
Blizzard Authenticator Flaw

[Link] WoW-Europe Forums discussion
[Link] Versione italiana

Video, or it never happened.
Yes, I came to the conclusion I can’t keep my mouth shut any longer. Blizzard is probably still busy with the expansion, and I bet my socks they won’t spend any time fixing a security flaw nobody knows about. Which leaves me two options: wash my hands of it, or inform the crowd and tell them how to prevent such a tragedy (been there, done that). First off, let’s start with the e-mail I sent to Blizzard.

Reference: http://forums.wow-europe.com/thread.html?topicId=6365388840&sid=1

So, basically I don’t know how you could ever mess up a thing like this, but ok, let’s explain. Once you fire up the Blizzard Authenticator, you paste it in the login screen and that’s it, the number is saved and it can’t be used anymore. Also, if not used within a certain time it will eventually expire. And we all know this. The problem is, how did you implement this? Once you use the code, it gets saved to the account. And that’s what screws up the security. As long as you have a single Authenticator for a single account, you’re safe, but when you start to use a single Authenticator (as you all suggested as well) for multiple accounts, you are screwed.

Example: Account 1, generated code 123321, I log in and write the code down. 10 minutes later, Account 2, another generated code 321123, I log in. 20 minutes later, Account 3, 123321 or 321123, doesn’t matter, I log in. Or Account 1 with 321123, or Account 2 with 123321 for that matter. It doesn’t matter, they all work.

This is where your problem lies. You didn’t do the right thing. You didn’t have to save the generated codes by account, but by Key ID instead. If you don’t, all the valid keys generated (and logged) for an account may be used on the other account too. Authenticator beaten by a keylogger, that’s the most ironic thing ever.

Here’s the deal: when a user logs in, check the Authenticator ID saved with his account, and then in a new table save the code by AuthID, and not in the account data. This will probably increase collisions, but better having collisions than hacked accounts, don’t you think?

Looking forward to an early reply.

Sincerely yours,
Skizo

Now, you’re also thinking “so, you got an answer right?”. Excerpt from the automatic response:

Due to the volume of email received by the Hacks & Anti-Piracy team it is not always possible for us to respond to each report individually and this may be the only email you receive from us regarding this matter.

As you can see, my only option was either to wait for an e-mail that would never arrive, fearing that by the time it’s fixed it’s already too late, or to spread the information. With journalist’s blood in my veins, I couldn’t do any less than this; I’ve already waited too long. So, in short, what does all this have to do with you? On to the explanation.

The basics of Blizzard Authenticator

Blizzard Authenticator, just like any other key generator of its kind, works like this: generate a code, use the code, and make it impossible to use the same code again. This prevents hacks due to keyloggers, because even if the hackers have your username & password, they can’t pass the final test, which is a one-time generated key. The BA does just the same. The problem lies in the way it has been implemented. If you have a single account and a single BA, you are safe. Sleep tight. If you use multiple accounts like me, you’re not allowed to sleep tight. Where did the security break? If the e-mail above didn’t make it clear, here it is in short:

  • You have two accounts
  • You generate code 123456 to log with Account1
  • The code 123456 gets saved for Account1
  • Since Account1 and Account2 share the same BA but the code 123456 has not been saved for Account2, you can use 123456 for your other account too, thus breaking the security of a one-time generated key.

This means that if the hackers are fast enough, while you log in to your main account they could send the captured code over the net and use it on your other account to do whatever they want. Sure, it requires some timing and some good skill, but I don’t think that’s a reason to relax. There are some workarounds for this, though. The first would be for Blizzard to fix their tables (as in their data storage, not furniture). It should work like this:

  • You have two accounts
  • You generate code 123456 to log with Account1
  • Account1 uses BA1
  • Code 123456 gets saved for BA1
  • Account2 uses BA1 too, so the code 123456 can’t be used again to log in with another account, just as code 654321 used to log in with Account2 can’t be used to log in with Account1.
  • Happy face here 🙂
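To make the difference between the two lists above concrete, here is an added illustration (my own toy model, not Blizzard’s code): a small server that records used one-time codes either per account, as the post says Blizzard did, or per authenticator serial, as the post proposes. The `AuthServer` class, the serial "BA1", the account names and the codes are constructed for the example; code expiry is left out because it does not change the cross-account outcome.

```python
# Added illustration, not Blizzard's code: a toy server that tracks used
# one-time codes either per account (the flawed model the post describes)
# or per authenticator serial (the fix it proposes). Account names, the
# serial "BA1" and the codes are constructed sample data; code expiry is
# left out since it does not change the cross-account outcome.
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    # account -> serial of the authenticator bound to it (constructed)
    bindings: dict
    # False: used codes keyed by account; True: keyed by authenticator serial
    per_authenticator: bool
    used: dict = field(default_factory=dict)

    def login(self, account: str, code: str) -> bool:
        """Consume `code` once within its scope; True means the login passed."""
        serial = self.bindings[account]
        scope = serial if self.per_authenticator else account
        seen = self.used.setdefault(scope, set())
        if code in seen:
            return False  # replay: this code was already consumed in this scope
        seen.add(code)
        return True


def replay_scenario(per_authenticator: bool) -> list:
    """One authenticator BA1 bound to both Account1 and Account2.

    Steps: genuine login on Account1 with 123456, the captured 123456
    replayed on Account2, then replayed once more on Account1.
    Returns the three accept/reject outcomes in order.
    """
    srv = AuthServer(bindings={"Account1": "BA1", "Account2": "BA1"},
                     per_authenticator=per_authenticator)
    return [
        srv.login("Account1", "123456"),
        srv.login("Account2", "123456"),
        srv.login("Account1", "123456"),
    ]


if __name__ == "__main__":
    print("used codes stored per account:      ", replay_scenario(False))
    print("used codes stored per authenticator:", replay_scenario(True))
```

With per-account storage the second login succeeds, which is exactly the cross-account replay the post describes; keyed by authenticator serial the same replay is rejected.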

Since this is unlikely to happen in the near future (you know, multinational corporations…) I came up with a couple of suggestions that I use and that may fix your problems most of the time (there are a few exceptions I’m aware of myself, so I know these are just temporary fixes).

  • If you have multiple accounts and multiple Authenticators (just like me), I suggest you unbind the one you use from all the accounts but one.
  • If you’re unwilling to do so (just like me), you can use a little twist at login. Say you want to log in with Account1. Generate a code, log in with Account2, log out, then log back in with Account1 using the same code. You’re safe.
  • Bother Blizzard until they fix this (hey, I’m jk). (No, maybe not).
  • Pray to God if you do believe in him.

There’s not much more to do. I personally use the second method described above. The only thing I ask of you at this point is to spread the word. The only way to be safe in this world is to know what surrounds us. If you know where the problem lies, you know how to fix it. At the same time, if people learn where the vulnerability is, they learn how to keep themselves safe. In the hope it’s not already too late.

10 replies on “Blizzard Authenticator Flaw”

Yes it would. And I happen to own two authenticators. Problem is, why should I use two? Just because Blizzard failed in doing their job?

Sounds so cheesy to me… :\

Or you just skip those porno sites and think before downloading any shit? And you won’t get any key loggers! And a hacker won’t be able to hack you? :> Even if the system is kinda failing, it’s a cheap one! To make the one you are asking for would cost a lot more and a regular customer wouldn’t afford to get one for himself. There might be a failure, but YOU will always be the biggest failure if you get hacked.

I’d like to make you aware of a few things:

First: what you are saying makes totally no sense.

Second: not everybody is able to play in totally safe conditions. The only time I got hacked, for once, was when I logged on my sysadmin friend’s notebook, in his network café. Little did he know, back in the UICentral days, he had a keylogger on.

Third: if somebody happens to be in need to play from another computer, say, from a network café, they should be a little more protected, and this by far is a great solution. And the usual explanations such as “if you’re not on your computer do not do anything at all” just plainly suck, and I’m not discussing here why.

Fourth: I’m not asking anything different from what I have, I just pretended (and obtained, albeit in a small part) the server-side code of the authenticator to be fixed. Again what you’re saying makes TOTALLY NO SENSE. It would cost a lot more? Regular customers wouldn’t afford it? WTF?!? Did you even understand what I wrote here? Guess not.

Fifth and last: I’m BLOODY TIRED of idiots just like you who blame people for getting keyloggers, or being hacked or whatever. When I got hacked I’ve been called a power-leveler, a gold-buyer, a moron, a porn-downloader, an idiot and whatnot. Guess what, it wasn’t even remotely my fault, nor did my friend go “browsing” “those porno sites” or “downloading any shit”. In certain borderline conditions, there’s not much you can do. Stop being a jerk.

Overall I’d like to tell you to both re-read and try to understand what I wrote, and go get a clue.

Or just get the hell out, that’ll do too.

Peace.

How about another solution that you never thought of. After you login to Account # 1, press the Blizzard Authenticator again. This will generate another code that needs to be used to login and will not be picked up by a key logger since you will not be typing this code in. Problem solved, one Blizzard Authenticator, multiple accounts, no problems. 😉

It would be a good idea if that’s how the authenticators worked, which is clearly not the case. The only thing the auth will do is provide you with a valid code (for a limited span of time) to allow you to log in. Creating a new one won’t disable the previous one. It’s not some sort of car alarm system. You can do the following: type in the first one, generate a second one, and then still log in with the first one. Since the auth data is not synchronous, your procedure won’t work, while it “kinda” would work given some of the car alarm systems.

Good call though 🙂

I hate to urinate on your bonfire but you’re forgetting 1 crucial mentality not related to Blizzard or players: the key logger and the hackers themselves. They will be key logging LOADS of people at the same time (they are making a large scale business out of this); it’s irrational to think that they would read your specific key log string within minutes of it arriving and then utilise it before the code expires. The chance of that happening is approximately the same chance as your vindictive flat mate borrowing your Authenticator when you’re not looking and raping your account. Even if it did happen you can bet your butt the chance of it happening again would be even smaller, as you would have been bathed in advice about not being dumb enough to browse key logger hotspots and to get anti-viral software to nail the loggers. And just as important, you would still get most if not all your losses back from the hack. It may not be an air tight system but it’s a bloody good one for dummies that don’t browse safe and for the rare accidents.

Feel free to urinate at your wish; anyway I totally agree with you and, as things stand now (or how we think they stand), it’s not possible. Anyway, what left me kind of worried was the ease of automating such a process. Considering how things stood back in the day, it was very easy to implement an automatic workaround right inside the keylogger itself.

Anyway we’re talking about more than one year ago, and a lot of fixes have been made to remove the problem. Such as, for example, the (now) impossibility to use the same code to log into game & website (clicky, clicky, remove auth, bye).

So, at the very end of things, would you leave a 1y+ post alone? 🙂