Uplay, Ubisoft's digital distribution service, has been temporarily disabled following a flaw that allowed ne'er-do-wells to download free games - including the as-yet unreleased Far Cry 3: Blood Dragon.
Ubisoft has taken its Uplay digital distribution service offline, after a flaw was discovered that allowed ne'er-do-wells to download games without payment - even making off with unreleased titles.
When gameplay footage for the upcoming first-person eighties-throwback shooter Far Cry 3: Blood Dragon leaked, Ubisoft was eager to figure out how the individual had got his or her hands on the title. Had it been leaked by a reviewer? Had its internal servers been attacked? Was one of its own employees leaking pre-release titles, heaven forfend?
The answer, it transpires, was at once simpler and more concerning: a flaw in the Uplay digital distribution service was allowing those with the knowledge to authorise their own transactions, downloading titles without having to go through that awkward having-to-actually-pay-for-them stage of the purchasing process. Worse, the flaw exposed titles that had been registered within the service but not actually launched, including the new Far Cry 3: Blood Dragon title.
By exploiting the flaw, the details of which will not be shared here, attackers were able to authorise the download for Far Cry 3: Blood Dragon without actually having purchased it - something they couldn't have done legitimately, as Ubisoft has yet to release the title for sale. Once downloaded, the title would run as normal. For a digital distribution service, which lives or dies by publisher confidence in the veracity of purchases and the strength of its digital rights management (DRM) implementation, that's hardly good news.
Ubisoft, naturally, is eager to get to the bottom of the problem. Accordingly, it has taken Uplay offline temporarily in order to find and fix the flaw, during which time it will also be conducting a thorough survey of user accounts to find those who have benefited from the exploit. The owner of any account which shows a game as being owned without a corresponding purchase record, and especially of those that profess to own pre-release titles, will likely find the account shuttered and may, depending on how far Ubisoft wishes to take its investigation, find themselves on the sharp end of some legal proceedings.
The company has released a statement that claims the flaw does not expose personal details of Uplay customers, and the outage will not affect other Ubisoft online services - just the download facility of Uplay. Thus far, the company has not provided a timescale as to when Uplay will be returned to normal.