Yesterday, Google Project Zero researcher Tavis Ormandy warned that all Activision Blizzard games had a security vulnerability that cyber thugs could have remotely exploited to run malicious code on gamers’ PCs.

All Blizzard games (World of Warcraft, Overwatch, Diablo III, Starcraft II, etc.) were vulnerable to a DNS rebinding vulnerability allowing any website to run arbitrary code. 🎮 https://t.co/ssKyxfkuZo — Tavis Ormandy (@taviso) January 22, 2018

Back in December, Ormandy responsibly disclosed the vulnerability in the Blizzard Update Agent, which all Blizzard games use for installing game upgrades and patches. According to Ormandy, the agent utility created a JSON RPC server listening on port 1120 and accepted “commands to install, uninstall, change settings, update and other maintenance related options.”

Blizzard had a custom authentication scheme to check if the changes were authorized, yet Ormandy said, “I don’t think this design will work because of an attack called DNS rebinding. Any website can simply create a DNS name that they are authorized to communicate with, and then make it resolve to localhost. To be clear, this means that any website can send privileged commands to the agent.”

He sent a proof-of-concept demo of the exploit working to Blizzard, which reportedly has half a billion active users a month.

Blizzard goes silent

When Blizzard was first alerted to the vulnerability in its Blizzard Update Agent, the company was communicating with Ormandy via email. But on Dec. 22, 2017, Blizzard went silent. It gave Ormandy the cold shoulder and silently rolled out a patch.

They were communicating, and then just stopped 🤷‍♂️. They didn't even notify me they were shipping a patch; I had to bindiff it. — Tavis Ormandy (@taviso) January 22, 2018

Just last week, Blizzard claimed, “We take account security seriously.” Granted, that announcement was geared toward the company handing out free stuff to gamers who added Blizzard SMS Protect and Blizzard Authenticator to their accounts.

Yet if the company really took security seriously, it would not have stopped communicating with Ormandy, nor would it have silently rolled out a fix that Ormandy thinks is flawed. In fact, Ormandy called Blizzard’s patch a “bizarre solution.”

Their solution appears to be to query the client command line, get the 32-bit FNV-1a string hash of the exe name, and then check if it's in a blacklist. I proposed they whitelist hostnames, but apparently that solution was too elegant and simple.

“I'm not pleased that Blizzard pushed this patch without notifying me, or consulted me on this,” he added. “The obvious flaw in this scheme is that the blacklist needs to be complete and maintained, so I expect it will break in (the) future or for users on unusual browsers.”

Faced with the backlash of looking like inept jerks, Blizzard later said on the Chromium Bug Tracker, “We have a more robust Host header whitelist fix in QA now and will deploy soon. The executable blacklisting code is actually old and wasn’t intended to be a resolution to this issue. We’re in touch with Tavis to avoid miscommunication in the future.”
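As an added illustration (not Blizzard's code, nor Ormandy's), here is the kind of Host header allowlist Ormandy proposed and Blizzard said it was moving to, applied to a loopback JSON-RPC agent like the one described above. Port 1120 comes from the report; the allowlisted names, the peer-address check and the sample requests are assumptions constructed for this example.

```python
import ipaddress
import re

# Assumed policy for a loopback JSON-RPC agent: 1120 is the port named in the
# report; the allowlisted names and everything else here are this example's own.
AGENT_PORT = 1120
ALLOWED_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})

# Strict Host grammar: a bracketed IPv6 literal or a hostname, optional port.
# A hand-written pattern avoids URL-parser quirks such as "user@host" confusion.
HOST_RE = re.compile(
    r"^(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<name>[A-Za-z0-9.-]+))(?::(?P<port>\d{1,5}))?$"
)

def parse_host_header(value):
    """Return (host, port) from a Host header, or None if it is malformed."""
    m = HOST_RE.match(value.strip())
    if not m:
        return None
    host = (m.group("v6") or m.group("name")).lower().rstrip(".")
    port = int(m.group("port")) if m.group("port") else None
    return host, port

def host_header_allowed(value):
    """Exact-match allowlist: 'localhost.attacker.example' is not 'localhost'."""
    parsed = parse_host_header(value)
    if parsed is None:
        return False
    host, port = parsed
    return host in ALLOWED_HOSTS and port in (None, AGENT_PORT)

def loopback_peer_check(peer_ip):
    """The check rebinding defeats: a rebound request really arrives from loopback."""
    return ipaddress.ip_address(peer_ip).is_loopback

def authorize_request(peer_ip, host_header):
    """Both checks must pass; returns (allowed, reason)."""
    if not loopback_peer_check(peer_ip):
        return False, "peer is not loopback"
    if not host_header_allowed(host_header):
        return False, "Host not allowlisted (possible DNS rebinding)"
    return True, "ok"

if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    for peer, host in [("127.0.0.1", "localhost:1120"),
                       ("127.0.0.1", "rebind.attacker.example:1120"),
                       ("127.0.0.1", "localhost.attacker.example:1120"),
                       ("192.0.2.10", "localhost:1120")]:
        print(f"{peer:<11} Host: {host:<32} -> {authorize_request(peer, host)}")
```

The second sample is the rebinding case: the connection genuinely comes from 127.0.0.1, so the peer check alone passes, but the browser still sends the attacker's hostname in the Host header, which the allowlist rejects.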

Heads-up to other game makers: Ormandy said he intends to start looking into other games that have “very high install bases (100M+) in the coming weeks.” When he finds a flaw, and this is Ormandy so he surely will, it would be wise not to make the same mistakes Blizzard did.