2-28-2010 @ 1:17PM
The solution to this is relatively simple, and one that has been used by organizations that use RSA key tokens (basically the same as an Authenticator) to prevent man in the middle attacks: encrypt the login session. Blizzard would need to change the client so that initial setup of the communication channel occurred by having the client connect to the login servers in order to get the username/password screen, but in doing so it would prevent this type of attack, because as soon as you hit enter, the data is encrypted and sent to Blizzard. If the article is correct on how this particular attack works, they are using hooks into the login screen of the WoW client in order to capture the data. If those hooks no longer exist, because that screen is no longer part of the client, then this should prevent the attack. This would require that Blizzard implement some decent encryption. SSL is a start, but there are other solutions.
2-28-2010 @ 2:07PM
Encrypting the login session doesn't protect against man-in-the-middle attacks. Sorry. Yes, it is still better than plain text data, without a doubt. But thinking this would solve the problem is just plain wrong. Actually, there is more than one way to compromise that kind of connection. Session hijacking is another method that might prove to be a valid attack. In a nutshell, once the user's computer gets compromised, there is nothing Blizzard can do to assure the WoW account won't be as well.
2-28-2010 @ 7:35PM
The cracker just needs to use a common keylogger to get the code, so this would offer almost no extra protection in this specific case.
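A worked illustration of the point the last two replies make, added here as an example and not part of the comment thread or of any Blizzard code. It models a one-time-code login with RFC 6238 TOTP (the same family as the Authenticator and RSA tokens, assumed for illustration) and a server that accepts each code only once. The scenario, the secret, the password "hunter2", the 30-second window and the timestamps are all constructed. The capture happens where the replies say it does: on the compromised host, before any transport encryption is applied, so encrypting the session changes nothing. The example also goes one step further than the comments and shows what the server can still do: a single-use check means only one of the two submissions succeeds, so whoever wins the race gets in, and a captured code is worthless once its window has passed.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code window (RFC 6238 default; assumed here)

# Constructed shared secret and password for the demonstration only.
SECRET = b"0123456789abcdef0123"
PASSWORD = "hunter2"
NOW = 1_000_000_000  # constructed "current time" (seconds); window runs to ...020


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 code for one time-step counter (HOTP over the counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class AuthServer:
    """Minimal login server: password + current-window code, each code usable once."""

    def __init__(self, secret: bytes, password: str) -> None:
        self.secret = secret
        self.password = password
        self.used: set[tuple[int, str]] = set()

    def login(self, password: str, code: str, now: float) -> str:
        if not hmac.compare_digest(password, self.password):
            return "bad password"
        counter = int(now // STEP)
        # Accept the current window and the previous one to tolerate clock drift.
        for c in (counter, counter - 1):
            if hmac.compare_digest(totp(self.secret, c), code):
                if (c, code) in self.used:
                    return "code already used"
                self.used.add((c, code))
                return "ok"
        return "bad code"


def keylogger_race(server: AuthServer, secret: bytes, now: float) -> tuple[str, str]:
    """Constructed scenario: a hook on the victim's machine reads the password and
    the one-time code from the login screen before the client encrypts anything.
    The attacker submits the captured pair first; the victim's own attempt follows."""
    code = totp(secret, int(now // STEP))          # what the victim types
    captured = (PASSWORD, code)                    # read by the hook / keylogger
    attacker = server.login(*captured, now=now + 1)  # attacker wins the race
    victim = server.login(PASSWORD, code, now=now + 2)  # victim's real submission
    return attacker, victim


def replay_after_window(server: AuthServer, secret: bytes, now: float) -> str:
    """A captured code submitted two windows later: rejected regardless of replay state."""
    code = totp(secret, int(now // STEP))
    return server.login(PASSWORD, code, now=now + 2 * STEP)


if __name__ == "__main__":
    srv = AuthServer(SECRET, PASSWORD)
    print(keylogger_race(srv, SECRET, NOW))      # attacker "ok", victim "code already used"
    print(replay_after_window(srv, SECRET, NOW))  # "bad code"
```

The race is the whole story: the server sees two valid-looking logins a second apart and has no way to tell which one came from the real keyboard. Single-use codes and short windows bound the damage to one login and a few seconds, which is why the comment thread concludes that nothing server-side fully protects a compromised client.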