Imagine you could reach into an application that had none of the enterprise security protections we’ve come to appreciate but was still used by millions of people — themselves blissfully unaware of the risks the application posed — and use that vulnerable application to hack into millions of PCs.
That may sound like a dream scenario for cybercriminals, but it’s all too real thanks to modern video games.
Tavis Ormandy of Google’s Project Zero this week published details of a DNS rebinding flaw contained in the PC games of Blizzard Entertainment, including World of Warcraft, Overwatch, Hearthstone and StarCraft. The Blizzard security flaw, which is contained in a shared utility tool called “Blizzard Update Agent,” allows a malicious actor to impersonate the company’s network and issue privileged commands and files to the tool — which, again, is contained within all of Blizzard’s PC games and would theoretically put millions of players’ PCs at risk.
“Any website can simply create a DNS name that they are authorized to communicate with, and then make it resolve to localhost,” Ormandy wrote in the Chromium bug report. “To be clear, this means that *any* website can send privileged commands to the agent.”
The actual number of gamers at risk is unknown. Ormandy referenced a report claiming “500 million monthly active users [MAUs],” however that number refers to the total number of MAUs for Blizzard’s parent company, Activision Blizzard. According to Activision Blizzard’s third quarter 2017 financial results, Blizzard alone reached a record 42 million MAUs for the period, but it’s unclear how many of those users would be affected by the Blizzard security bug (the Blizzard Update Agent is only contained in the PC version of the company’s games and not used in game console versions).
If the DNS rebinding vulnerability itself wasn’t bad enough, there was a lack of communication from Blizzard as well as later miscommunication about how the issue was being addressed. In the Chromium bug report, Ormandy wrote that he notified Blizzard of the issue on Dec. 8, but weeks later the company had cut off contact with him.
Blizzard (partially) addressed the critical DNS rebinding vulnerability with an update to the tool that checks requests against a blacklist of applications and executables. But the company didn’t alert Project Zero that it had updated the tool; Ormandy learned about it on his own.
As a result, Ormandy, believing the Blizzard security flaw had been silently patched, publicly disclosed the vulnerability. But Blizzard quickly restored contact with Ormandy to say the previous update wasn’t the final fix for the issue and that it was working on a different patch for the DNS rebinding vulnerability.
“We have a more robust Host header whitelist fix in QA now and will deploy soon. The executable blacklisting code is actually old and wasn’t intended to be a resolution to this issue,” a Blizzard representative said on the Chromium post. “We’re in touch with Tavis to avoid miscommunication in the future.”
Blizzard finally issued a new Blizzard Update Agent, version 2.13.8, on Wednesday with the host header whitelist to completely fix the issue.
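To make the difference between the two fixes concrete, here is an added example (not Blizzard’s code, and not taken from Ormandy’s report) that models a localhost agent’s request authorization. A DNS rebinding page sends its request from the victim’s own browser, so the connection really does arrive from 127.0.0.1, but the Host header still carries the attacker’s DNS name. An executable blacklist only rejects names it already knows, so a request naming anything else passes; a Host header whitelist rejects the request before any command is parsed. The request dictionaries, port, executable names and blacklist entries below are constructed for illustration.

```python
"""Model of a localhost agent's request authorization (added example).

Contrasts the executable blacklist the article says shipped first with
the Host header whitelist that was the actual fix for DNS rebinding.
All request data and names here are constructed, not from Blizzard's tool.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Only these Host values identify a genuine same-machine request. A page
# that rebound its own DNS name to 127.0.0.1 still sends that name here.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}

# Hypothetical blacklist of the shape the article describes. Whatever is
# on it, a rebinding page can name an executable that is not.
BLACKLISTED_EXECUTABLES = {"cmd.exe", "powershell.exe"}


def host_allowed(host_header: Optional[str]) -> bool:
    """Host header whitelist: strip any port, then require an exact match."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):
        # Bracketed IPv6 literal, e.g. "[::1]:1234" -> "[::1]"
        host = host.split("]")[0] + "]"
    else:
        # "localhost:1234" -> "localhost"; a bare host is left unchanged
        host = host.rsplit(":", 1)[0]
    return host in ALLOWED_HOSTS


def executable_blacklisted(executable: str) -> bool:
    """Executable blacklist: rejects only names it already knows."""
    return executable.lower() in BLACKLISTED_EXECUTABLES


def authorize(request: dict, policy: str) -> bool:
    """Decide whether a privileged 'run' command should be honoured."""
    if policy == "blacklist":
        return not executable_blacklisted(request["executable"])
    if policy == "host_whitelist":
        return host_allowed(request.get("host"))
    raise ValueError(f"unknown policy {policy!r}")


class AgentHandler(BaseHTTPRequestHandler):
    """Minimal HTTP endpoint that applies the Host whitelist before anything else."""

    def do_POST(self):
        if not host_allowed(self.headers.get("Host")):
            self.send_error(403, "Host header not permitted")
            return
        # Only a request that passed the Host check would be parsed further.
        self.send_response(204)
        self.end_headers()


# Constructed requests. LOCAL_REQUEST is what a launcher on the same machine
# would send; REBOUND_REQUEST is what a browser sends after the attacker's
# DNS name (constructed: attacker.example) has been rebound to 127.0.0.1.
LOCAL_REQUEST = {"host": "localhost:1234", "executable": "game-launcher.exe"}
REBOUND_REQUEST = {"host": "attacker.example:1234", "executable": "not-on-the-list.exe"}


def compare_policies() -> dict:
    """Outcome of each policy for both requests; True means the command would run."""
    return {
        policy: {
            "local": authorize(LOCAL_REQUEST, policy),
            "rebound": authorize(REBOUND_REQUEST, policy),
        }
        for policy in ("blacklist", "host_whitelist")
    }


if __name__ == "__main__":
    for policy, outcome in compare_policies().items():
        print(f"{policy:15s} local={outcome['local']} rebound={outcome['rebound']}")
    # Constructed port; run this only on a machine where it is free.
    HTTPServer(("127.0.0.1", 1234), AgentHandler).serve_forever()
```

The comparison shows why the blacklist was never a real fix: it lets the rebound request through because the attacker chose an executable name the list does not contain, whereas the Host whitelist refuses it without needing to know anything about the command. Listening on 127.0.0.1 rather than 0.0.0.0 is a separate, complementary measure; it does not replace the Host check, since the rebound request arrives on the loopback interface anyway.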
Uncovering critical bugs in games
I’ve long worried about the relative insecurity of PC games, specifically massively multiplayer online games or MMOs. I had the fortune of covering the video game industry for several years, and it left me with several prevailing beliefs about how inherently broken the modern game development process is. Big budget games are routinely subjected to what’s known in the industry as “crunch,” which are periods of substantially longer work hours and increased pressure in an effort to meet deadlines and development milestones.
And yet even with these crunch periods (or, as some claim, because of them), PC games routinely launch with bugs. In fact, even blockbuster games with the biggest budgets often ship with bugs, whether it’s a minor but obvious graphical glitch or a major flaw that renders the game unplayable. And these are the bugs that “matter” to the industry’s bottom line. If these sorts of flaws are slipping by, I shudder to think what type of security vulnerabilities are lurking inside these games.
The case of Blizzard’s security flaw is concerning, and not just because of the nature of the DNS rebinding vulnerability. Blizzard is one of the most successful and respected game companies in the industry, not just for the quality of its game development but also for its technical support and service. And yet the company seemingly fumbled its way through the bug disclosure and patching processes in this case. Bugs and vulnerabilities are inevitable, which is why proper handling of the discovery, disclosure and mitigation is, for lack of a better word, critical.
Blizzard’s security flaw should serve as a wake-up call for other MMO makers and the games industry as a whole. Ormandy said he plans to look at other popular PC games in the near future. That’s a good thing; video game companies should welcome the news with open arms.
You never want one of the best known and most prolific bug hunters in infosec knocking on your door. But game companies have to answer the knock before they find themselves, and their customers, getting pwned.