Diablo® III

Server vulnerability: I have a serious lead

I have been following the hundreds/thousands of reports of compromised accounts over the last few days and I think I found a pattern.

It's not foolproof because I have not checked every single post of every single thread (impossible to keep track of as 1 person).

I did however go through about 1,200 assorted posts across about 8 threads and my pattern still holds true.

Here is the pattern I have found:

In most threads the people who are reporting being compromised have a D3 or SC2 avatar. If you click the little arrow next to their name it shows your FULL btag.

For example mine is fremd#846, however when I edit my post it shows viscrom#1983. That is because my true btag is viscrom#1983.

Another pattern I noticed is a ton of WoW guys saying we're all stupid and got phished. WoW avatars do NOT show the full btag.

Having access to a btag is the GATEWAY to someone's account if there is a vulnerability. That is your unique identifier. With just your btag it would be possible to obtain all of your information if a server vulnerability existed.

So my current theory is that:

1. If you post on the forums and your full btag is posted, you are at risk.
2. If you join a public game and people can see your btag, you are at risk.
3. If you bought or sold anything on the AH, you are at risk (not because of the AH, but because there might be a vulnerability that exists that allows people to get your btag).
4. If you friended anyone, you are at risk (they will get your btag).

For the sake of making the game safe, please include if you're posting on a secondary account on the forums (100% separate bnet account) while still having a safe D3 account while still showing a SC2 or D3 avatar.

Even if this is wrong, it's one less thing to worry about. I will say this though: none of my friends have been compromised, and the only difference between them and me is that I post on the forums and they do not. Half of my friends don't even pay attention to computer security and are generally clueless, while I am the exact opposite.

It would be super trivial to make a crawler that just scoops full btags from Blizzard's forums. They could have tens of thousands of btags in a list. Your name might be next.
Edited by viscrom#1983 on 5/21/2012 11:26 AM PDT
Reply Quote
Well, congratulations on wasting a lot of time.

Edit: To add detail, your theory is bad, and you should feel bad...

It shows a lack of understanding about client-server architecture, as well as security. As someone else pointed out, if someone had the ability to get direct access to Blizzard's servers and databases, they would not go after your gear, they'd go after the credit-card info etc.

Someone you know, or some computer you used, or some website you log into, or yourself in denial, got phished, keylogged, hacked, or just had a !@#$ty password that got bruteforced.

I've played Diablo 2, WoW, SC2, and now DIII, posted on forums regularly, and never had an incident of hacking. I don't have an authenticator (nothing wrong with them, they do add security btw). I just am not an idiot. I use different passwords for 3rd party forums/sketchy websites/etc than I do for stuff that matters, and I have a complex password.

The folks who got hacked either are oblivious to their security, or perhaps all go on a 3rd party website that harvested their email passwords and used them all to steal Diablo stuff, etc etc.

That being said, I wouldn't rule out server error/bug (hence the reports of "blizz claims I wasn't hacked.. but my stuff is gone"). And no, Blizzard wouldn't necessarily announce anything..
Edited by Kanim#1648 on 5/21/2012 12:55 PM PDT
Reply Quote
Wow, that's really interesting, man. Thanks for the info.
Reply Quote
Or you have a vulnerability on your system, or you got phished. Since those are far more likely to be the case, and people who have that happen will never admit it, and I've been posting with my BattleTag since beta started and haven't had any problems, I'm going with "You guys have bad personal security" over the idea that the D3 servers got hacked but only a small handful of people have been impacted.
Reply Quote
Sometimes the most obvious answer is the correct one. People are getting keylogged, phished, socially engineered, etc. Blizzard didn't get hacked. If they did, the kind of people who have that ability and the resources to pull it off aren't going to care about your in-game Diablo items. They're going to be after credit card data and intellectual property. Period.
Reply Quote
I did not post on these forums, or really any forums, showing my battle tag until today (after getting hacked).

Also, I seem to have been hacked by the same Luckerz guy (or whatever his name is) as other people on this forum, so whatever is happening, it's all connected somehow.


My previous theory was the AH was compromised and that a tool may have been created to allow someone to obtain and hijack your account just by buying or selling an item.

Have you used the AH?

Because the AH sits on top of bnet. Just using the AH could potentially give them your btag through a vulnerability.
Reply Quote
Would be nice to get some info from Blizz on this.
Reply Quote
I did not post on these forums, or really any forums, showing my battle tag until today (after getting hacked).

Also, I seem to have been hacked by the same Luckerz guy (or whatever his name is) as other people on this forum, so whatever is happening, it's all connected somehow.


My previous theory was the AH was compromised and that a tool may have been created to allow someone to obtain and hijack your account just by buying or selling an item.

Have you used the AH?

Because the AH sits on top of bnet. Just using the AH could potentially give them your btag through a vulnerability.


That still doesn't explain how they are getting the passwords, which are in an encrypted database, on a well-protected server, etc and so on.
Reply Quote
They do not need passwords to access your account. This was already covered.
Reply Quote
05/21/2012 11:24 AM Posted by Muppetz3
Would be nice to get some info from Blizz on this.
They don't really have any info to give. People are getting hacked, keylogged, socially engineered, etc. on their end. Blizzard can't hire people to stand watch over your personal computer.
Reply Quote
05/21/2012 11:26 AM Posted by fremd
They do not need passwords to access your account. This was already covered.
Except they do. The only ones who don't need to type in your password to access your account are GMs, who have a special software tool available only within the confines of Blizzard's protected environment.

No matter if someone has your tag, they still need to obtain your password, which requires a slip-up on the end of the user in some way, shape, or form.
Edited by moojerk#1213 on 5/21/2012 11:29 AM PDT
Reply Quote
05/21/2012 11:27 AM Posted by moojerk
They do not need passwords to access your account. This was already covered.
Except they do. The only ones who don't need to type in your password to access your account are GMs, who have a special software tool available only within the confines of Blizzard's protected environment.


Except you're wrong, because after you log in the game server is going to assume you're telling the truth, because you're already authenticated.

All I have to do is trick the server into thinking that I'm you and I'm in. I wouldn't even need to touch the login server. Why do you think SO MANY reports from Blizz reps are saying people's accounts are NOT compromised? Because their logs are only showing that no one logged in. These people are accessing your account WITHOUT logging in.

Stuff like this happens all the time in the wild.
Reply Quote
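The disagreement above comes down to one design question: once a player has logged in, what does the server check on every later request? Below is an added illustration, not written by anyone in this thread and not Blizzard's code; the account store, the server key, the token format and the sample battletags are all constructed for the example. It contrasts a service that acts on whatever identifier the client sends with one that only acts on an identity it can verify from a server-signed session token, so that knowing someone's battletag is not enough to be treated as them.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side signing secret, constructed for this example.
SERVER_KEY = secrets.token_bytes(32)

# Constructed account store: battletag -> salted password hash.
_SALT = b"constructed-salt-for-example"


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


ACCOUNTS = {"viscrom#1983": _hash_pw("correct horse battery", _SALT)}


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def login(battletag: str, password: str):
    """Authenticate once. Returns an opaque session token, or None."""
    stored = ACCOUNTS.get(battletag)
    if stored is None:
        return None
    if not hmac.compare_digest(stored, _hash_pw(password, _SALT)):
        return None
    nonce = secrets.token_hex(16)            # unguessable per-session value
    expiry = int(time.time()) + 3600         # one-hour lifetime
    payload = f"{battletag}|{nonce}|{expiry}".encode()
    return payload.decode() + "|" + _sign(payload)


def account_for_request(claimed_battletag: str, token):
    """Hardened design: the identity the server acts as comes from the
    verified token, never from the identifier the client merely claims."""
    if token is None:
        return None
    try:
        battletag, nonce, expiry, mac = token.split("|")
    except ValueError:
        return None
    payload = f"{battletag}|{nonce}|{expiry}".encode()
    if not hmac.compare_digest(mac, _sign(payload)):
        return None                          # forged or tampered token
    if int(expiry) < time.time():
        return None                          # expired session
    if battletag != claimed_battletag:
        return None                          # token belongs to someone else
    return battletag


def weak_account_for_request(claimed_battletag: str):
    """The design the thread worries about: trusting the identifier alone,
    so anyone who knows a battletag is treated as that account."""
    return claimed_battletag if claimed_battletag in ACCOUNTS else None


if __name__ == "__main__":
    token = login("viscrom#1983", "correct horse battery")
    print("valid token  ->", account_for_request("viscrom#1983", token))
    print("no token     ->", account_for_request("viscrom#1983", None))
    print("weak service ->", weak_account_for_request("viscrom#1983"))
```

The point of the contrast: in the hardened version every request after login carries a secret the server issued, and that secret is checked with a key only the server holds, so the battletag on its own settles nothing. In the weak version the battletag is the whole credential, which is exactly the property the original post is worried about.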
90 Pandaren Rogue
17470
My previous theory was the AH was compromised and that a tool may have been created to allow someone to obtain and hijack your account just by buying or selling an item.

Have you used the AH?

Because the AH sits on top of bnet. Just using the AH could potentially give them your btag through a vulnerability.


Just out of curiosity, how many times have you used your BattleTag to log into anything? Or even seen any instance of Blizzard asking for your password at the same time as your BattleTag?

That's right. You haven't. Your BattleTag, while a unique identifier in-game, has no connection to anything involving account access.

As for your comment about how the "AH sits on top of bnet": that makes no sense whatsoever. The AH is contained within the D3 servers. It doesn't ambiguously float apart from anything else; it is part of the game.

If Battle.net had been hacked, then Blizzard would have announced it by now. Why? Because they have an obligation to their customers to alert them that their information has potentially been compromised. Sony, Steam, and all the other gaming companies out there that were hacked announced it right away.

Blizzard has always taken security seriously. Those little authenticators aren't a cash grab, they're a legitimate method of account security. And if you have a mobile device, or a home phone, you can get one for free.

If your account has been compromised, then YOU did something (even unknowingly), and it's your responsibility to fix it.
Reply Quote
My previous theory was the AH was compromised and that a tool may have been created to allow someone to obtain and hijack your account just by buying or selling an item.

Have you used the AH?

Because the AH sits on top of bnet. Just using the AH could potentially give them your btag through a vulnerability.


Just out of curiosity, how many times have you used your BattleTag to log into anything? Or even seen any instance of Blizzard asking for your password at the same time as your BattleTag?

That's right. You haven't. Your BattleTag, while a unique identifier in-game, has no connection to anything involving account access.

As for your comment about how the "AH sits on top of bnet": that makes no sense whatsoever. The AH is contained within the D3 servers. It doesn't ambiguously float apart from anything else; it is part of the game.

If Battle.net had been hacked, then Blizzard would have announced it by now. Why? Because they have an obligation to their customers to alert them that their information has potentially been compromised. Sony, Steam, and all the other gaming companies out there that were hacked announced it right away.

Blizzard has always taken security seriously. Those little authenticators aren't a cash grab, they're a legitimate method of account security. And if you have a mobile device, or a home phone, you can get one for free.

If your account has been compromised, then YOU did something (even unknowingly), and it's your responsibility to fix it.


Sony took a week to admit it.

Trion didn't admit anything until someone shoved it in their face.
Edited by TelMeDragon#1146 on 5/21/2012 11:40 AM PDT
Reply Quote
My previous theory was the AH was compromised and that a tool may have been created to allow someone to obtain and hijack your account just by buying or selling an item.

Have you used the AH?

Because the AH sits on top of bnet. Just using the AH could potentially give them your btag through a vulnerability.


Just out of curiosity, how many times have you used your BattleTag to log into anything? Or even seen any instance of Blizzard asking for your password at the same time as your BattleTag?

That's right. You haven't. Your BattleTag, while a unique identifier in-game, has no connection to anything involving account access.

As for your comment about how the "AH sits on top of bnet": that makes no sense whatsoever. The AH is contained within the D3 servers. It doesn't ambiguously float apart from anything else; it is part of the game.

If Battle.net had been hacked, then Blizzard would have announced it by now. Why? Because they have an obligation to their customers to alert them that their information has potentially been compromised. Sony, Steam, and all the other gaming companies out there that were hacked announced it right away.

Blizzard has always taken security seriously. Those little authenticators aren't a cash grab, they're a legitimate method of account security. And if you have a mobile device, or a home phone, you can get one for free.

If your account has been compromised, then YOU did something (even unknowingly), and it's your responsibility to fix it.


You're a WoW player, your tag is hidden.

Doesn't WoW have a remote AH that lets you use the AH without being in WoW? Do you understand how this works? The AH is not implemented inside of WoW.

The AH is designed to be a service that can be used by multiple clients. Your mobile app is a client. The WoW application is a client. Both of these are different; however, they access the same service (the AH).

To authenticate yourself to the AH properly requires that you log in to bnet, hence the AH is a layer on top of bnet. It depends on bnet to function.

EDIT:
Do you really think Blizzard coupled the AH into the actual D3 server binaries? They already have the technology to have a remote AH, since they are doing it with WoW, and they plan to create a RMAH in D3.

Don't you think they want little Jimmy to be sitting on a train while he comes home from school and be able to buy that shiny sword for $18 through his mobile phone? Sure they do.

Come back when you've been a software developer for over a decade and then we'll talk system architecture.
Edited by viscrom#1983 on 5/21/2012 11:44 AM PDT
Reply Quote
@Caius - You seem to be real smart, so here.

^ Explain how people with an authenticator are getting hacked, and how they are changing our passwords without using email verification? Thanks.

On subject, AH is my leading guess also.
Reply Quote