Call of Duty: Black Ops II appears to have been compromised using the now infamous Heartbleed exploit, according to security researchers.
The Heartbleed security bug is a simple example of memory leakage through an overflow vulnerability in the Heartbeat component of OpenSSL. Bits of memory in 64 kilobyte chunks may be extracted from the process’s memory. This could yield anything, including encryption keys, bits of traffic, credentials or session keys. The flaw is potentially among the most damaging ever to surface on the web but there's been little evidence that it has been widely exploited so far - leading some security experts to say it's been overblown.
For example, Richard Bejtlich, a security strategist at FireEye, drew parallels between Heartbleed and the Y2k bug.
"Widespread vulnerability, scary talk, work to fix code, but ultimately no significant public impact," he said.
However Ken Munro, a senior partner at Pen Test Partners, came across evidence of a real world (though not especially malicious) example of the vulnerability being exploited – in the popular online multiplayer game Call of Duty: Black Ops II. He logged in to shoot some enemies after a busy day of ethical hacking, only to see a series of messages suggesting a compromise had taken place.
"What we can surmise is that the CoD [Call of Duty] developers had connected to the Steam developer portal and either their session ID or, even worse, credentials had been stolen," Munro told El Reg.
"Fortunately whoever did this just decided to make it obvious; but imagine the damage that could have been caused by a malicious user. This is a prime game played (looking at Steam stats) by about 10,000 people a day. We could mess around with achievements, or even push a dodgy patch to cause a compromise of the all the players of the game!"
We've put in requests for comment to CoD developers Sledgehammer Games and publishers at parent firm Activision but are yet to hear back. We'll update this story if and when we find out more.
Chris Boyd, a malware intelligence analyst at anti-virus firm Malwarebytes, and a gaming security expert, agreed that Munro had uncovered circumstantial evidence of a compromise CoD while arguing that this might easily have been pulled off with another exploit. There's nothing to tie the malfeasance or mischief making directly to Heartbleed; no smoking gun.
"It's entirely possible the person responsible for the message didn't use Heartbleed to snag a login - they may have grabbed it by another means entirely, but decided to use the account to post a more general alert to the gaming community and devs at large," Boyd told El Reg. "In fact, this highlights the fact that we may see more compromises which have nothing to do with Heartbleed, but end up trading off the high profile of the threat. This could lead to yet more confusion on the part of both developers and users of popular web services over the coming weeks."
Boyd agreed with Munro that the intention of the unknown perp was not malign.
"While it's difficult to say exactly what functionality the person responsible for compromising the game in this way had access to, it seems their intention was to warn rather than harm," Boyd said. "Anybody concerned about achievement tampering should know that it's easy enough for someone to do that themselves without an entire game needing to be compromised first. As for the possibility of malicious patches going out, PC updates are traditionally a little easier to get out than (say) the XBox Live network where all updates are put through rigorous testing before being given the green light."
Munro is sticking to his guns in suggesting Heartbleed is the most likely culprit.
"Timing-wise the most likely candidate is Heartbleed," Munro said, adding that Boyd is also right to say that "we only have the hacker’s claim - but that certainly doesn’t preclude it from being the truth." ®