Diablo® III

I thought Blizzard security is good, no httpS

Posts: 1,127
Why can I make posts on the forums through a non-secure http connection? Go look at your cookies for this web site. There's a login.key as well as multiple session IDs.

These hold credentials that are transferred to and from the server when you make a post to the forums. They are being sent over an unsecure network (http is NOT secure). If someone were to get your login.key and refresh their browser they could potentially become logged in as you depending on how Blizzard has their session management layer set up.

The authentication server for battle.net is coded to support http(s) requests (remote auction house in WoW). It's possible the game client is also transmitting your information insecurely, possibly even in plain text when you actually send the e-mail/password.

Between this and passwords not being case sensitive I cannot believe that Blizzard is invulnerable to exploits. This is just sheer negligence.
Reply Quote
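
Editor's added example (not part of the original post and not Blizzard's code): the mechanism the post above describes, modelled in Python. A cookie set by an HTTPS login page is still attached to plain-http forum requests unless it carries the `Secure` attribute. Only the name `login.key` comes from the post; the other cookie names, all values and the `forum.example` host are constructed.

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie headers, as an HTTPS login page might return them.
# Only the name login.key is from the post; everything else is made up.
SAMPLE_SET_COOKIE = [
    "login.key=CONSTRUCTED-VALUE-1; Path=/",
    "forum.session=CONSTRUCTED-VALUE-2; Path=/; HttpOnly",
    "hardened.session=CONSTRUCTED-VALUE-3; Path=/; Secure; HttpOnly; SameSite=Lax",
]

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue  # tolerate a trailing ';'
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) have no value; store True.
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs

def cookies_sent(headers, url):
    """Names of cookies a browser would attach to a request for url.

    Only the Secure attribute is modelled: a cookie without it is sent
    over plain http:// as well as https://.
    """
    is_https = urlsplit(url).scheme == "https"
    sent = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if is_https or "secure" not in attrs:
            sent.append(name)
    return sent

def audit(headers):
    """Map each cookie name to the hardening attributes it lacks."""
    report = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if missing:
            report[name] = missing
    return report

if __name__ == "__main__":
    print("sent over http :", cookies_sent(SAMPLE_SET_COOKIE, "http://forum.example/post"))
    print("sent over https:", cookies_sent(SAMPLE_SET_COOKIE, "https://forum.example/post"))
    print("missing flags  :", audit(SAMPLE_SET_COOKIE))
```
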
Blue needs to address this, I too have been poking around, and seeing some questionable security issues as it relates to data transfer.
Reply Quote
SSL is still broken to MITM attacks.
You are assuming they also have broken session management.

They are using JavaScript too, they must be vulnerable to XSS huh?
Rather than starting a conspiracy theory that the client is sending your password in plain-text...why not open up Wireshark and sniff the packets out and have a look yourself?

Knowing how exploits work vs actually doing it in the wild = very different topics.
Reply Quote
Posts: 71
Can you tell me which gaming website that uses https where their account is connected to both the web page and game?

Because League of Legends doesn't have https..
Edited by Superstore#1699 on 5/22/2012 7:30 PM PDT
Reply Quote
90 Blood Elf Mage
10690
Posts: 136
every login page is https.

do you not understand how web pages work?
Reply Quote
Posts: 1,127
I'm not spreading any conspiracy theories.

Look at Google. If you're not logged in then they serve their pages unsecurely with regular http.

As soon as you login to Google every single page you ever touch is secure (https). Google values the security of your account.

They are not the only large web site that values the security of their users.
Reply Quote
Posts: 71
every login page is https.

do you not understand how web pages work?


Actually, only web pages that have https enabled will have https.
Reply Quote
every login page is https.

do you not understand how web pages work?


Actually, only web pages that have https enabled will have https.


Which is the LOGIN PAGE. That is the only place it is needed.

omg i need https for my uber posts

Come on guys...especially you fremd
Reply Quote
The login page is https

In theory, they could get your cookies and login as you, but they'd have to have a program on your computer already, and that's honestly not Blizzard's problem.
Reply Quote
Posts: 1,127


Actually, only web pages that have https enabled will have https.


Which is the LOGIN PAGE. That is the only place it is needed.

omg i need https for my uber posts

Come on guys...especially you fremd


If that were the case then Google wouldn't be wasting extra CPU cycles and money to serve their entire web site through a secure connection after you login.

Having a secure login page is not close to enough.
Reply Quote
Good job, you learned a security term, and now you're here to show off.

If someone can get a hold of your keys you're already screwed, and it means you're not doing a lot of things right.

That's not Blizzard's fault.
Reply Quote


Which is the LOGIN PAGE. That is the only place it is needed.

omg i need https for my uber posts

Come on guys...especially you fremd


If that were the case then Google wouldn't be wasting extra CPU cycles and money to serve their entire web site through a secure connection after you login.

Having a secure login page is not close to enough.


How about you worry about not getting phished and let the big boys (the ones that are actually doing the work) worry about security.
Reply Quote
Posts: 1,127
Learned? Sure, about 8 years ago.

It just dawned on me now that I'm transferring the keys to my personally identifiable information through an unsecure connection on a multi-million dollar corporation's web site that is about to introduce a RMAH and is currently suffering from having a non-trivial amount of players' accounts compromised.
Reply Quote
So explain this to me.. if this site is unsecured they can log in as me...
the worst that will happen is they post some rubbish on the forums.. they can't bypass authenticator, they CANT log into Diablo 3 through my webpage can they?
so explain how they can get my gold IN GAME just by being logged in as me on this forum?
Reply Quote
I am fully aware of how SSL works.

I make a living by doing security audits. Basically I get paid to be a hacker, as long as I write up a report about it and tell them how to fix it.

Each site is different, just because google does it one way doesn't mean that's how battle.net does it.

And trust me just because you don't see HTTPS doesn't mean you aren't secure.

Even if you did see HTTPS - HTTPS is still flawed - if you have someone sniffing traffic on your network chances are they know how to use SSLstrip and defeat SSL security completely.

This means you need someone on your network already that is acting as a Man-in-the-middle to sniff out the session info. You have bigger issues to worry about than Diablo 3 if this is the case.

Session info can be safely written to cookies and sent plain-text if the session management is done properly.
Reply Quote
My source is my career, not google.
Reply Quote
Posts: 1,127


If that were the case then Google wouldn't be wasting extra CPU cycles and money to serve their entire web site through a secure connection after you login.

Having a secure login page is not close to enough.


How about you worry about not getting phished and let the big boys (the ones that are actually doing the work) worry about security.


Cool story. Can you post me any examples or thought processes you've had on systems that you've engineered over the years where you were in charge of creating a multi-layered scalable authentication solution that is designed to be used on a high traffic site.

Would you like to compare security notes that you've gathered over the years into a public open site that people can contribute to. Perhaps we could swap Github profiles and discuss development related security issues in a Gist or 2?

I'm more than willing to communicate with a fellow developer. I live for this stuff.
Reply Quote
Developer /= Security Expert

I am reminded of this every time I find a 0day
Reply Quote


How about you worry about not getting phished and let the big boys (the ones that are actually doing the work) worry about security.


Cool story. Can you post me any examples or thought processes you've had on systems that you've engineered over the years where you were in charge of creating a multi-layered scalable authentication solution that is designed to be used on a high traffic site.

Would you like to compare security notes that you've gathered over the years into a public open site that people can contribute to. Perhaps we could swap Github profiles and discuss development related security issues in a Gist or 2?

I'm more than willing to communicate with a fellow developer. I live for this stuff.


I'm not a developer, and it is quite obvious you are less of one than you would like to think.

Seriously, you got phished. Stop coming up with these huge claims like you are some professional that just figured out what a billion dollar company doesn't know. You didn't.
Reply Quote
Posts: 1,127
05/22/2012 07:42 PM Posted by Glides
Session info can be safely written to cookies and sent plain-text if the session management is done properly.


Like I said in my original post, I have reason to believe this is not the case in Blizzard's case. Every day that I look at their system as an outsider I find a new vulnerability in their system without even trying.

Today I realized posts are sent unsecurely.
Yesterday I typed my password in and I forgot a capital and it still worked.

Total insanity IMO. They are about to link your Paypal or bank accounts to their accounts in preparation for their RMAH.
Reply Quote
