Antheus

One-time pad hack


Interesting. I was under the impression that the authenticator is a one-time pad, which should make it safe from MitM and similar attacks. Not a true OTP attack, but still effective enough.
Quote:
* The next time you log in World of Warcraft, the game asks for your Authenticator code.
* The virus intercepts it, sends it to another server, and sends a wrong one to Blizzard = You get an error.
* The people behind the virus now have a few seconds/minutes to use the "real" code while it's valid to change your password / empty your account / guild bank.



There is no such thing as a secure remote connection, although you can get close as long as you can ensure physical security. This attack falls squarely in the "if your computer is compromised, you're screwed" category.

If your local machine is compromised, it's game over -- the virus could just as well watch for you to log on, and then send a "give all my stuff away" command in the background.



This sort of authentication is a one-time-password, which is a very different thing than a one-time-pad (being used for authentication, rather than encryption). I've never used the WOW authenticator -- does it not use challenge-response?



Note that even with challenge/response, and a random new challenge each time, the attack can work -- all it has to do is to show "failure" to the user, but forward "success" to the server, and keep the attacker look-aside site in the loop.

If the client computer is compromised, it doesn't matter what you do, because the client is entirely in the hands of the attacker after the user has properly authenticated.



It's the TLA hell, I was under the impression that OTP was Pad, not Password, and that it was completely independent, more similar to how some banks work.

Quote:
Note that even with challenge/response, and a random new challenge each time, the attack can work -- all it has to do is to show "failure" to the user, but forward "success" to the server, and keep the attacker look-aside site in the loop.


I was thinking of not allowing the same authentication to be used from more than one IP, but obviously a trojan can use the legit user's IP, and just emulate the client from the same machine.

The ultimate evil would be a trojan that acts as a proxy, and lets the user log in, feeding the client valid data, just making it seem as if the server is a bit empty, or laggy, while the trojan itself talks to the real server and does its stuff.

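What the server can and cannot see in the relay quoted in the first post, and the limit of the per-IP idea from the last reply, as an added example that is not part of the thread. It assumes an RFC 6238 style time-based code with a 30-second step (the thread does not say how the authenticator derives its codes); `Verifier`, the account name, the secret and the addresses are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds a code stays valid (assumed; RFC 6238 default)

def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Server side: accepts each time step's code once per account."""
    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.used = set()       # (account, time step) already accepted
        self.failures = {}      # (account, time step) -> sources that failed

    def login(self, account: str, code: str, source: str, now: int) -> str:
        key = (account, now // STEP)
        expected = totp(self.secrets[account], now)
        if key in self.used or not hmac.compare_digest(code, expected):
            self.failures.setdefault(key, set()).add(source)
            return "reject"
        self.used.add(key)
        # Heuristic: a failure from another source in this step, then success.
        if self.failures.get(key, set()) - {source}:
            return "accept-flagged"
        return "accept"

def demo() -> list:
    secret = b"constructed-demo-secret"   # constructed sample value
    t = 1_200_000_000                     # constructed timestamp
    server = Verifier({"alice": secret})
    real = totp(secret, t)
    wrong = "000000" if real != "000000" else "111111"
    return [
        server.login("alice", wrong, "203.0.113.5", t),       # garbled code arrives
        server.login("alice", real, "198.51.100.9", t + 5),   # real code, other source
        server.login("alice", real, "203.0.113.5", t + 10),   # replay of a used code
    ]

if __name__ == "__main__":
    print(demo())
```

The single-use check rejects the replay, but the real code is accepted from whoever presents it first within the step. The flag only fires when the failed and successful attempts come from different sources, which the last reply points out a trojan on the user's own machine does not need.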