Critical flaw found in Blizzard’s Overwatch, World of Warcraft

Thursday, 1 February, 2018

A member of Google’s Project Zero Team has discovered a critical flaw in all of Blizzard’s online games, including Overwatch and World of Warcraft, that could allow a hacker to run malicious code on a gamer’s computer.

Hugely popular Blizzard games including Diablo III regularly command half a billion users every month.

But after Tavis Ormandy reported the issue to Blizzard, the company suddenly went dark and implemented their own fix.

Google researchers questioned the company’s stance, saying this patch is unlikely to last, and indicated that they expect it “to break in future”.

Which games are affected?

World of Warcraft is a hugely popular multiplayer online role-playing game released in 2004.

It remains the world’s most-subscribed MMORPG with Blizzard boasting it had created over 100 million accounts since its inception.

The game is set in the fantasy world of Azeroth and players can take on a multitude of roles, improving their character and interacting with others.

Overwatch is a highly successful team-based multiplayer online first-person shooter released in 2016.

It has become one of the forerunners of competitive gaming with an Overwatch international league where permanent teams compete against each other.

How the bug works

To play Blizzard games online using web browsers, players need to install a game-client application called Blizzard Update Agent.

This is a program which runs in the background and automatically starts up when your PC boots. It checks for software updates and automatically downloads and installs them if found.

But Tavis Ormandy found that the Blizzard Update Agent was vulnerable to a hacking technique known as DNS Rebinding.

This allows any website to act as a bridge between a malicious server and your computer, from which it is then able to attack other computers on the network.

At first it seems Blizzard were regularly communicating with Mr Ormandy but then suddenly stopped. In the meantime, they rolled out their own patch, which he described as a ‘bizarre solution’.

I’m not pleased that Blizzard pushed this patch without notifying me.

The obvious flaw in this scheme is that the blacklist needs to be complete and maintained, so I expect it will break in the future or for users on unusual browsers.

- Tavis Ormandy: Researcher, Google Project Zero Team

Mr Ormandy, who published a test case for the attack, has said he will now look at other online games to see if the flaw is as widespread as he fears.


Tim Bamford


Tim is a veteran freelance journalist writing extensively on internet news and cybersecurity.
