Comments on: WoW: Authenticator users targeted by trojan middleman attack

By: Coli

Coli — Sat, 31 Jul 2010 20:09:38 +0000

Reverse engineering is irrelevant. The algorithm is actually public, but because it uses public key cryptography, you aren’t going to be breaking it. I have written an implementation for Windows at http://code.google.com/p/winauth/.

What is important is keeping the secret key stored in the authenticator safe. This isn’t a problem for the physical device. But for mobile devices, or the Windows one, your private key must be secured.

However all devices are still prone to a man-in-the-middle attack, but it is time-sensitive (you have a 30 second window).

At any rate, having an authenticator is still better than not.

By: Spitt

Spitt — Mon, 08 Mar 2010 07:11:56 +0000

Just read some news where they have a Desktop Authenticator. It was being tested in December, might be live now, or still being beta tested. However the point is that a desktop authenticator would be easier to backwards engineer.

Get the code, enter the code to get on the account. Get the code again, to change the authenticator to your own desktop version. Only need 2-3 codes and can then disable the previous owner’s version and apply your own. Sounds like a workable hack to me.

Brilliant move by the account thieves, hopefully more people read this and read my System Protection post, to get better protected on their system.

By: Spitt

Spitt — Sat, 06 Mar 2010 05:45:02 +0000

There is a talk of a authenticator that needs 3 codes to sync with a generic authenticator. It’s possible that someone took the iphone app and reverse engineered it, to make it work natively or possibly even emulated on something like linux or freebsd. Since this thing sends the wrong code to Blizzard, it’s possible that the people could be trying to grab 3 codes in order to apply it to a cracked authenticator.

By: King_Yoshi

King_Yoshi — Sat, 06 Mar 2010 04:31:59 +0000

They are key-log people, so they find out what key they used, and then just input the code into a program they created which tells them the password they used originally to create the key that the authenticator uses. From there they can input the proper codes as much as they want, when trying to log into the account they stole.

By: King_Yoshi

King_Yoshi — Sat, 06 Mar 2010 04:31:39 +0000

They are keylog poeple, so they find out what key they used, and then just input the code into a program they created which tells them the password they used originally to create the key that the authenticator uses. From there they can input the proper codes as much as they want, when trying to log into the account they stole.

By: Bigsvenyo

Bigsvenyo — Thu, 04 Mar 2010 22:49:59 +0000

This does not mean they’ve been reverse engineered–it’s a keylogging exploit

By: King_Yoshi

King_Yoshi — Thu, 04 Mar 2010 05:30:49 +0000

ROFL! This just made my day.. I have been telling people that the authenticators had already been reverse engineered.. No one believed me..