Security Key Design Flaw in new launcher allows for brute force password attack


Jestrel

Hey Guys,

Not sure if this has been reported, but ever since the launcher update, just prior to 4.0, it's been possible to use the game client to brute force passwords for anyone whose accounts have a security key attached. Since the game client will immediately fail on a failed password attempt, but will prompt for the security key code on a successful password attempt, an attacker can infer from the client behaviour whether a guessed password is correct or incorrect.

On the web, login behaves in a similar fashion; however, a number of successive failures will trigger the captcha step, mitigating against automated brute force attempts.

Obviously, this wouldn't allow the attacker full access to the account due to the second factor. It could, however, allow a user's other accounts to be compromised, since many users share passwords across sites/services.

While I appreciate that the change in the new launcher may be seen as a QoL feature, it seems to be a step back from a security perspective.
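The design point the post raises, illustrated as an added example (not the poster's code and not the game's actual login code): a login flow that answers differently the moment the password is checked acts as a password oracle even when a second factor is attached, whereas collecting both factors before evaluating and throttling repeated failures removes that signal. The account store, salt, and security key code below are constructed demo values.

```python
import hashlib
import hmac
import secrets

# Constructed demo credential store (not real accounts): salted PBKDF2 hash,
# plus the one-time code the attached security key would currently produce.
def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

_SALT = secrets.token_bytes(16)
ACCOUNTS = {
    "alice": {"salt": _SALT, "pw_hash": _hash("correct horse", _SALT),
              "has_key": True, "key_code": "123456"},
}

def login_leaky(user: str, password: str) -> str:
    """Launcher-style flow: the response differs as soon as the password is
    checked, so 'NEED_KEY' vs 'FAIL' confirms a guess before any 2FA step."""
    acct = ACCOUNTS.get(user)
    if acct is None or not hmac.compare_digest(_hash(password, acct["salt"]), acct["pw_hash"]):
        return "FAIL"
    return "NEED_KEY" if acct["has_key"] else "OK"

MAX_FAILURES = 5          # assumed threshold, analogous to the web captcha trigger
_failures: dict[str, int] = {}

def login_hardened(user: str, password: str, key_code: str) -> str:
    """Collects both factors up front and evaluates them together, so a wrong
    password and a wrong key code produce the same 'FAIL'; repeated failures
    stop the flow the way the web login's captcha step slows automation."""
    if _failures.get(user, 0) >= MAX_FAILURES:
        return "LOCKED"
    acct = ACCOUNTS.get(user)
    # Hash against a dummy salt for unknown users so the work done is the same.
    salt = acct["salt"] if acct else _SALT
    pw_ok = acct is not None and hmac.compare_digest(_hash(password, salt), acct["pw_hash"])
    key_ok = acct is not None and (not acct["has_key"]
                                   or hmac.compare_digest(key_code, acct["key_code"]))
    if pw_ok and key_ok:
        _failures.pop(user, None)
        return "OK"
    _failures[user] = _failures.get(user, 0) + 1
    return "FAIL"
```

A hard per-account lockout can itself be abused to lock real users out, which is why production systems usually escalate to a captcha or progressive delay instead of a permanent block.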
