A major security vulnerability plaguing a number of popular video games made by game developer Activision Blizzard allowed hackers to remotely run malicious code on the machines of millions of gamers.

The security vulnerability was first discovered by Google Project Zero researcher Tavis Ormandy and was disclosed to Blizzard in December. The vulnerability affected titles including “World of Warcraft,” “Overwatch,” “Diablo III,” “Starcraft II” and others.

The bug has since been fixed—albeit unsatisfactorily—by Blizzard but when it was active, it could have been the basis for a particularly devastating attack that could have affected the nearly half a billion gamers who play games made by Blizzard every month.

According to Ormandy, the vulnerability stemmed from the Blizzard Update Agent, a standalone application installed alongside all Blizzard titles that is designed to identify and install updates and patches as they are made available.

The updater also allows commands to be entered that can change settings, perform maintenance and execute other actions—a feature that can be exploited by an attacker thanks to the way the Blizzard Update Agent was configured.

The updater would run code delivered through a server with a customized authentication system designed to check and make sure all changes being made are legitimate. However, that process could be bypassed through an attack called Domain Name System (DNS) rebinding.

Ormandy explained that “any website can simply create a DNS name that they are authorized to communicate with” and then make it communicate with the update agent’s server. By manipulate the DNS rebinding attack, a threat actor could make the Blizzard Update Agent execute any number of actions through code delivered remotely.

The Google researcher created a proof-of-concept exploit that showed how such an attack would work and proved that it could be executed in a matter of about 15 minutes. He delivered that proof-of-concept to Blizzard on Dec. 8, 2017.

Shortly after informing Blizzard of the issue and having some communication with the company, Ormandy said the video game developer froze him out. Blizzard cut off communications on December 22 and quietly issued a patch for the issue without consulting with Ormandy or informing its users of the issue.

Ormandy took issue with how Blizzard handled the situation, calling the patch the company provided a “bizarre solution.”

The researcher also said, “I'm not pleased that Blizzard pushed this patch without notifying me, or consulted me on this” and suggested that it was likely the fix provided by the game maker would likely be broken again and require future fixes.

A representative for Blizzard replied in the comments of Ormandy’s report and said the fix issued was not intended to be a final resolution for the issue. “We're in touch with Tavis to avoid miscommunication in the future,” the representative said.

RELATED STORIES
Security Blizzard Security Google