Blizzard Compromises Parental Control Security
June 22, 2010. Posted by Wilhelm Arcturus in entertainment, World of Warcraft.
Tags: Blizzard Authenticator, Parental Controls, Phishing, WTF Blizzard?
Or such is my view of the recent changes they have made.
For previously, parental controls were a simple thing.
They were an option off of the account management page and thus secure behind the account login, which in the case of our household, includes a Blizzard Authenticator.
Once into the parental controls page, all sorts of options were available for controlling your child’s play time.
And all of this was kept from the child by a simple password.
My daughter would go log into the page and all I would have to do is make the changes, or review the changes she made (and often correct them to align with what I had agreed to allow), then type in the password and click accept.
The flaw in the system appeared to be the password. I chose a password that was both complex enough to be secure, but one that both my wife and myself would remember. And we keep tight enough rein on my daughter’s WoW account that we end up typing it in a couple of times a week, thus refreshing our memory.
Then came the email from Blizzard.
Dear World of Warcraft Parental Controls user,
This email is your new key to accessing Parental Controls for your children. Any time you want to make changes, simply click the link under the name of the child below:
[Account and URL Withheld]
Your previous World of Warcraft Parental Controls settings for the accounts above have been automatically transferred to Battle.net Parental Controls, so unless you’d like to make changes or explore the new tools, you do not need to take any action at this time. Be sure to hang on to this email for quick access to managing your Parental Controls settings in the future.
Battle.net’s Parental Controls features include:
- NEW! No more Parental Controls password to remember – just use this email as your key.
- NEW! Permit a child to use Real ID, an optional social-networking feature that allows players to interact and communicate using their real names. (Learn more about Real ID: http://us.battle.net/realid/)
- Set daily or weekly limits on the number of hours your child is allowed to play World of Warcraft.
- Create a custom World of Warcraft play schedule, or select from pre-set schedules such as “weekends only.”
- Receive weekly World of Warcraft play-time reports via email.
- Manage access to in-game voice chat for World of Warcraft.
- COMING SOON! The ability to manage future Blizzard Entertainment games such as StarCraft II, as well as additional access to Battle.net’s upcoming social features. We’ll share more info with you about these features as they become available.
For information on or assistance with Battle.net Parental Controls, visit the Parental Controls FAQ (http://us.blizzard.com/support/article.xml?locale=en_US&tag=PCFAQ) or contact our Sales, Billing & Account Services team: https://us.blizzard.com/support/webform.xml?rhtml=y&locale=en_US.
The Battle.net Team
I initially ignored this email thinking that it was yet another phishing attempt. Right, I’m going to click on a URL in an email from “Blizzard Entertainment.”
But then my daughter came to me asking to play for a bit, since the Midsummer Fire Festival was kicking off, and we noticed that the parental controls were missing from their usual location.
I went back, dug one of the two non-phishing attempts from Blizzard Entertainment out of my spam folder, and read the above.
So instead of easy access via account management, controlled by a password, I now have to keep a hella long URL handy if I want to make any changes.
I realize that some people are bad with passwords and that having held a job where I had to have 6 different passwords to do my job daily, each of which had to be changed every 45 to 90 days, might have trained me better than most in the fine art of mental password management (the company had heard of LDAP, but wasn’t really convinced it was time to jump on that bandwagon yet), but still. This was one stinking password with almost no restrictions requiring special characters, numbers, capital letters, punctuation, or Chinese pictograms.
But no, passwords get forgotten and I am sure that yields calls to Blizzard support, and support calls cost money.
So now I have a much less secure solution to the problem of parental controls. Passwords may be as breakable, or much more breakable than the hella long URL Blizzard sent me, but at least the password entry made you go through the Blizzard Authenticator. I bought into your security paradigm and this is how I get treated Blizzard?
Meanwhile, the URL is in a normal web mail account, the password for which can be phished for as easily as an account password. And even if I copy the URL elsewhere, if you know that email address, you can just go to the parental controls page, type it in, and they’ll send you a fresh URL that will invalidate the old one.
All of this for access to a page that will let you lock people out of their account. How does that scenario sound familiar?
Right, somebody gets the password to that email account, changes it, requests a new parental control URL, turns off all access to the account and there you go.
And you can say, “Well, be more careful with your email account,” but this sort of thing happens to people much wiser in the ways of security than myself.
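To make the comparison above concrete, here is a toy model of the two designs as the post describes them. This is an added example, not Blizzard's code: the class names, the token format, the one-week lifetime and the rule that requesting a new link retires the old one are assumptions chosen to mirror the mailed-link behaviour the post reports, and the mailbox is a constructed stand-in for a web-mail account. The point it shows is where the security boundary sits: with the mailed link, whoever can read (or request into) the mailbox controls the settings, while the old login path also requires a code from the authenticator, which the mailbox does not contain.

```python
"""Toy model of the two parental-control designs described in the post.

Added example, not Blizzard's code. Token format, lifetime and the
"new link retires the old link" rule are assumptions made to model the
behaviour the post describes.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Mailbox:
    """Constructed stand-in for the parent's web-mail account."""
    address: str
    messages: list = field(default_factory=list)


class MagicLinkControls:
    """Design 1 (the new setup): the settings page is reachable by a link
    mailed to the parent. The only secret is the token in the URL, so the
    mailbox is the entire security boundary."""

    def __init__(self, ttl_seconds, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._tokens = {}  # parent address -> (token, expiry); one live token per address

    def request_link(self, address, mailbox):
        """Anyone who enters the address on the request page gets a fresh link.
        Storing the new token replaces the old one, so the previous link dies."""
        token = secrets.token_urlsafe(32)
        self._tokens[address] = (token, self.clock() + self.ttl)
        url = f"https://example.invalid/parental-controls?token={token}"
        mailbox.messages.append(url)
        return url

    def open_settings(self, url):
        """True only if the URL carries a current, unexpired token."""
        token = url.rsplit("token=", 1)[-1]
        now = self.clock()
        return any(hmac.compare_digest(stored, token) and now < expiry
                   for stored, expiry in self._tokens.values())


class AuthenticatorGatedControls:
    """Design 2 (the old setup): settings sit behind the account login, which
    needs the password plus a time-based code from a hardware authenticator."""

    def __init__(self, password, totp_secret, clock=time.time):
        # Toy hash for the model only; a real service would use a proper KDF.
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self._secret = totp_secret
        self.clock = clock

    def expected_code(self):
        """Six-digit HMAC code over a 30-second time step (RFC 6238 shape,
        simplified: no dynamic truncation)."""
        step = int(self.clock() // 30)
        mac = hmac.new(self._secret, step.to_bytes(8, "big"), hashlib.sha1).digest()
        return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"

    def open_settings(self, password, code):
        pw_ok = hmac.compare_digest(hashlib.sha256(password.encode()).digest(), self._pw_hash)
        return pw_ok and hmac.compare_digest(code, self.expected_code())


def compare_designs():
    """Run both designs against a fixed clock and return the outcomes."""
    now = [1_000_000.0]
    clock = lambda: now[0]
    parent = Mailbox("parent@example.invalid")
    magic = MagicLinkControls(ttl_seconds=7 * 24 * 3600, clock=clock)

    first = magic.request_link(parent.address, parent)
    second = magic.request_link(parent.address, parent)  # re-requesting retires the first link
    results = {
        "old_link_still_works": magic.open_settings(first),
        "new_link_works": magic.open_settings(second),
    }
    now[0] += 8 * 24 * 3600                                   # a week later the link has expired
    results["link_after_expiry"] = magic.open_settings(second)
    # Every link ever sent lands in the mailbox, and a new one can be requested at will,
    # so holding the mailbox is the same as holding the settings page.
    results["mailbox_holder_controls_settings"] = magic.open_settings(
        magic.request_link(parent.address, parent))

    gated = AuthenticatorGatedControls("correct horse", b"toy-secret", clock=clock)
    wrong_code = "000000" if gated.expected_code() != "000000" else "111111"
    results["password_only"] = gated.open_settings("correct horse", wrong_code)
    results["password_plus_authenticator"] = gated.open_settings("correct horse", gated.expected_code())
    return results


if __name__ == "__main__":
    for name, outcome in compare_designs().items():
        print(f"{name}: {outcome}")
```

The two dictionary entries worth reading side by side are `mailbox_holder_controls_settings` (True: the mailed-link design reduces to mailbox security) and `password_only` (False: the gated design still refuses a caller who knows the password but lacks the authenticator code). The expiry entry shows why the link has to be renewed and why a mailbox only one parent can read becomes a convenience problem as well.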
Then there is the kick in the teeth following the boot in the groin, which is that this new setup is less convenient for our family.
Previously, my wife and I both knew the password, so either of us could manage our daughter’s account.
Now we need that URL.
Sure, I can forward that to her (another security hole, but what the hell at this point!), but there is a catch.
The URL expires.
This was probably the bit that let this whole “bypass the authenticator” scheme get past security review. I’ve already had to renew the URL.
But the URL gets sent to an email account that is mine. If the URL expires when I am not available to manage the parental controls, then the controls won’t get managed. And I could switch it to a new account that we could both share, but that would be one more account and password to remember.
All in the name of not having to remember a password.
And I’m just getting warmed up. This whole thing is a trifecta of annoyances, the security changes just being the first.
Look for a follow-up post.
Meanwhile, the net result here is that if you used the Blizzard authenticator, your account is now less secure than before.