into that, when this seems to be a publisher controlled issue) but they seriously need to reevaluate how they’re handling the PC space and at the very, very least we need a well thought out apology and not their usual PR gibberish over this matter.

  16. malkav11 says:

    It’s not installed on my machine, though uPlay and several games that use it (acquired for dirt cheap, mind you) are. I assume this is because I haven’t run any of them in months and so uPlay has not updated itself to turn into a webstore.

  17. Rossi says:

    It would be ironic if this exploit managed to give hackers what they need to pirate ubisoft software.

  18. rocketman71 says:

    Glad I didn’t buy anything Ubi in the Steam sale due to their shitty DRM. Seems it was shitty in more ways than I thought.

    What a mess. Are the idiots at Ubi ever going to recant their shitware?

  19. mechabuddha says:

    Now I know for a fact that I have UPlay installed on my computer. But I can’t find a UPlay plugin in Chrome. Should I uninstall UPlay entirely just to be on the safe side?

    • Torgen says:

      Given this asshattery on Ubisoft’s part, I wouldn’t assume uninstalling Uplay would uninstall the browser extension.

  20. boxfish says:

    Hm, I uninstalled AC: Revelations and now can’t find any trace of Uplay on my system. Not sure if it’s been automatically uninstalled or something. Any ideas?

  21. Stuart Walton says:

    Chrome lists the file as being installed at:
    C:\Program Files\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll
    MIME type: application/x-uplaypc
    So you can always see if you can find it there.

    It ended up being installed after I went back to play a bit more Assassins Creed Brotherhood (via Steam). When I first installed it I was able to play without a uPlay account, but they patched it and I could find no way to launch the game without logging into uPlay.

    That in itself was a poor show from UbiSoft. This browser plugin is a catastrophe.

  22. Tyraa Rane says:

    Would someone care to enlighten me as to why a DRM scheme is installing a plugin in my web browser?

    • akeso says:

      So ubisoft can use a link on their website to launch uplay.

      That’s the only reason your computer was just left naked on a street corner in the internet universe.

      Gotta love improved user functionality right?

  23. Dark Nexus says:

    I can confirm that “From Dust” does install the browser plugin. So it can be added to the list of affected games.

    • yhancik says:

      I have installed and played From Dust (although it was in january) but I couldn’t find the plugin in Firefox nor Chrome…

  24. Daryl says:

    Good thing I do not support Ubisoft. Otherwise, I might be worried.

  25. Wynter says:

    OK, so I’ve disabled the plugin in both Chrome and Firefox; tried the exploit link in both and they’re fine.

    I could not find a Uplay plugin in IE under “Manage add-ons” anywhere, looked in all the sub-categories. The exploit still works there, though. Is it named something else in IE9? Is there a different way to disable it?

    I do not want to disable IE9, since for some rare sites IE is still necessary. Similarly, I’m playing Driver: SF and don’t want to kill off Uplay completely.

    Any thoughts on how to find/disable this plugin in IE9?

    • Dark Nexus says:

      I can’t speak for IE9, but it doesn’t seem to have installed in IE8. Every other browser on my system had it, but checking the link to test with from the article in IE8 brought no results.

      • Wynter says:

        Exploit still present in Internet Explorer 9, cannot find any way to disable the Uplay plugin. Does not seem to be an issue in IE9 64-bit version.

        Any thoughts?

        • Dark Nexus says:

          Okay, found it in 8…

          Tools > Manage Add-Ons > Change “Show: Currently loaded add-ons” to “Show: All add-ons” > Scroll down the list to find Uplay.

          I’m installing IE9 right now, so I’ll hunt it down there too.

  26. BlitzThose says:

    guess I should consider myself lucky I only installed one of these affected ubitard games in the last couple of days

  27. Metalhead9806 says:

    Ubisoft why do you punish me for supporting you?

  28. Jim9137 says:

    That’s a wonderful shot headlining. Is there a higher resolution one?

  29. Calabi says:

    This should be illegal. Installing things without the players’ consent and other such transgressions like not knowing what the fuck they are doing.

    The internet is like the wild west only worse. There’s no one looking after the consumers, or upholding a law or minimum standards. No one looking at these sorts of things. If you’re not an expert or go to people in the know you’re fucked.

    The lack of security and accountability must be a major impact economically on the internet. Through people too worried to buy, losing money, or not investing.

