Uninformed: Informative Information for the Uninformed

Vol 2» 2005.Sept


Obtaining passwords

Eventually, Blizzard implemented a password recovery mechanism whereby one could associate an e-mail address with an account and request a password change through the Battle.net protocol for that account at logon time. This resulted in an e-mail being dispatched to the registered address. If the user then replied to the mail as instructed, they were automatically mailed back a new account password. Unfortunately, as originally implemented, this system did not properly validate the confirmation mail that the user was required to send: the confirmation was not tied to the particular Battle.net network on which the reset had been requested. In particular, if a malicious user created an account "victim" on one Battle.net network, such as the Asian network, and then requested a password reset for that account, they could alter the return e-mail slightly and reset the password for the account "victim" on a different Battle.net network, such as the USEast network. This exploit was publicly disclosed and saw over a day of heavy abuse before Blizzard managed to patch it.
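The flaw described above is a reset request that is bound to an account name alone rather than to the full identity (account name plus network). The toy model below is an added example written for this article, not Blizzard's code: it assumes each reset token is mailed to the user, that the confirmation reply names both the account and the network it applies to, and that the original check compared only the account name; the hardened variant also requires the network to match the one the reset was requested on.

```python
import secrets

# Toy model of an e-mail based password reset. Accounts are keyed by
# (account_name, gateway); gateways stand in for separate Battle.net
# networks such as "asia" and "useast" (constructed names).
class ResetService:
    def __init__(self, bind_to_gateway):
        # bind_to_gateway=False models the original, flawed validation;
        # bind_to_gateway=True models the corrected check.
        self.bind_to_gateway = bind_to_gateway
        self.passwords = {}   # (name, gateway) -> current password
        self.pending = {}     # token -> (name, gateway) of the request

    def create_account(self, name, gateway, password):
        self.passwords[(name, gateway)] = password

    def request_reset(self, name, gateway):
        """Issue a reset token for an existing account; the token is the
        value that would be carried in the confirmation mail."""
        if (name, gateway) not in self.passwords:
            return None
        token = secrets.token_hex(8)
        self.pending[token] = (name, gateway)
        return token

    def confirm(self, token, name, gateway):
        """Process the user's confirmation reply. Returns the new password
        on success, or None if the reply is rejected."""
        if token not in self.pending:
            return None
        req_name, req_gateway = self.pending.pop(token)
        if req_name != name:
            return None
        # The original check stopped at the account name, so a reply naming
        # the same account on another network was still honoured.
        if self.bind_to_gateway and req_gateway != gateway:
            return None
        if (name, gateway) not in self.passwords:
            return None
        new_password = secrets.token_urlsafe(8)
        self.passwords[(name, gateway)] = new_password
        return new_password

def cross_network_reset_succeeds(bind_to_gateway):
    """Does confirming a reset requested on 'asia' change the 'useast'
    account of the same name? True reproduces the flaw, False shows the fix."""
    svc = ResetService(bind_to_gateway)
    svc.create_account("victim", "useast", "real-owner-password")
    svc.create_account("victim", "asia", "attacker-chosen")
    token = svc.request_reset("victim", "asia")
    svc.confirm(token, "victim", "useast")
    return svc.passwords[("victim", "useast")] != "real-owner-password"
```

The durable fix is the same in any reset flow: the token must commit to every component of the identity being reset, and the server must re-derive the target from the stored request rather than from fields in the reply.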