Player Test Realm - Security Concerns

Security Concerns

When players create World of Warcraft accounts, they are asked to choose a username and password. Afterward, whenever they play World of Warcraft, they are asked to supply the same username and password in full. This is also the case when using account management facilities online. This type of authentication is vulnerable to keystroke logging. While this is not unique to World of Warcraft and is common to many MMORPGs, the game has been directly targeted with trojans being specifically crafted to capture account login details. Attacks have been reported as early as May 2006, and may extend as far back as July 30, 2005. The game does, however, allow players to save their account name to the program to allow the player to only have to type their password.

In September 2006, reports emerged of spoof World of Warcraft game advice websites that contained malware. Vulnerable computers would be infected through their web browsers, downloading a program that would then relay back account information. Blizzard's account support teams experienced high demand during this episode, stating that many users had been affected. Claims were also made that telephone support was closed for isolated periods due to the volume of calls and resulting queues. In April 2007, attacks evolved to take advantage of further exploits involving animated cursors, with multiple websites being used. Security researcher group Symantec released a report stating that a compromised World of Warcraft account was worth US$10 on the black market, compared to US$6 to US$12 for a compromised computer (correct as of March 2007). In February 2008, phishing emails were distributed requesting that users validate their account information using a fake version of the World of Warcraft account management pages. In June 2008, Blizzard announced the Blizzard Authenticator, available as a hardware security token or mobile application that provides two factor security. The token generates a one-time password based code that the player supplies when logging on. The password, used in addition to the user's own password, is only valid for a couple of minutes, thus providing extra security against keylogging malware.

Blizzard makes use of a system known as Warden on the Windows version of the game to detect third-party programs, such as botting software, allowing World of Warcraft to be played unattended. There has been some controversy as to the legality of Warden. Warden uses techniques similar to anti-virus software to analyze other running software on the players' PCs, as well as the file system. However, unlike most anti-virus software, it sends a portion of this information back to Blizzard, which caused privacy advocates to accuse it of being spyware. One example of the information Warden collects is the title of every window open on the system while WoW is running. Blizzard has not stated what information is passed by Warden over the Internet, or if that information is encrypted, so it is entirely possible that this information is passed over the Internet back to Blizzard. On the other hand, many gamers responded positively to the development, stating that they supported the technology if it resulted in fewer cases of cheating. Blizzard's use of Warden was stated in the Terms of Agreement (TOA).

The Warden's existence was acknowledged in March 2008, during the opening legal proceedings against MDY Industries. The lawsuit was filed in federal court in Arizona, and also listed Michael Donnelly as a defendant. Donnelly was included in the suit as the creator of MMO Glider, software that can automatically play many tasks in the game. Blizzard claimed the software is an infringement of its copyright and software license agreement, stating that "Glider use severely harms the WoW gaming experience for other players by altering the balance of play, disrupting the social and immersive aspects of the game, and undermining the in-game economy." Donnelly claims to have sold 100,000 copies of the $25 software.