Latest: Digital For Tech News Click Here


Thursday 1 May 2014

Call of Duty is not secure from Heartbleed

0 comments
place Google AdSense code here

Heartbleed took Call of Duty: Black Ops II‘s blood out too, according to security researchers.
The Heartbleed security bug is a simple example of memory leakage through overflow vulnerability in the Heartbeat component of OpenSSL. Bits of memory in 64 kilobyte chunks may be extracted from the process’s memory. This could yield anything, including encryption keys, bits of traffic, credentials or session keys. The flaw is potentially among the most damaging ever to surface on the web but there's been little evidence that it has been widely exploited so far - leading some security experts to say it's been overblown.

However Ken Munro, a senior partner at Pen Test Partners, came across evidence of a real world) example of the vulnerability being exploited – in the popular online multiplayer game Call of Duty: Black Ops II. He logged in to shoot some enemies after a busy day of ethical hacking, only to see a series of messages suggesting a compromise had taken place.

"What we can surmise is that the CoD developers had connected to the Steam developer portal and either their session ID or, even worse, credentials had been stolen," Munro told El Reg.
"Fortunately whoever did this just decided to make it obvious; but imagine the damage that could have been caused by a malicious user. This is a prime game played (looking at Steam stats) by about 10,000 people a day. We could mess around with achievements, or even push a dodgy patch to cause a compromise of the all the players of the game!"

Chris Boyd, a malware intelligence analyst at anti-virus firm Malwarebytes, and a gaming security expert, agreed that Munro had uncovered circumstantial evidence of a compromise CoD while arguing that this might easily have been pulled off with another exploit.

"It's entirely possible the person responsible for the message didn't use Heartbleed to snag a login - they may have grabbed it by another means entirely, but decided to use the account to post a more general alert to the gaming community and devs at large," Boyd told El Reg. "In fact, this highlights the fact that we may see more compromises which have nothing to do with Heartbleed, but end up trading off the high profile of the threat.  This could lead to yet more confusion on the part of both developers and users of popular web services over the coming weeks."

Boyd agreed with Munro that the intention of the unknown perp was not malign.

"While it's difficult to say exactly what functionality the person responsible for compromising the game in this way had access to, it seems their intention was to warn rather than harm," Boyd said. "Anybody concerned about achievement tampering should know that it's easy enough for someone to do that themselves without an entire game needing to be compromised first. As for the possibility of malicious patches going out, PC updates are traditionally a little easier to get out than (say) the XBox Live network where all updates are put through rigorous testing before being given the green light."

Munro is sticking to his guns in suggesting Heartbleed is the most likely culprit.

"Timing-wise the most likely candidate is Heartbleed," Munro said, adding that Boyd is also right to say that "we only have the hacker’s claim - but that certainly doesn’t preclude it from being the truth."

Yet it is not sure whether it really is the HeartBleed or something else which has compromised Call of Duty: Black Ops II.

0 comments: Post Yours! Read Comment Policy ▼
PLEASE NOTE:
We have Zero Tolerance to Spam. Chessy Comments and Comments with Links will be deleted immediately upon our review.

Post a Comment

 
Copyright © 2013 MyBloggerBlog Template All Right Reserved
Designed by MyBloggerBlog | Powered by Blogger