
Critical flaw found in Blizzard’s Overwatch, World of Warcraft

Thursday, 1 February, 2018

A member of Google’s Project Zero Team has discovered a critical flaw in all of Blizzard’s online games, including Overwatch and World of Warcraft, that could allow a hacker to run malicious code on a gamer’s computer.

Hugely popular Blizzard games including Diablo III regularly command half a billion users every month.

But after Tavis Ormandy reported the issue to Blizzard, the company suddenly went dark and implemented their own fix.

Google researchers questioned the company’s stance, saying this patch is unlikely to last, and indicated that they expect it “to break in future”.

Which games are affected?

World of Warcraft is a hugely popular multiplayer online role-playing game released in 2004.

It remains the world’s most-subscribed MMORPG with Blizzard boasting it had created over 100 million accounts since its inception.

The game is set in the fantasy world of Azeroth and players can take on a multitude of roles, improving their character and interacting with others.

Overwatch is a highly successful team-based multiplayer online first-person shooter released in 2016.

It has become one of the forerunners of competitive gaming with an Overwatch international league where permanent teams compete against each other.

How the bug works

To play Blizzard games online using web browsers, players need to install a game-client application called Blizzard Update Agent.

This is a program which runs in the background and automatically starts up when your PC boots. It checks for software updates and automatically downloads and installs them if found.

But Tavis Ormandy found that the Blizzard Update Agent was vulnerable to a hacking technique known as DNS Rebinding.

This allows any website to act as a bridge between the malicious server and your computer, and the attacker is then able to attack any other computers on the network.

At first, it seems, Blizzard were regularly communicating with Mr Ormandy, but they then suddenly stopped. In the meantime, they rolled out their own patch, which he described as a ‘bizarre solution’.

I’m not pleased that Blizzard pushed this patch without notifying me.

The obvious flaw in this scheme is that the blacklist needs to be complete and maintained, so I expect it will break in the future or for users on unusual browsers.

- Tavis Ormandy: Researcher, Google Project Zero Team

Mr Ormandy, who published a test case for the attack, has said he will now look at other online games to see if the flaw is as widespread as he fears.
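A common server-side defence against the DNS rebinding technique described above is for the local service to validate the HTTP Host header, because requests from a rebound page still carry the attacker's domain name rather than a loopback name. The added example below (not Blizzard's code and not Mr Ormandy's test case) contrasts an allow-list check with a deny-list check to illustrate the completeness problem raised in the quote; the port number and the deny-list entries are constructed values.

```python
# Added example: Host-header validation for a loopback-only HTTP service.
# LOCAL_PORT and DENIED_HOSTS are constructed values, not taken from the article.
LOCAL_PORT = 8765
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}
DENIED_HOSTS = {"evil.example", "rebind.example"}


def parse_host(header):
    """Return (hostname, port) from a Host header, or None if malformed."""
    if not header or header != header.strip():
        return None
    value = header.lower()
    if value.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:8765
        host, sep, rest = value[1:].partition("]")
        if not sep or (rest and not rest.startswith(":")):
            return None
        port = rest[1:] if rest else "80"
    else:
        host, sep, port = value.partition(":")
        if not sep:
            port = "80"                  # no port given: the http default was used
    if not host or not (port.isascii() and port.isdigit()):
        return None
    return host, int(port)


def allowed_by_allowlist(header):
    """Accept only the loopback names on the service's own port."""
    parsed = parse_host(header)
    return parsed is not None and parsed[0] in ALLOWED_HOSTS and parsed[1] == LOCAL_PORT


def allowed_by_denylist(header):
    """Fragile variant: accept anything that is not a known-bad name."""
    parsed = parse_host(header)
    return parsed is not None and parsed[0] not in DENIED_HOSTS


if __name__ == "__main__":
    # Constructed Host headers: local use, a listed bad name, an unlisted name.
    for h in ["localhost:8765", "[::1]:8765", "evil.example:8765", "unlisted.example:8765"]:
        print(f"{h:24} allow-list={allowed_by_allowlist(h)} deny-list={allowed_by_denylist(h)}")
```

The deny-list accepts `unlisted.example:8765` because nobody added that name yet, while the allow-list rejects it without needing any maintenance.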


Tim Bamford
Tim is a veteran freelance journalist writing extensively on internet news and cybersecurity.
