Call of Duty Pwned in Latest Heartbleed Attack

When Ken Munro, security analyst at Pen Test Partners logged on to Call of Duty: Black Ops II yesterday for some good clean fragging fun, one of the last things he expected to find was a bundle of messages from Steam informing him his account had been compromised.

In the latest news off the Heartbleed warfront, it seems that someone has been able to gain access to the servers responsible for hosting the popular online FPS Call of Duty.

Munro spoke about his discovery in a statement to The Register, claiming that although his credentials had been stolen, whoever was behind it made sure to create a very obvious scenario that could be traced by anyone with rudimentary knowledge of Internet security.

“Fortunately whoever did this just decided to make it obvious; but imagine the damage that could have been caused by a malicious user. This is a prime game played (looking at Steam stats) by about 10,000 people a day. We could mess around with achievements, or even push a dodgy patch to cause a compromise of the all the players of the game!”


For now it appears the issue is constrained to the PC version of the game only, missing the majority of players who enjoy the title on PS3 and Xbox Live. Whether the hole came from Steam or the publishers at Sledgehammer Games remains unclear, however there is ample reason to suspect that due to the source of the crack, it may have been the link those two companies share together that finally did them in.

There is still speculation if the problem on Call of Duty’s servers are in fact due to the OpenSSL exploit made public by the now infamous Heartbleed, but the timing and obvious, targeted nature of the credential crack do suggest someone out there found the hole and wanted to get noticed before anyone less scrupulous may have stumbled upon it accidentally.