Games = Geeks, Geeks = People with Access (New Paths To Transparency)

Critical Flaw in All Blizzard Games Could Let Hackers Hijack Millions of PCs by Mohit Kumar.

From the post:

A Google security researcher has discovered a severe vulnerability in Blizzard games that could allow remote attackers to run malicious code on gamers’ computers.

Played every month by half a billion users—World of Warcraft, Overwatch, Diablo III, Hearthstone and Starcraft II are popular online games created by Blizzard Entertainment.

To play Blizzard games online using web browsers, users need to install a game client application, called ‘Blizzard Update Agent,’ onto their systems that run JSON-RPC server over HTTP protocol on port 1120, and “accepts commands to install, uninstall, change settings, update and other maintenance related options.”
… (emphasis in original)

See Kumar’s post for the details on “DNS Rebinding.”

Unless you are running a bot net, why would anyone want to hijack millions of PCs?

If you wanted to rob for cash, would you rob people buying subway tokens or would you rob a bank? (That’s not a trick question. Bank is the correct answer.)

The same is true with creating government or corporate transparency. You could subvert every computer at a location but the smart money says to breach the server and collect all the documents from that central location.

How to breach servers? Target sysadmins, i.e., the people who play computer games.

PS: I would not be overly concerned with Blizzard’s reported development of patches. No doubt other holes exist or will be created by their patches.

Leave a Reply

You must be logged in to post a comment.