(Engadget)– Fans of Blizzard games might have dodged a bullet. Google security researcher Tavis Ormandy has revealed that virtually all the developer’s titles (including Overwatch and World of Warcraft) were vulnerable to a DNS rebinding flaw that let sites hijack the Blizzard Update Agent for their own purposes.
Intruders had to do little more than create a hostname their site was authorized to communicate with, make that resolve to the target of their choice (such as the victim’s PC) and send requests to the agent. From there, they could install malicious files, use network drives or otherwise create havoc.
Thankfully, the emphasis here is on the past tense. Blizzard’s communication was inconsistent, but it applied a short-term fix in recent days. It also responded to Ormandy’s concerns with with promises of a “more robust” fix that whitelists internet hosts, so only those sites Blizzard explicitly approves will get through. We’ve asked Blizzard for comment and will update if there’s more to add.
There isn’t evidence to suggest that anyone abused the Update Agent hole. Even so, the discovery highlights the challenges for security in games. They frequently have a different set of security concerns than a bank website or browser, and there’s no guarantee that developers will (or can) account for all those differences before they release a product into the wild.