Tobold's Blog
Monday, March 01, 2010
World of Warcraft Authenticator hacked

Several readers in the open Sunday thread alerted me to a report that the WoW authenticator has been hacked, including confirmation by Blizzard. The virus intercepts your authenticator code, sends a wrong one onwards (causing you to get an error message), and sends the right one to the hackers, who then have to use it immediately to get into your account.

Well, no account security measure is ever perfect, and your account is still a lot safer with an authenticator than without one. But if you are worried, you should search your computer for the virus file called "emcor.dll".
This is certainly bad, but still easier to deal with than if there was no authenticator at all. Logging in from a different computer would kick them off (unless I'm remembering wrong) and they'd be unable to get the new code without having that computer infected too. That would secure the account again, assuming you don't reuse the infected machine before cleaning.

What worries me most is the potential difficulty of the user detecting it. If our password is wrong, we freak out and think it was changed or we forgot it and we try to do something. If the authenticator code didn't work, I don't know that people would expect a hacker, delaying action.

As I understand it, the hack gives its master about 30s to log onto your account and change it before the stolen authenticator number expires. You'd have to be very quick to log on to another machine and intercept that in the time available. On the plus side, the bad guys have to be pretty quick too.
So does would this thing work with the Iphone authenticator? Or only with the USB one?

Sounds like it's only for the USB one. Hopefully Blizzard makes an authenticator for other smart phones as well.

It would suck for Apple to have the only safe authenticator.
To be strictly accurate, the virus doesn't hack your Authenticator, it merely has a way to bypass the fact that you have one.

Even if you didn't have an Authenticator, you'd be hacked, and chances are it'd be a lot more successful than in that >1 minute window the hackers would have with an Authenticator.
So does would this thing work with the Iphone authenticator? Or only with the USB one?

The hack is at the level of your PC. Thus what tool you used to generate the code doesn't matter. It'll intercept an iPhone code as well as the keychain one. Note that there is no USB involved.
.dll ?


On a Mac, have an authenticator. Don't think i'll worry one processor cycle over this one.
It's less so much 'hacked' as keylogging has a probably less than two minute window where it still works, which needs a specialised keylogger to actually send data real time. As ever, installing things from the internet is a bad idea.

I don't have an authenticator as I don't download random executables and noscript pages to the hilt. It probably helps I tend to run WoW in wine in linux, where stray exes become really obvious.
Sounds like a classic man in the middle scenario (for more juicy details, see
Pretty amusing that I just ordered one, and someone found a way to bypass it!
Hacked seems to be a big word. They intercept your code at which point they have minutes to log in to your account. The authenticator isn't hacked, your pc is.

Nothing to see here.
I would say your title is misleading. Hacking the authenticator would imply to me that you know what the key is going to be at any time the authenticator's button is pressed.

This is a hack of accounts with authenticators.
@Pangoria Fallstar: i heard that authenticators for Macs cost 5 times more and have 50% less functionality. But they're shiny and look real good in the dark.
As has already been mentioned this is not a authenticator hack. If the baddies are able to get a trojan/keylogger onto your computer, you are in all kinds of trouble, where getting your WoW account hacked is probably the least of your worries.
Well, the authenticator itself, in its keychain version, is just a display with a button. There is no other functionality than showing a number on the display when you press the button, and there is no connection to a computer whatsoever, neither by cable nor wireless. So, of course, the authenticator itself can't be hacked. The authenticator-protected access to your WoW account can be hacked, but who would use a cumbersome phrase like that?
As I understand it, the hack gives its master about 30s to log onto your account and change it before the stolen authenticator number expires.

If they are smart enough to create that .dll, they should be smart enough to fully automatically receive the details, log onto the account and change it as well unless there is a good captcha somewhere in the process.
This comment has been removed by the author.
This comment has been removed by a blog administrator.
The iphone version just displays a number, which automatically updates (I guess) every 30 seconds. No buttons to press, but it costs £100. You get the iphone included for free ;)
just fyi a guildmate on a mac with an authenticator also got hacked. He was using the iphone authenticator.

I seems like your account can now be hacked even if your computer is not compromised.
From most of these comments, I can see that many of you have no idea how the authenticator functions. Each authenticator has a set 'chunk' of passwords that are linked to your account. Every time you press the button, it displays one of these passwords. After that, it is never displayed again (cannot be used twice). If someone is able to capture one or more of these passwords, they don't have to use it in the next 30 seconds. They can use it tomorrow, or next week if they felt like it. That said, this is how it goes: You open wow, whip out your FOB, punch in your hex password - oops - error message (that password intercepted and sent to chinese farmer) You don't think twice, hit your button again and punch in new password. Bing, you log in. That first one you entered is still valid because it was never actually used. Mr. Farmer can use that password at his leisure. If you think your password has been intercepted, keep trying to log in with that same password so you can burn it before someone else can, or remove the authenticator from your account and use a static password until you can buy a new one. It's a hassle, but less so than having your stuff stolen.

According to the link above, and my understanding, you can't use the authenticator code that has been unused anytime you want, after all, why is an authenticator then needed at all? Why not keep the number static until it is then used?

Your authenticator matches or syncs with the one Blizzard has on their end, if you try to enter in an authenticate code from an hour ago it does not sync with the current one.

You only have about a minute or two to use a code on your device that is in sync with the one that is on the Blizzard servers.
To clarify, your post about using the code later or the next day is incorrect. The number is an algorithim that changes every 30 or 60 seconds. Blizzard servers know your algorithim by the serial number and 'expect' a certian number from your during a period of time. If you do not enter that code within a certian amount of time (whatever threshold they set for a delay) then it is the same as a bad password. It is a single use token code and must be used within a minute or so of the login. It is basically like a RSA token that WOW bought and had them put a front cover on. You can look at RSA's website and see more about how these work. They are much more secure than a simple or even complex password.
Post a Comment

Links to this post:

Create a Link

<< Home
Newer›  ‹Older

  Powered by Blogger   Free Page Rank Tool