Blizzard Authenticator Flaw [ITA]

[LinK] WoW-Europe Forums discussion
[LinK] English version (you can comment there)

Video, or it never happened (cit.)

Yes, I have come to the conclusion that I can no longer keep my mouth shut. Blizzard is probably still busy with the expansion, and I bet everything I own that they will not spend any time fixing a security flaw nobody knows about. That leaves me two options: wash my hands of it, or inform people and tell them how to prevent a tragedy like this (it happened to me, I know how it feels).

First of all, let's start with the e-mail I sent to Blizzard:

Reference: http://forums.wow-europe.com/thread.html?topicId=6365388840&sid=1

So, basically I don’t know how you could ever mess up a thing like this, but ok, let’s explain.

Once you fire up the Blizzard Authenticator, you paste it in the login screen and that’s it, the number is saved and it can’t be used anymore. Also, if not used within a certain time it will eventually expire. And we all know this. The problem is, how did you implement this?

Once you use the code, it gets saved to the account. And that’s what screws up the security. As long as you have a single Authenticator for a single account, you’re safe, but when you start to use a single Authenticator (as you all suggested as well) for multiple accounts, you are screwed. Example:

Account 1, generated code 123321, I log in and write the code down.
10 minutes later, Account 2, another generated code 321123, I log in.
20 minutes later, Account 3, 123321 or 321123 doesn’t matter, I log in.
Or Account 1 with 321123, or Account 2 with 123321 for that matter. It doesn’t matter, they all work.

This is where your problem lies. You didn’t do the right thing. You didn’t have to save the generated codes by account, but by Key ID instead. If you don’t, all the valid keys generated (and logged) for an account may be used on the other account too. Authenticator beaten by a keylogger, that’s the most ironic thing ever.

Here’s the deal: when a user logs in check the Authenticator ID saved with his account, and then in a new table save the code by AuthID, and not in the account data. This will probably increase collisions, but better having collisions than hacked accounts, don’t you think?

Looking forward to an early reply.

Sincerely yours,
Skizo

Now, if you have read and understood that, you are probably thinking “ok, so they answered you, right?”. Excerpt from the automatic reply:

Due to the high volume of e-mails received by the Hacks & Anti-Piracy section it is not always possible for us to respond individually to every report, and this may be the only e-mail you receive from us regarding this matter.

As you can understand, my only option was to wait for an e-mail that might never arrive, dreading that by the time it came it would already be too late, or to release the information. With the journalist's blood I have in me, I could do no less than what I am doing, and I have already waited too long to do it.

So, in short, what does all this have to do with me? On with the explanation.

The basics of the Blizzard Authenticator

The Blizzard Authenticator, like every other key generator of its kind, works like this: you generate a code, you use the code, and the same code can never be used again. This prevents account thefts by keyloggers, because even if the attackers have your username and password they cannot pass the last test, which is a unique, single-use generated key. Several banks use the same system for online transactions. The BA does the same thing. The problem lies in how it was implemented.

If you have a single account and a single BA, you are safe. Sleep tight. If, like me, you have more than one account, you are not allowed to sleep. Where did the security break? If you did not get it from the e-mail above, I'll explain it briefly:

  • You have two accounts
  • You generate code 123456 to log in with Account1
  • Code 123456 is saved for Account1
  • Since Account1 and Account2 share the same BA but code 123456 has not been saved for Account2, you can use code 123456 on your other account too, thus breaking the single-use property of the key.

This means that if the attackers are fast enough, while you log in on your main account they could send themselves the code you just used and log in on your other account in the meantime. Sure, it takes timing and skill, but I don't think that's a reason to relax.

There are several solutions to this anyway. The first would be for Blizzard to fix their tables. It should work like this:

  • You have two accounts
  • You generate code 123456 to log in with Account1
  • Account1 uses BA1
  • Code 123456 is saved for BA1
  • Account2 also uses BA1, so code 123456 cannot be used again to log in with another account, just as code 654321 generated to log in with Account2 cannot be used to log in with Account1.
  • Happy face here 🙂

Since that is rather unlikely to happen in the near future (you know, multinational corporations…) I came up with a couple of suggestions you can use to fix the problem most of the time (there are some exceptions I am aware of myself; I know these are only temporary fixes).

  • If you have multiple accounts and multiple Authenticators (just like me), I suggest you unbind (remove the link between) your BA and all the accounts you own except one, and use the other Authenticators, one for each account. One BA for one account, and you are 100% safe again.
  • If you are not inclined to do that (just like me) you can use a little trick at login. Say you want to log in with Account1. Generate the code, log in with Account2, log out, log back in with Account1 using the same code. You are safe.
  • Bother Blizzard until they fix the problem (hey, I'm joking). (No, maybe not).
  • Pray to God if you believe in him.

There is not much else to do. Personally I use the second method in the list.

The only thing I ask of you at this point is to spread the word. The only way to be safe in this world is to know what surrounds us. If you know where the problem lies, you know how to fix it. At the same time, if people know where the vulnerability lies, they know how to protect themselves.

Hoping it is not already too late.

Blizzard Authenticator Flaw

[LinK] WoW-Europe Forums discussion
[LinK] Italian version

Video, or it never happened.
Yes, I came to the conclusion I can’t keep my mouth shut any longer. Blizzard is probably still busy with the expansion, and I bet my socks they won’t spend any time fixing a security flaw nobody knows about. Which leaves me two options: wash my hands of it, or inform the crowd and tell them how to prevent such a tragedy (been there, done that). First off, let’s start with the e-mail I’ve sent to Blizzard.

Reference: http://forums.wow-europe.com/thread.html?topicId=6365388840&sid=1

So, basically I don’t know how you could ever mess up a thing like this, but ok, let’s explain.

Once you fire up the Blizzard Authenticator, you paste it in the login screen and that’s it, the number is saved and it can’t be used anymore. Also, if not used within a certain time it will eventually expire. And we all know this. The problem is, how did you implement this?

Once you use the code, it gets saved to the account. And that’s what screws up the security. As long as you have a single Authenticator for a single account, you’re safe, but when you start to use a single Authenticator (as you all suggested as well) for multiple accounts, you are screwed. Example:

Account 1, generated code 123321, I log in and write the code down.
10 minutes later, Account 2, another generated code 321123, I log in.
20 minutes later, Account 3, 123321 or 321123 doesn’t matter, I log in.
Or Account 1 with 321123, or Account 2 with 123321 for that matter. It doesn’t matter, they all work.

This is where your problem lies. You didn’t do the right thing. You didn’t have to save the generated codes by account, but by Key ID instead. If you don’t, all the valid keys generated (and logged) for an account may be used on the other account too. Authenticator beaten by a keylogger, that’s the most ironic thing ever.

Here’s the deal: when a user logs in check the Authenticator ID saved with his account, and then in a new table save the code by AuthID, and not in the account data. This will probably increase collisions, but better having collisions than hacked accounts, don’t you think?

Looking forward to an early reply.

Sincerely yours,
Skizo

Now you’re probably also thinking “so, you got an answer, right?”. Excerpt from the automatic response:

Due to the volume of email received by the Hacks & Anti-Piracy team it is not always possible for us to respond to each report individually and this may be the only email you receive from us regarding this matter.

As you can see, my only option was either to wait for an e-mail that might never arrive, dreading that by the time it’s fixed it’s already too late, or to spread the information. With journalist blood in my veins, I couldn’t do any less than this; I’ve already waited too long. So, in short, what does all this have to do with me? On to the explanation.

The basics of Blizzard Authenticator

The Blizzard Authenticator, just like any other key generator of its kind, works like this: you generate a code, you use the code, and the same code can never be used again. This prevents hacks due to keyloggers, because even if the attackers have your username and password, they can’t pass the final test, which is a one-time generated key. The BA does just the same. The problem lies in the way it’s been implemented: "single-use" only holds if the server remembers that a code has been consumed, and what matters is what that memory is keyed on. If you have a single account and a single BA, you are safe. Sleep tight. If you use multiple accounts like me, you’re not allowed to sleep tight. Where did the security break? If you didn’t understand from the mail above, I’ll explain in short:

  • You have two accounts
  • You generate code 123456 to log in with Account1
  • Code 123456 gets saved for Account1
  • Since Account1 and Account2 share the same BA but code 123456 has not been saved for Account2, you can use 123456 on your other account too, thus breaking the one-time property of the key.

This means that if the attackers are fast enough, while you log in on your main account they could send the captured code over the net and use it on your other account to do whatever they please. The captured code is only good until it expires, so they have to replay it within that window; sure, it requires some timing and some skill, but I don’t think that’s a reason to relax. There are some workarounds for this though. The first would be to have Blizzard fix their tables (as in data storage system, not furniture). It should work like this:

  • You have two accounts
  • You generate code 123456 to log with Account1
  • Account1 uses BA1
  • Code 123456 gets saved for BA1
  • Account2 uses BA1 too, so code 123456 can’t be used again to log in with another account, just as code 654321 used to log in with Account2 can’t be used to log in with Account1.
  • Happy face here 🙂

Since this is unlikely to happen in the near future (you know, multinational corporations…) I came up with a couple of suggestions that I use and that may fix your problem most of the time (there are a few exceptions I’m aware of myself, so I know these are just temporary fixes).

  • If you have multiple accounts and multiple Authenticators (just like me), I suggest you unbind the one you share from all your accounts but one, and bind a separate Authenticator to each of the others. One BA per account and you’re back to being safe.
  • If you’re unwilling to do so (just like me) you can use a little twist at login. Say you want to log in with Account1. Generate a code, log in with Account2, log out, log back in with Account1 using the same code. You’re safe.
  • Bother Blizzard until they fix this (hey, I’m jk). (No, maybe not).
  • Pray to God if you do believe in him.
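The flaw in the first list above and the per-Authenticator fix in the second, together with the login-twice workaround, as an added runnable model. This is example code written for this page, not Blizzard's implementation. It assumes the token is an RFC 4226 HOTP event counter (the page does not say what algorithm the real Authenticator uses) and that the server, as the post describes, relies only on a table of used codes rather than on advancing a per-token counter; the names `Authenticator`, `LoginServer`, the serial `BA-0001` and the seed are constructed for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class Authenticator:
    """Toy stand-in for the physical token: a serial number, a shared secret
    and an event counter that advances on every button press."""

    def __init__(self, serial: str, secret: bytes):
        self.serial, self.secret, self.counter = serial, secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class LoginServer:
    """Server side of the check. `key_used_codes_by` selects how a consumed
    code is remembered: "account" reproduces the flaw described on the page,
    "serial" is the fix the page proposes (remember it per Authenticator)."""

    def __init__(self, key_used_codes_by: str, window: int = 10):
        assert key_used_codes_by in ("account", "serial")
        self.key_used_codes_by = key_used_codes_by
        self.window = window        # how far past the sync point a code is accepted
        self.tokens = {}            # serial -> (secret, synced counter)
        self.accounts = {}          # account name -> serial of the bound token
        self.used_codes = set()     # the "saved codes" table from the post

    def register_token(self, token: Authenticator) -> None:
        self.tokens[token.serial] = (token.secret, 0)

    def bind(self, account: str, serial: str) -> None:
        self.accounts[account] = serial

    def login(self, account: str, code: str) -> bool:
        """Password already checked; this is only the Authenticator step.
        Assumption (not stated on the page): the server accepts any code in
        its look-ahead window without advancing a per-token counter, so the
        used-codes table is the only thing that stops a second use."""
        serial = self.accounts[account]
        secret, synced = self.tokens[serial]
        if not any(hmac.compare_digest(hotp(secret, c), code)
                   for c in range(synced, synced + self.window)):
            return False            # not a code this token could have produced
        owner = account if self.key_used_codes_by == "account" else serial
        if (owner, code) in self.used_codes:
            return False            # replay
        self.used_codes.add((owner, code))
        return True


def replay_across_accounts(key_used_codes_by: str) -> dict:
    """The page's scenario: one Authenticator bound to two accounts; the code
    used on Account1 is captured (keylogger) and replayed against Account2."""
    server = LoginServer(key_used_codes_by)
    ba = Authenticator("BA-0001", b"constructed sample seed")  # constructed, not a real token
    server.register_token(ba)
    server.bind("Account1", ba.serial)
    server.bind("Account2", ba.serial)
    code = ba.press()
    return {
        "owner_login": server.login("Account1", code),
        "replay_same_account": server.login("Account1", code),
        "replay_other_account": server.login("Account2", code),
    }


def login_twice_workaround() -> dict:
    """The page's second workaround on the flawed server: burn the code on
    Account2 before using it on Account1. Both accounts are then closed to
    replay, but a third account bound to the same Authenticator stays open."""
    server = LoginServer("account")
    ba = Authenticator("BA-0001", b"constructed sample seed")
    server.register_token(ba)
    for name in ("Account1", "Account2", "Account3"):
        server.bind(name, ba.serial)
    code = ba.press()
    burn = server.login("Account2", code) and server.login("Account1", code)
    return {
        "workaround_logins": burn,
        "attacker_on_account1": server.login("Account1", code),
        "attacker_on_account2": server.login("Account2", code),
        "attacker_on_account3": server.login("Account3", code),
    }
```

`replay_across_accounts("account")` reproduces the post's scenario: the code captured from Account1 is accepted on Account2. With `"serial"` the same replay is rejected because the used-code table is keyed by the Authenticator, as the e-mail proposes. On a counter-based token the stronger fix is to also advance a per-serial high-water mark and reject any code at or below the last accepted counter, which makes the used-code table unnecessary. `login_twice_workaround()` shows the limit of the second suggestion in the list: the code is burned only on the accounts you actually log into, so a third account bound to the same Authenticator still accepts it.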

There’s not much more to do. I personally use the second method described above. The only thing I ask of you at this point is to spread the word. The only way to be safe in this world is to know what surrounds us. If you know where the problem lies, you know how to fix it. At the same time, if people get to know where the vulnerability is, they get to know how to keep themselves safe. In the hope it’s not already too late.

Blizzard Authenticator Exploit

Today I decided to warn Blizzard about the security flaw in their “Blizzard Authenticator” implementation.

As a couple of you know already (literally a couple) I have found a way to bypass it. Should a hacker find the same method I discovered, it would make those authenticators close to useless.

For the moment Blizzard decided just to ignore me, which is eventually making me upset.

I don’t know as of now if or when I will disclose the news to the public, but if Blizzard keeps ignoring me that shall happen soon. Very, very soon.

Update: it seems that my last comment (and one of the replies) have just been trashed. Total replies: 2, only comment visible: mine. Oh, Blizz, that’s a no-no.

Update #2: They eventually answered and showed it all back. Stay tuned. Moar updates soon.

The “Wonderful” Nerf

I’ll cut it short and rantful. Hoomins are now useless.

What does that translate to?

Fuck you blizz. Srsly.

And all you naysayers too. I don’t give a SHIT that EMfH isn’t a trinket; the only thing a human could use to fight against stealthers (or rather, to prevent terrible 100-0 stunlocks) was Perception, which has basically been taken away. Rogues can easily get off poisons + a double stun right after the ability has been popped. The difference is that now we’re fucked. So go die in hell if you think otherwise, careface.

Oops, I did it again

I know guys, you’re all thinking “another frickin’ batch-update?”. At least the ones of you who give a damn.

Well, to my excuse I should note all the yearly events or pre-WotLK preparations we’ve been doing. Example:

Bloodsail Buccaneers Admirals

How to achieve that you ask? Well, just kill everyone in Booty Bay until you get hated with Booty Bay (and the whole Steamwheedle Cartel by the time you finish), and friendly with Bloodsail Buccaneers. Pretty arse, but the Parrot is great. Harrr.

But this only took a couple nights. This is what kept us busy for the whole Brewfest time:

Great Brewfest Kodos in Line
Kodo Aerobics

That took us a long time. And for that matter, the last mount got us dubbed ‘ninjas’ over a misunderstanding with a rogue, go figure.

Anyways, I’m still around. Just hang around.

MOAR is to come soon, especially for locks and the users of my addons.

Videos from Northrend

Just to pick up the pace once again, I’d like to share a couple videos I took a long time ago in my Northrend trips.

Behold! The ship! And carrots. On a stick! ’nuff said.

If some of you have an epic flying mount, then you probably know that if you get hit by a fireball/shadowbolt/anything like that while you’re at full throttle, the little thing will keep following you forever and ever (those projectiles appear to move at around 280%+10%). Blizzard took it one step further: while roaming in a camp an axe was thrown at me, which apparently can’t break the 100% speed barrier. Poor axe.

L70ETC – Power of the Horde (Live from BRD)

I gave my word to Tiamat that I’d be posting this video, so here we go: L70ETC – Power of the Horde (Live from BRD).

DeathIncarnate, the Origins

DeathIncarnate the Lock

Some people have been wondering where the name DeathIncarnate came from for me, so I thought it was a good time to explain it.

That nerdy gf of mine likes to roam around “zeh interwebs” looking for random stuff. She eventually stumbled into the blog of a Holy Priest, read a funny article and made me read it too. Aside from the fact that it was actually funny, I’ve sometimes been dubbed DeathIncarnate ever since.

Group Questing

That means that while TankMaster is getting healed, so is FidoPet, OverzealousMage, and DeathIncarnate, the warlock that’s already killed five mobs, and is wondering what’s taking the rest of you so long.

[Source]. The part that made us laugh like hell was the fact that just 2 days before we had to farm some Clefthooves, and so we did. While she was killing one mob I randomly DoTted 4-5 of them, and when she had finished killing her first I had already started on the 6th. And, in addition, her brother, who had just stepped in, called her useless, laughing at her DPS.

The “Egotistical Priest” has also coined another term. So if you want to know who the Holy Bowler is (a Draenei Paladin, actually), you should really read this. Or not. It’s not like I care either way.

I see living Kodos

If you ever played with me in WoW, then you probably know that one of my greatest regrets of playing Alliance is that I can’t have a kodo. Or is it?

Brewfest came (more on it later), and kodos came along. So I’m very proud to present you my own personal [Great Brewfest Kodo].

I’d add a “WOOT! WOOT!” here, but I’ll just stick to images.

And one…
… and two…
… and three!!

Lotta love <3

“We don't stop playing because we grow old; we grow old because we stop playing.”