All Blizzard games were, until last night, vulnerable to DNS rebinding. World of Warcraft, Overwatch, and Hearthstone, among others, all put players at risk of exploitation, according to a Google researcher.
DNS rebinding is a form of attack in which a malicious web page causes users to run a client-side script affecting other machines on a network. According to Google vulnerability researcher Tavis Ormandy, up until yesterday, all Blizzard games were vulnerable to this kind of attack.
All Blizzard games (World of Warcraft, Overwatch, Diablo III, Starcraft II, etc.) were vulnerable to DNS rebinding vulnerability allowing any website to run arbitrary code. https://t.co/ssKyxfkuZo
— Tavis Ormandy (@taviso) January 22, 2018
Ormandy first reported the vulnerability on December 8, 2017. At that point, Blizzard were using a custom authentication scheme to verify users came from a legitimate source, but Ormandy claimed any website could create a DNS name that was authorised to communicate with Blizzard, in theory allowing any website to send privileged commands.
Ormandy sent his findings, which you can view in their entirety here, to Blizzard on December 9, but the company stopped communicating with him after December 22. The vulnerability has now been patched, and according to a Blizzard developer, a further, more secure update “will deploy soon.”
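A common defence against DNS rebinding, shown here as an added example that is not from Ormandy's report or Blizzard's patch: a locally bound HTTP service rejects any request whose Host header does not name the loopback interface, because a rebinding page still sends its own DNS name in that header. The port number, function names and sample hostnames are assumptions made for illustration.

```python
import ipaddress

SERVICE_PORT = 8080  # hypothetical port of the local service


def split_host(header):
    """Return (name, port) from a Host header value, or None if malformed."""
    value = header.strip().lower()
    if value.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:8080
        name, bracket, rest = value[1:].partition("]")
        if not bracket:
            return None
    else:
        name, colon, digits = value.partition(":")
        rest = colon + digits
    if rest and not (rest[0] == ":" and rest[1:].isdecimal()):
        return None
    port = int(rest[1:]) if rest else None
    return name.rstrip("."), port


def is_loopback_host(header, service_port=SERVICE_PORT):
    """True only if the Host header names this machine's loopback interface."""
    parsed = split_host(header or "")
    if parsed is None:
        return False
    name, port = parsed
    # Browsers omit the port only when it is the scheme default (80 for http).
    if (port if port is not None else 80) != service_port:
        return False
    if name == "localhost":
        return True
    try:
        return ipaddress.ip_address(name).is_loopback
    except ValueError:  # any other DNS name, including a rebinding hostname
        return False


# Constructed Host headers; the .example names are placeholders.
SAMPLES = ["localhost:8080", "127.0.0.1:8080", "[::1]:8080",
           "rebind.attacker.example:8080", "127.0.0.1.attacker.example:8080"]

if __name__ == "__main__":
    for host in SAMPLES:
        print(f"{host:35} {'accept' if is_loopback_host(host) else 'reject'}")
```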