PropheT wrote on Jun 25, 2013, 16:38:
m00t wrote on Jun 25, 2013, 12:42:
What I don't know for sure is if the cookie is tied to a specific machine, made non-transferable by some technical method. (overcome if you use a custom login program because you just lie, but prevents it from being copied and used with the normal launcher)
My understanding is that it keeps an encrypted cookie (if that's the right term here I guess) locally stored to the machine, but the system still requires IP range verification in order to region lock the account. Even with the cookie stored locally the account still requires authentication if you move outside of the network range where you originally set the check file, so if you live in NY and someone tries to access your account from Oregon, for example, it doesn't matter if that cookie is there or not; it forces authentication for the account to confirm ownership.
Blizzard still denies that people with authenticators are getting accounts compromised, and just by the way the tool works it's hard to see how they're wrong. The only way I can see it not being secure is if you use the mobile auth on a jailbroken/non-rooted phone.
Basically true, yes. I think there is an unavoidable local flaw if your machine is compromised. They don't have to run the WoW Client, there are almost certainly malware apps that can connect and issue commands as though they were the client and the person on the machine wouldn't even notice.
If Windows users practiced (and were not prevented from practicing by the design of Windows) good security practices by not browsing on a full-privilege account, it'd be a lot harder to have a meaningful client breach.
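As an added illustration, not code from this thread or from Blizzard, here is a toy Python model of the scheme PropheT describes: a server-issued "remember this machine" token bound to a device identifier and to the network range the login came from, where any mismatch forces full authentication. The /16 range width, the HMAC construction and the `device_id` field are assumptions. It also shows m00t's caveat: a process already running on the compromised machine can present the genuine device id from the genuine address, so the check passes.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed demo secret; a real service would keep this in a KMS/HSM.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def issue_device_token(account: str, device_id: str, client_ip: str) -> dict:
    """Mint a 'remember this machine' token after a full login.

    Assumption: the token is bound to a device identifier and to the /16
    network the login came from, and is integrity-protected with an HMAC.
    """
    network = str(ipaddress.ip_network(f"{client_ip}/16", strict=False))
    nonce = secrets.token_hex(8)
    msg = f"{account}|{device_id}|{network}|{nonce}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return {"account": account, "device_id": device_id,
            "network": network, "nonce": nonce, "tag": tag}


def needs_reauth(token: dict, presented_device_id: str, client_ip: str) -> bool:
    """Return True when the server should demand full authentication again."""
    msg = (f"{token['account']}|{token['device_id']}|"
           f"{token['network']}|{token['nonce']}").encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["tag"]):
        return True   # token was altered or forged
    if token["device_id"] != presented_device_id:
        return True   # token copied to a different machine
    if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(token["network"]):
        return True   # outside the range the token was set in (NY vs. Oregon)
    # Caveat from the thread: malware on the original machine presents the
    # real device id from the real network, so none of the checks above fire.
    return False
```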