WOT Express: Huge Security Holes at Wargaming

The material is created for informational purposes.

One of our dons found interesting “bugs” in the WG security system (it is missing!). Instructions and explanation below.

With the introduction of the account unification system, when we were given the opportunity to unify login data, WG, for some reason, forgot to take measures to ensure the security of such.

Here is a list of just the noticed abuses of this “hole,” which is still operating today:

  1. Bypass 2FA (two-factor authentication) protection.

Nothing “wow,” but for example, having only a login-password pair (you can get it in different ways, that’s not the point now) or linking to an account through a third-party service in the WG Personal Account: Facebook, Twitch, YouTube, etc. (not all have it, but the fact of its existence is there), you can bypass the entrance to the Personal Account without a code. What do you need? It is enough to log in using the login-password (or link), which you use in the EU region, on the website of another cluster (Asia or North America). You will then be prompted to link accounts or go to the website of your region. Surprisingly, without a code from the application.

  2. Changing your email, and with it your password, on an account with or without a phone. In the first case, you will simply update your login information, which can be used to log into your account, but you will not be able to change your password or email.

The second option is more interesting because here you can “hijack” the account completely. That is, it is enough to create a dummy according to the guide (it is below), link it to the account, and that’s it. New data, new linked email on the “victim’s” account. There will be no notifications to the main email!

NOTE: accounts with a confirmed region of the Russian Federation/Belarus are out of luck! It is currently impossible to create a dummy account with such a region, but you can only look for another account with a similar region in Asia or America, which is extremely difficult (but theoretically possible).
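As an added example (not from the original post or from Wargaming), here is detection logic for the two patterns listed above: a session on a 2FA-enrolled account that never passed the second factor, and an email change that is not followed by a notice to the previous address. The event types, field names and sample events are all assumptions constructed for illustration.

```python
# Added example: all event types and field names are hypothetical.
# Constructed sample events, oldest first (not real Wargaming logs).
EVENTS = [
    # A1: home-cluster login with second factor, email change followed by a notice
    {"t": 1, "account": "A1", "type": "login_ok", "cluster": "eu", "home": "eu",
     "mfa_enrolled": True, "mfa_passed": True},
    {"t": 2, "account": "A1", "type": "credentials_linked", "email_changed": True},
    {"t": 3, "account": "A1", "type": "notice_sent", "to": "previous_email"},
    # A2: 2FA enrolled, session opened on another cluster with no second factor
    {"t": 4, "account": "A2", "type": "login_ok", "cluster": "asia", "home": "eu",
     "mfa_enrolled": True, "mfa_passed": False},
    {"t": 5, "account": "A2", "type": "credentials_linked", "email_changed": True},
    # A3: no 2FA on the account, email replaced with no notice to the old address
    {"t": 6, "account": "A3", "type": "login_ok", "cluster": "na", "home": "eu",
     "mfa_enrolled": False, "mfa_passed": False},
    {"t": 7, "account": "A3", "type": "credentials_linked", "email_changed": True},
]

def find_abuse(events, notice_window=5):
    """Return (account, finding) pairs for sessions and email changes to review."""
    findings, last_login = [], {}
    for i, ev in enumerate(events):
        acct = ev["account"]
        if ev["type"] == "login_ok":
            last_login[acct] = ev
            if ev["mfa_enrolled"] and not ev["mfa_passed"]:
                cross = ev["cluster"] != ev["home"]
                findings.append((acct, "2fa_skipped_cross_cluster" if cross else "2fa_skipped"))
        elif ev["type"] == "credentials_linked" and ev.get("email_changed"):
            login = last_login.get(acct, {})
            if login.get("mfa_enrolled") and not login.get("mfa_passed"):
                findings.append((acct, "email_change_without_second_factor"))
            # The previous address should be told about the change shortly after it.
            notified = any(
                later["account"] == acct and later["type"] == "notice_sent"
                and later.get("to") == "previous_email"
                and later["t"] - ev["t"] <= notice_window
                for later in events[i + 1:])
            if not notified:
                findings.append((acct, "email_change_without_notice"))
    return findings

if __name__ == "__main__":
    for account, finding in find_abuse(EVENTS):
        print(account, finding)
```
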

Guide to changing email without code:

  1. Download a VPN for a browser with a large list of countries (for example: Urban VPN).
  2. Create a new empty mail/take a temporary service for mail. IMPORTANT: If you are registered on the WG website not under the country of the account, you will no longer be able to use this mail. Make a DIFFERENT one!
  3. The account itself where we will change the email.

The first thing you need to do is check the country where your account is registered; the main thing is to have a VPN for that country. Once you have verified the country, go to the website of any other cluster. It is better to register in another browser or in an incognito window, so that there is no conflict of accounts. Asia or NA – it does not matter here.

Let’s start registering an account. When registering, check the dates of birth with the account where the mail will be changed. It is extremely important that they match. (If the date of birth is not specified, you do not need to specify anything). If there is a mismatch, you may receive the following error: “Only accounts with the same birthday can be linked. Contact Player Support to change the birthday or change the credentials of the account with the different birthday to unique. To do this, log out of all accounts except the one whose credentials you plan to change.”

Create an account either to your email or to a temporary one. It will be this login. After you have created it, you MUST confirm the registration; otherwise it will not let you in. You can now close the browser with a dummy or an incognito window. Go to the account where you will change the mail, then you need to go to this link: eu.wargaming.net/id/credentials/update/. There you will need to log in to the account in the region where the dummy was registered (Asia or America). Once authorized, you will have two options to choose from; select the one where “Use this data for authorization” (i.e., based on data from Asia or America). After that, you will be asked to create a new password; you can use the one you used for registration or another one. After that, you can confirm your email and then add your phone number. The account is now yours without verification.

The downside is that you will have a new reg hanging on another cluster; there are no other downsides.


20 thoughts on “WOT Express: Huge Security Holes at Wargaming”

  1. What the actual fuck??? You posted instructions of hacking into a world of tanks account on a world of tanks news page? Are you fucking insane? Are you trying to feed the hackers with fresh meat? Why would you ever post something like that?

  2. thx, I hacked a friend’s account just to delete it, he spent around $500 in game, he will be very angry in 45 days lol.

  3. WG Support was notified today and responded. Let’s see if they actually do anything about this.

  4. so it applies only to those that account share basically because you still need to know password and email of the acc to begin with..

    and those who share their acc’s are only between friends and family so you’d know who is responsible for you not being able to log in anymore 🙂

  5. This kind of shit does not belong to a blog/forum or whatever. This had to be given secretly and silently as info to WG, so they can fix their system ASAP. Not to some “funny” folks on the Internet that will have “fun” now hijacking accounts left, right and center. Damn, I sense the incoming shitstorm.

  6. I love how people still think that someone actually writes the articles on this site. It’s literally just a bot that checks the wotexpress telegram, wotexpress website and wot eu. And then reposts whatever is announced (translated to English if needed).

    And why are you so worried anyways? Did you only read the headline and not the whole article according to which you need the username, email and birthday of the account? You would have to be a complete idiot to just post those online for everyone to see.

      1. Russia WoT Express and lesta panders commenters is typical but pretty sure Wargaming knew about and fixed already….few days ago during emergency maintenance

          1. Yea is written by lesta-russia player

            The commenters who are pandering to lesta are falling for their clowning

  7. Please delete this post, this type of information does not benefit the game or the players in any way. You can send it to Wg directly so that he can take the appropriate measures.

  8. Why should he do so? Nobody knows for how long WG knows about it already. So people decided to make it public and share the information. It’s a common way. Same happened to big software publishers.

  9. WG was already notified and responded with a bullsht response as expected. Nothing will be done for sure. Basically don’t share your fkn account.

  10. I would recommend investing in my crypto currency website. You can earn 3x profit. You can simply register for free and deposit some money and watch it grow online!
    It’s so simple and everyone’s doing it.
    Don’t miss out and register today!

    Message me in game 👍🏻
