[Link] WoW-Europe Forums discussion
[Link] Italian version

Video, or it never happened.

Yes, I came to the conclusion that I can't keep my mouth shut any longer. Blizzard is probably still busy with the expansion, and I bet my socks they won't spend any time fixing a security flaw nobody knows about. Which leaves me two options: wash my hands of it, or inform the crowd and tell them how to prevent such a tragedy (been there, done that).

First off, let's start with the e-mail I sent to Blizzard.

Reference: http://forums.wow-europe.com/thread.html?topicId=6365388840&sid=1

So, basically, I don't know how you could ever mess up a thing like this, but ok, let me explain.

Once you fire up the Blizzard Authenticator, you enter the code on the login screen and that's it: the number is saved and can't be used anymore. Also, if it's not used within a certain time, it will eventually expire. And we all know this. The problem is, how did you implement this?

Once you use the code, it gets saved to the account. And that's what screws up the security. As long as you have a single Authenticator for a single account, you're safe, but when you start to use a single Authenticator (as you all suggested as well) for multiple accounts, you are screwed. Example:

Account 1, generated code 123321, I log in and write the code down.
10 minutes later, Account 2, another generated code 321123, I log in.
20 minutes later, Account 3, 123321 or 321123, it doesn't matter, I log in.
Or Account 1 with 321123, or Account 2 with 123321, for that matter. It doesn't matter, they all work.

This is where your problem lies. You didn't do the right thing. You didn't have to save the generated codes by account, but by Key ID instead. If you don't, all the valid keys generated (and logged) for an account may be used on the other account too. Authenticator beaten by a keylogger, that's the most ironic thing ever.

Here's the deal: when a user logs in, check the Authenticator ID saved with his account, and then save the code in a new table keyed by AuthID, not in the account data. This will probably increase collisions, but better to have collisions than hacked accounts, don't you think?

Looking forward to an early reply.

Sincerely yours,
Skizo

Now you're probably thinking "so, you got an answer, right?". Excerpt from the automatic response:

Due to the volume of email received by the Hacks & Anti-Piracy team it is not always possible for us to respond to each report individually and this may be the only email you receive from us regarding this matter.

As you can see, my only option was either to wait for an e-mail that would never arrive, fearing that by the time it's fixed it's already too late, or to spread the information. With journalist blood in my veins, I couldn't do any less than this; I've already waited too long.

So, in short: "what does all this have to do with me?", you ask. Let me explain.

The basics of Blizzard Authenticator

The Blizzard Authenticator, just like any other key generator of its kind, works like this: generate a code, use the code, and from then on the same code can never be used again. This prevents hacks due to keyloggers, because even if the attackers have your username and password, they can't pass the final test, which is a one-time generated code. The BA does just the same. The problem lies in the way it has been implemented.

If you have a single account and a single BA, you are safe. Sleep tight. If you use multiple accounts like me, you're not allowed to sleep tight. Where did the security break? If the e-mail above didn't make it clear, here it is in short terms:

  • You have two accounts
  • You generate code 123456 to log with Account1
  • The code 123456 gets saved for Account1
  • Since Account1 and Account2 share the same BA, but the code 123456 has only been saved for Account1 and not for Account2, you can use 123456 for your other account too, which breaks the one-time property of the code.

This means that if the attackers are fast enough, while you log in to your main account they can forward the captured code over the network and use it on your other account, before it expires, to do whatever they want. Sure, it requires some timing and some skill, but I don't think that's a reason to relax.

There are some workarounds for this, though. The first would be for Blizzard to fix their tables (as in data storage, not furniture). It should work like this:

  • You have two accounts
  • You generate code 123456 to log with Account1
  • Account1 uses BA1
  • Code 123456 gets saved for BA1
  • Account2 uses BA1 too, so the code 123456 can't be used again to log in to another account, just as code 654321, used to log in to Account2, can't be used to log in to Account1.
  • Happy face here :)

Since this is unlikely to happen in the near future (you know, multinational corporations…), I came up with a couple of suggestions that I use and that may fix your problems most of the time (there are a few exceptions I'm aware of myself, so I know these are just temporary fixes).

  • If you have multiple accounts and multiple Authenticators (just like me), I suggest you unbind the shared one from all the accounts but one.
  • If you're unwilling to do so (just like me), you can use a little twist at login. Say you want to log in with Account1. Generate a code, log in with Account2, log out, log back in with Account1 using the same code. The code is now recorded as used on both accounts, so a captured copy can't be replayed on either of them. You're safe.
  • Bother Blizzard until they fix this (hey, I’m jk). (No, maybe not).
  • Pray to God if you do believe in him.

There’s not much more to do. I personally use the second method described above.

The only thing I ask of you at this point is to spread the word. The only way to be safe in this world is to know what surrounds us. If you know where the problem lies, you know how to fix it. At the same time, if people get to know where the vulnerability is, they get to know how to keep themselves safe.

In the hope it’s not already too late.