Critical flaw found in Blizzard’s Overwatch, World of Warcraft

Thursday, 1 February, 2018

A member of Google’s Project Zero Team has discovered a critical flaw in all of Blizzard’s online games, including Overwatch and World of Warcraft, that could allow a hacker to run malicious code on a gamer’s computer.

Hugely popular Blizzard games including Diablo III regularly command half a billion users every month.

But after Tavis Ormandy reported the issue to Blizzard, the company suddenly went dark and implemented their own fix.

Google researchers questioned the company’s stance, saying this patch is unlikely to last, and indicated that they expect it “to break in future”.

Which games are affected?

World of Warcraft is a hugely popular multiplayer online role-playing game released in 2004.

It remains the world’s most-subscribed MMORPG with Blizzard boasting it had created over 100 million accounts since its inception.

The game is set in the fantasy world of Azeroth and players can take on a multitude of roles, improving their character and interacting with others.

Overwatch is a highly successful team-based multiplayer online first-person shooter released in 2016.

It has become one of the forerunners of competitive gaming with an Overwatch international league where permanent teams compete against each other.

How the bug works

To play Blizzard games online using web browsers, players need to install a game-client application called Blizzard Update Agent.

This is a program which runs in the background and automatically starts up when your PC boots. It checks for software updates and automatically downloads and installs them if found.

But Tavis Ormandy found that the Blizzard Update Agent was vulnerable to a hacking technique known as DNS Rebinding.

This allows any website to act as a bridge between a malicious server and your computer, and from there to attack any other computers on the network.

At first it seems Blizzard were regularly communicating with Mr Ormandy but then suddenly stopped. In the meantime, they rolled out their own patch, which he described as a ‘bizarre solution’.

I’m not pleased that Blizzard pushed this patch without notifying me.

The obvious flaw in this scheme is that the blacklist needs to be complete and maintained, so I expect it will break in the future or for users on unusual browsers.

- Tavis Ormandy: Researcher, Google Project Zero Team

Mr Ormandy, who published a test case for the attack, has said he will now look at other online games to see if the flaw is as widespread as he fears.
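The incomplete-blacklist problem raised in the quote above, as an added example (not code from Blizzard, Project Zero or this article): a service listening on the local machine can blunt DNS rebinding by checking the Host header of each request, because a rebound request still names the attacker's domain there. The port, hostnames and denylist contents are constructed assumptions.

```python
import ipaddress

AGENT_PORT = 8080                        # assumed port, for illustration only
ALLOWED_NAMES = {"localhost"}            # names the local service answers to
DENYLIST = {"rebind.attacker.example"}   # constructed "known bad" list

def split_host_header(value):
    """Return (host, port) from a Host header; port is None when absent."""
    value = value.strip()
    if value.startswith("["):            # bracketed IPv6 literal such as [::1]:8080
        host, closed, rest = value[1:].partition("]")
        if not closed or (rest and not rest.startswith(":")):
            raise ValueError("malformed IPv6 Host header")
        port = rest[1:]
    else:
        host, _, port = value.partition(":")
    if port and not port.isdigit():
        raise ValueError("malformed port")
    return host.lower().rstrip("."), (int(port) if port else None)

def allowed_by_allowlist(header):
    """Accept only loopback names or addresses on the service's own port."""
    try:
        host, port = split_host_header(header or "")
        loopback = host in ALLOWED_NAMES or ipaddress.ip_address(host).is_loopback
    except ValueError:                   # malformed header or non-loopback name
        return False
    return loopback and port == AGENT_PORT

def allowed_by_denylist(header):
    """Reject only names already known to be hostile (incomplete by nature)."""
    try:
        host, _ = split_host_header(header or "")
    except ValueError:
        return False
    return host not in DENYLIST

# Constructed Host headers as a loopback service might receive them.
SAMPLES = ["localhost:8080", "127.0.0.1:8080", "[::1]:8080",
           "rebind.attacker.example:8080",   # rebinding name already on the list
           "fresh-domain.example:8080",      # rebinding name not yet on the list
           "127.0.0.1.evil.example:8080"]    # look-alike, not an IP literal

def compare(samples=SAMPLES):
    """Map each header to (allowlist verdict, denylist verdict)."""
    return {h: (allowed_by_allowlist(h), allowed_by_denylist(h)) for h in samples}

if __name__ == "__main__":
    for header, (allow, deny) in compare().items():
        print(f"{header:32} allowlist={allow!s:5} denylist={deny}")
```

The unlisted name passes the denylist but fails the allowlist, which is the maintenance gap the quote describes.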

Tim Bamford

Tim is a veteran freelance journalist writing extensively on internet news and cybersecurity.