  30. Bettymartin says:

    Posted on the first post for visibility but it looks like Ubi have issued a fix. My Uplay has updated and the revision notes suggest the plugin can now only start Uplay.

  31. vandinz says:

    JUST GOT AN UPDATE ON UPLAY. Fix addressing browser plugin. Plugin now only able to open Uplay application.

    • merseybeatnik says:

      I downloaded the update claiming to have fixed the issue from Ubisoft and before disabling the plug-in I clicked on Revisor’s link to test whether the vulnerability was still exploitable, and Windows Calculator still opens, so I don’t know whether the update has solved it or not.

      • dE says:

        Well… yeah.
        I tried it, the update downloaded but this definitely did not fix it for me.

        • Bettymartin says:

          Calculator doesn’t open on mine since installing the update. Could it be a browser based issue maybe? I’m using Chrome.

          • cgf says:

            Did you restart the browser? It may still have the old version loaded.

  32. Urthman says:

    I played AssCreed 2 a while ago, but apparently not recently enough to have received the U-Play plugin. It’s not installed in my Firefox.

  33. Skabooga says:

    Well, now that you’ve used the ‘aaaaargh’ tag, I request, nay demand, that it be used once more to do a retrospective on this game:

    link to mobygames.com

  34. Blackseraph says:

    Hehe. Wow.

    Marvellous way to advertise drm for their customers. Not only are they useless they are also harmful!

    Good thing I don’t play their games, yet another reason not to.

  35. Kid_A says:

    The worst part of this isn’t the security hole – that can be patched, and in the event that anyone has lost anything, they can pursue damages.
    The worst part is the complete lack of communication from Ubisoft about the error apart from that one tiny patch note that does little to really allay any worries about UPlay. PC gaming and PC gamers yet again being mistreated and swept under the rug. This is why I refuse to buy any Ubisoft game unless it’s on a console second-hand: I refuse to give a company who treats their customers so poorly a single penny.

  36. zeroskill says:

    Well, good thing I don’t own any Ubisoft games!

  37. Azhrarn says:

    Oddly enough, I have both H.A.W.X. 2 and R.U.S.E., they’re currently not installed, but were until recently. However the plug-in isn’t present in either of my browsers (Chrome and IE).

    So it looks like uPLAY uninstalls its plug-ins when you remove the software that was using it.

  38. Forceflow says:

    If the only reason that this plugin exists is to let browsers launch Uplay, Ubisoft have been retards.

    Steam registers itself to launch steam:// URLs, much like a file handler. That’s the right way to do it, not using a plug-in.

    Sigh.

  39. psyk says:

    Rar rar rar oh wait meh link to citizenlab.org

    EDIT – people are clicking on a “clean” exploit link HAHAHAHAHAHAHAH oh dear and after RPS was hacked.

  40. webtax says:

    anyone knows which browsers are affected?

  41. captain nemo says:

    Good thing I stopped buying anything from Ubisoft a while back

  42. Shodex says:

    I enjoy a lot of Ubisoft franchises, and as a result I have a level of respect for them. Moreso than most of the big gaming corporations. But Uplay is getting out of hand, how can something that previously wasn’t needed at all be so damn troublesome?

  43. E_FD says:

    Incredible. I have Assassin’s Creed: Brotherhood installed, so I checked the link and Chrome’s plugins; the link didn’t do anything and Uplay wasn’t listed among the plugins, so I figured I was safe, but I decided to run AssBro again just to make sure.

    The game starts up with a “Patching…” bit, then tells me “Congratulations, Uplay has been updated to 2.03!” 2.03, not 2.04, the one that’s supposed to fix this crap. And NOW I’ve got the Uplay plugin on Chrome that I have to disable.

    What a f***ing pathetic piece of s***.

  44. RegisteredUser says:

    “the flaw lies specifically in a browser plugin Uplay quietly installs”

    You couldn’t make anything more genius up. An illegitimately installed piece of DRM related nonsense leading to PC intrusion / malware results from the same folks that ideally would like you to be online all the time, so that being vulnerable to the world ideally makes the most sense.

    Hooray for taking away every last bit of consumer rights and control over what you get, own, and install.

  45. tomemozok says:

    Am I the only one that noticed Assassins creed 3 on this list???
    How can a game that hasn’t come out yet be affected by this???
    Does this mean that AC 3 is in beta or something?