Project Zero, a team of analysts from Google security, reported a serious security error affecting PC users of all Blizzard games, as it is located in its installer, Battle.net. In this way, it affects users of games such as Overwatch, World of Warcraft, Diablo III, StarCraft, etc.
The bug is found in the update tool of Battle.net. Battle.net is a mandatory installation to access the titles and online services of the company.
The tool creates an RPC server (Remote Procedural Call), a technique for communication between processes on one or more computers connected to a network on our computer that uses port 1120 to manage orders and accept commands to install, uninstall or update the games.
In this link we can see a proof of this attack in question.
The error allows cheating security protocols with what is known as “DNS Rebinding”. That is to say, it manages to make us believe that an unreliable external source is reliable when passing itself off as another. In this way, the code can be injected into the user’s machine.
Project Zero alerted Blizzard in December about this issue and worked on a solution. In theory, the latest Blizzard update for Battle.net should correct this error, but now Project Zero has proven that this is not the case. Blizzard has confirmed that they are working on another solution with which they hope to definitively solve this security problem.
If Project Zero has made known the situation now it is because Blizzard ceased its communications unilaterally and, after checking that the update offered was useless, it has been decided to draw attention to the problem so that it can be solved once and for all.
Project Zero suspects that this vulnerability could exist in more video games or platforms of online services, so they have announced that in the coming weeks they will test hundreds of games to see if they are affected and that the potential security errors found are fixed as soon as possible.
