Skip to main content
  1. Home
  2. Computing
  3. Gaming
  4. News

Blizzard patches security hole to block hackers from sending fake updates

Add as a preferred source on Google

Blizzard is currently fixing a security hole in its desktop software that could allow any website to install browser-based software libraries, gain access to network-attached storage devices, and more. The company introduced a temporary fix to prevent any immediate exploits, but plans to release a “more comprehensive” fix in the near future. 

Blizzard’s Desktop App includes a component called Blizzard Update Agent that installs, uninstalls, and updates associated Blizzard games such as Diablo III, World of Warcraft, Overwatch, StarCraft II, Hearthstone, and more. This component creates a server that listens for encoded commands sent from Blizzard through a local network port on the PC. This update platform relies on a specific authentication token system to determine that these commands are legitimate.  

Recommended Videos

But Google security researcher Tavis Ormandy revealed that hackers could infiltrate this setup using an attack called “DNS rebinding.” Theoretically, a hacker and/or website could create a domain name, and assign that name to the IP address and port where the Update Agent resides on the target PC. From there, hackers could bypass Blizzard’s authentication system to install malicious software and perform other dirty deeds. 

Ormandy originally disclosed the issue on December 8, and communicated with Blizzard until the company went quiet on December 22. By then, he noted that Blizzard quietly updated the client – v5996 – with a temporary fix he deemed a “bizarre solution,” and that used a three-step verification process. He previously proposed using a whitelist for valid hostnames, but based on Blizzard’s fix, figured the company thought his solution was “too elegant and simple.” 

Finally, on January 23, Blizzard resumed communication with Ormandy. “We have a more robust Host header whitelist fix in QA now and will deploy soon. The executable blacklisting code is actually old and wasn’t intended to be a resolution to this issue,” a representative said. 

A DNS rebinding attack typically targets more than one machine on a network. Attackers will register a domain name, assign it to a Domain Name System server under their control, and create a webpage with malicious JavaScript. When victims land on the page, hackers acquire their IP address and tie it to one of their subdomains to execute a Cross-Site Request Forgery attack. Ultimately, hackers gain control of the victim’s router, and can attack other machines on the network. 

In the case of the Blizzard Update Agent, hackers could create a fake update server to deliver goods not associated with Blizzard’s games. The company likely went silent for a few weeks while it replicated the problem, created a temporary fix, and set course for an official update prior to providing additional responses. Meanwhile, Ormandy provides a “simple” demo of the Blizzard DNS rebinding testcase here. 

“Note that this attack can take up to five minutes to work, this would be happening while you read a website in the background and you would see nothing on the screen,” Ormandy explains. 

Outside of Blizzard’s response on Ormandy’s disclosure, the company has yet to make an official public announcement regarding his findings. 

Kevin Parrish
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Apple’s Hide My Email feature has an unfixed bug that leaves email addresses exposed
100% exploitable in limited testing, known since June 2025, and still unfixed as of today.
apple-merging-sign-in-with-apple-hide-my-email-icloud+

Apple has been selling Hide My Email to keep your real email address hidden, but it has a vulnerability that does the exact opposite. The worst part is that the company has known about it for a year. 

Hide My Email, part of Apple’s paid iCloud+ subscription, lets users generate anonymous email addresses for signing up to a website, so that their personal or work email remains free of promotional emails and spam. 

Read more
I hate sharing my Mac, but a face-unlocking app finally cured my privacy paranoia
Someone finally built the app locker every Mac user has been asking for.
FaceGate in action on Mac

If you have ever handed your Mac to a friend, family member, or coworker for "just a minute," you know the mild panic that follows. Sure, your Mac has a lock screen, but once someone is past it, they can open Messages, Photos, Notes, Mail, WhatsApp, and your browser.

iPhones had the same issue, but Apple solved it by adding an app lock feature with the iOS 18 update. Sadly, no such feature exists for macOS. That’s where the new FaceGate app for Mac can help you. It’s a free and open-source app that lets you lock apps on your Mac and even has some novel tricks up its sleeve. So, let’s talk about it, shall we?

Read more
The charm of a tiny Windows tablet is apparently dead at Microsoft. Long live the Surface Go!
Microsoft’s budget Surface era may be over
Microsoft Surface Go 3 stand.

Microsoft might be cleaning up its Surface lineup. According to Windows Central, Microsoft has stopped manufacturing the Surface Go and Surface Laptop Go lines, with no successors currently planned. Surface Go 4 and Surface Laptop Go 3 are reportedly out of stock in most places, and once remaining retail stock is gone, that may be it.

If this is true, then we are looking at the end of the brand's budget Surface PCs as Microsoft has plenty of premium Windows hardware.

Read more