Feeds

Call of Duty 'fragged using OpenSSL's Heartbleed exploit'

So it begins ... or maybe not, says one analyst

Website security in corporate America

Call of Duty: Black Ops II appears to have been compromised using the now infamous Heartbleed exploit, according to security researchers.

The Heartbleed security bug is a simple example of memory leakage through an overflow vulnerability in the Heartbeat component of OpenSSL. Bits of memory in 64 kilobyte chunks may be extracted from the process’s memory. This could yield anything, including encryption keys, bits of traffic, credentials or session keys. The flaw is potentially among the most damaging ever to surface on the web but there's been little evidence that it has been widely exploited so far - leading some security experts to say it's been overblown.

For example, Richard Bejtlich, ‪a‬ security strategist at ‪FireEye‬, drew parallels between Heartbleed and the Y2k bug.

"Widespread vulnerability, scary talk, work to fix code, but ultimately no significant public impact," he said.

However Ken Munro, a senior partner at Pen Test Partners, came across evidence of a real world (though not especially malicious) example of the vulnerability being exploited – in the popular online multiplayer game Call of Duty: Black Ops II. He logged in to shoot some enemies after a busy day of ethical hacking, only to see a series of messages suggesting a compromise had taken place.

"What we can surmise is that the CoD [Call of Duty] developers had connected to the Steam developer portal and either their session ID or, even worse, credentials had been stolen," Munro told El Reg.

"Fortunately whoever did this just decided to make it obvious; but imagine the damage that could have been caused by a malicious user. This is a prime game played (looking at Steam stats) by about 10,000 people a day. We could mess around with achievements, or even push a dodgy patch to cause a compromise of the all the players of the game!"

We've put in requests for comment to CoD developers Sledgehammer Games and publishers at parent firm Activision but are yet to hear back. We'll update this story if and when we find out more.

Chris Boyd, a malware intelligence analyst at anti-virus firm Malwarebytes, and a gaming security expert, agreed that Munro had uncovered circumstantial evidence of a compromise CoD while arguing that this might easily have been pulled off with another exploit. There's nothing to tie the malfeasance or mischief making directly to Heartbleed; no smoking gun.

"It's entirely possible the person responsible for the message didn't use Heartbleed to snag a login - they may have grabbed it by another means entirely, but decided to use the account to post a more general alert to the gaming community and devs at large," Boyd told El Reg. "In fact, this highlights the fact that we may see more compromises which have nothing to do with Heartbleed, but end up trading off the high profile of the threat.  This could lead to yet more confusion on the part of both developers and users of popular web services over the coming weeks."

Boyd agreed with Munro that the intention of the unknown perp was not malign.

"While it's difficult to say exactly what functionality the person responsible for compromising the game in this way had access to, it seems their intention was to warn rather than harm," Boyd said. "Anybody concerned about achievement tampering should know that it's easy enough for someone to do that themselves without an entire game needing to be compromised first. As for the possibility of malicious patches going out, PC updates are traditionally a little easier to get out than (say) the XBox Live network where all updates are put through rigorous testing before being given the green light."

Munro is sticking to his guns in suggesting Heartbleed is the most likely culprit.

"Timing-wise the most likely candidate is Heartbleed," Munro said, adding that Boyd is also right to say that "we only have the hacker’s claim - but that certainly doesn’t preclude it from being the truth." ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.