Tavis Ormandy (Google security researcher) has discovered a critical vulnerability in Blizzard games that could enable remote attackers to run malicious code on gamers’ machines.
This flaw puts millions of PCs at risk by exposing them to DNS Rebinding attacks. Every month, about half a billion users play popular online games produced by Blizzard Entertainment, such as World of Warcraft, Diablo III, Hearthstone, Overwatch and Starcraft II.
To play the Blizzard games, users just need to download and install a client app called “Blizzard Update Agent”. The app runs a JSON-RPC server listening on localhost port 1120, and “accepts commands to install, uninstall, change settings, update and other maintenance related options.”
According to the researcher:
All Blizzard games are installed alongside a shared tool called “Blizzard Update Agent”, investor.activision.com claims they have “500 million monthly active users”, who presumably all have this utility installed.
The researcher said that the app is exposed to a ‘DNS Rebinding’ attack, in which any website can create a DNS name that it is authorized to communicate with and then make that name resolve to localhost.
A hacker can use the DNS Rebinding attack to create a DNS entry that connects any hacker-controlled web page with 127.0.0.1, and then fool players into visiting that web page. With this method, the hacker can remotely send privileged commands to the Blizzard Update Agent using JavaScript code.
After the researcher’s report went public, the company contacted him and said “Blizzard here. We have a more robust Host header whitelist fix in QA now and will deploy soon.”