Origin game platform sends login and messages in plain-text

The chat functionality in EA’s game distribution and management platform, Origin, sends your Origin unique account number (“username”) along with a login token to the Origin Chat servers when the client logs in. Any presence data (availability), as well as any messages to and from friends or in the public chat rooms, are also sent unencrypted.

You’re probably not sharing anything more sensitive than Battlefield game strategies through the Origin Chat client. However, chats with your friends about what you do to the poor people in the life-simulator franchise The Sims could be a bit more awkward to explain. Talking about the tactical deployment and use of real-world weapons and explosives inside the Battlefield universe could sound bad out of context.

Every app maker and website has rushed to encrypt all their online services since the big global surveillance revelations two years ago. Messaging services in particular have taken to encrypting everything possible by default. Your possibly expensive library of games in the Origin service is protected by the same account and login as the chat service. Anything valuable is, of course, a target for hackers who could resell an account full of games. Apparently, EA hasn’t gotten the memo that they need to secure these things.

The Chat functionality in the Origin client can’t be disabled. Until EA fixes their client security, you should avoid logging in to the service while on a public Wi-Fi hotspot or under other risky network conditions. Remember to disable the option for starting Origin when you log in to Windows, to reduce the risk of accidental exposure when roaming with your laptop.

EA’s chat server over at chat.dm.origin.com — running on Tigase XMPP Server from the looks of things — doesn’t even support encryption. Tigase does support it, so it would just be a matter of EA upgrading the Origin clients and enabling encryption server-side. This is standard stuff and well tested by others already.
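One way to check whether an XMPP server offers encryption at all, as an added example that is not part of the original post: open a plain client-to-server connection, send only the XMPP stream header and inspect whether the `<stream:features>` the server answers with advertise STARTTLS (RFC 6120), before any credentials would ever be sent. `parse_stream_features` and `probe_starttls` are assumed helper names; the sample responses are constructed, not captured from any real server.

```python
import re
import socket
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

def parse_stream_features(data: bytes) -> dict:
    """Return {'starttls': bool, 'required': bool} from the first
    <stream:features> in a server's response. The <stream:stream> root stays
    open for the whole session, so only the features fragment is parsed."""
    m = re.search(rb"<stream:features\b.*?</stream:features>", data, re.S)
    if not m:
        return {"starttls": False, "required": False}
    wrapped = b'<r xmlns:stream="%s">%s</r>' % (STREAM_NS.encode(), m.group(0))
    tls = ET.fromstring(wrapped).find(f".//{{{TLS_NS}}}starttls")
    if tls is None:
        return {"starttls": False, "required": False}
    return {"starttls": True,
            "required": tls.find(f"{{{TLS_NS}}}required") is not None}

def probe_starttls(host: str, port: int = 5222, timeout: float = 5.0) -> dict:
    """Send only the stream header over a plain TCP connection and read the
    features the server advertises; no login or message is ever sent."""
    header = (f"<?xml version='1.0'?><stream:stream to='{host}' version='1.0' "
              f"xmlns='jabber:client' xmlns:stream='{STREAM_NS}'>").encode()
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(header)
        while b"</stream:features>" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
        s.sendall(b"</stream:stream>")
    return parse_stream_features(buf)

# Constructed sample server responses (not captured from any real server).
FEATURES_TLS_REQUIRED = (
    b"<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
    b"<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>")
FEATURES_PLAINTEXT_ONLY = (
    b"<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
    b"<stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism></mechanisms></stream:features>")
```

A server that answers like `FEATURES_PLAINTEXT_ONLY` never gives the client a chance to upgrade the connection, which is exactly the situation described above.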

On a side-note, it’s nice to see another user and implementation of the open-standard Extensible Messaging and Presence Protocol (XMPP, formerly known as “Jabber”). This seems to have been known since at least 2011, when Joel Jayarajasingam documented how to connect to Origin’s chat using the Pidgin instant messaging client.

I reached out to EA for comment ten months ago, but haven’t yet received a reply.

Tested against the Origin Chat servers and the Origin client version on 2015-06-29. Testing consisted of passive network monitoring, as well as minimal and benign client simulations against EA’s servers.