Diablo® III

I thought Blizzard security is good, no HTTPS

Omg u guys are right!!! How did Blizzard miss this??? I will call customer service right now so they can fix this immediately
You guys seem like you know your security so I will ask another question. Why not ask the secret question on login or rotate between 5 of them like SWTOR does? Does it not add another layer to the protection?
This thread has some very interesting points and ideas. Seems to me overall that Blizzard has completely dropped the ball on this one
05/22/2012 08:39 PM Posted by Malicar
You guys seem like you know your security so I will ask another question. Why not ask the secret question on login or rotate between 5 of them like SWTOR does? Does it not add another layer to the protection?


That's a solution :)

But so is:
turning on auto-lockout on failed attempts
making the passwords more complex (either by dual case or extending it, or both)
adding a CAPTCHA
The list goes on....

The problem is these are simple solutions to things that have plagued IT security for many years...Blizz should have known better.
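The mitigations listed in the post above (lockout after repeated failed attempts, a minimum password complexity) sketched as working code. This is an added example, not code from the thread or from Blizzard; the names LoginGuard and check_password_policy, the thresholds, and the sample user are all assumptions. The CAPTCHA item is left out since it needs a challenge service. The guard counts failures in a sliding window, locks the account for a fixed period once the limit trips, refuses to evaluate passwords while locked, and runs a dummy hash for unknown usernames so response time does not reveal which accounts exist.

```python
"""Added example (not from the thread or Blizzard): failed-login lockout plus a
password-policy check. All names and thresholds below are hypothetical."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

MAX_FAILURES = 5          # failures tolerated inside WINDOW_SECONDS
WINDOW_SECONDS = 300      # sliding window over which failures are counted
LOCKOUT_SECONDS = 900     # how long the account stays locked after tripping


def check_password_policy(password, min_length=10):
    """Return a list of policy violations; an empty list means the password passes.
    Mirrors the post's two knobs: length and dual case."""
    problems = []
    if len(password) < min_length:
        problems.append("too short (min %d)" % min_length)
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("must contain both upper and lower case")
    return problems


def hash_password(password, salt=None, rounds=100_000):
    """PBKDF2-HMAC-SHA256 with a random per-user salt (standard library only)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest


class LoginGuard:
    def __init__(self, users, clock=time.monotonic):
        self.users = users                  # name -> (salt, digest)
        self.clock = clock                  # injectable so tests can move time
        self.failures = defaultdict(deque)  # name -> timestamps of recent failures
        self.locked_until = {}              # name -> clock value when lock expires

    def is_locked(self, name):
        return self.clock() < self.locked_until.get(name, 0.0)

    def _record_failure(self, name):
        now = self.clock()
        recent = self.failures[name]
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                # drop failures outside the window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[name] = now + LOCKOUT_SECONDS
            recent.clear()

    def login(self, name, password):
        """Return 'ok', 'bad_credentials' or 'locked'."""
        if self.is_locked(name):
            return "locked"                 # password is not evaluated while locked
        record = self.users.get(name)
        if record is None:
            # Unknown user: do the same amount of work as a real check so timing
            # does not leak which usernames exist, and still count the failure.
            hash_password(password, salt=b"\x00" * 16)
            self._record_failure(name)
            return "bad_credentials"
        salt, digest = record
        _, candidate = hash_password(password, salt=salt)
        if hmac.compare_digest(candidate, digest):
            self.failures.pop(name, None)   # success clears the failure history
            return "ok"
        self._record_failure(name)
        return "bad_credentials"


def demo():
    """Constructed scenario: one user, five wrong guesses, then the right password
    while locked, then the right password after the lock expires."""
    users = {"alice": hash_password("CorrectHorse9")}   # constructed sample user
    now = [0.0]
    guard = LoginGuard(users, clock=lambda: now[0])
    results = [guard.login("alice", "wrong%d" % i) for i in range(5)]
    results.append(guard.login("alice", "CorrectHorse9"))  # correct, but locked
    now[0] += LOCKOUT_SECONDS + 1
    results.append(guard.login("alice", "CorrectHorse9"))  # lock has expired
    return results


if __name__ == "__main__":
    print(check_password_policy("short"))
    print(demo())
```

The clock is injected rather than read from time.monotonic() directly so the lockout window can be exercised deterministically; in production the default clock is used as-is.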
Yeah, I just had to send an "oh sh**" email to have them fix the privacy issue that I forgot to send in. :(
________________________________________________
Tech Support MVP
"...and, we're back!" -Google
05/22/2012 08:40 PM Posted by Gloodizzle
This thread has some very interesting points and ideas. Seems to me overall that Blizzard has completely dropped the ball on this one


I don't know what's more scary.

The fact that something like this could even happen (this is beyond negligence), or if it were purposely done just to battle harden their authentication before introducing the RMAH.

One thing is for certain though. You guys just witnessed how security vulnerabilities are found. This didn't even take 30 minutes to unravel multiple very serious / very big problems with D3's authentication mechanism.

Just a couple of dudes posting on a game forum at 11:30pm. There was no master plan or months of research.
Edited by viscrom#1983 on 5/22/2012 8:45 PM PDT
Yeah, and it's already been published in an edit to my latest blog post, as I've been watching the threads all damn day to find the possible causes. http://www.game-boyz.com/content/node/18677

Jesus.
05/22/2012 08:45 PM Posted by fremd
This thread has some very interesting points and ideas. Seems to me overall that Blizzard has completely dropped the ball on this one


I don't know what's more scary.

The fact that something like this could even happen (this is beyond negligence), or if it were purposely done just to battle harden their authentication before introducing the RMAH.

One thing is for certain though. You guys just witnessed how security vulnerabilities are found. This didn't even take 30 minutes to unravel multiple very serious / very big problems with D3's authentication mechanism.

Just a couple of dudes posting on a game forum at 11:30pm. There was no master plan or months of research.


To be fair, I'm sitting in a NZ Defence Force computer support branch running a filter search on employee browsing habits at 1545 :P
05/22/2012 08:45 PM Posted by fremd
This thread has some very interesting points and ideas. Seems to me overall that Blizzard has completely dropped the ball on this one


I don't know what's more scary.

The fact that something like this could even happen (this is beyond negligence), or if it were purposely done just to battle harden their authentication before introducing the RMAH.

One thing is for certain though. You guys just witnessed how security vulnerabilities are found. This didn't even take 30 minutes to unravel multiple very serious / very big problems with D3's authentication mechanism.

Just a couple of dudes posting on a game forum at 11:30pm. There was no master plan or months of research.


Uh all you really did was pat yourself on the back and talk about WHAT WE ALL ALREADY KNOW. Jesus you are full of yourself.

You got phished, but refuse to accept that even though it has been happening to people for years. You should know this, "you are a developer".
05/22/2012 08:45 PM Posted by fremd
This thread has some very interesting points and ideas. Seems to me overall that Blizzard has completely dropped the ball on this one


I don't know what's more scary.

The fact that something like this could even happen (this is beyond negligence), or if it were purposely done just to battle harden their authentication before introducing the RMAH.

One thing is for certain though. You guys just witnessed how security vulnerabilities are found. This didn't even take 30 minutes to unravel multiple very serious / very big problems with D3's authentication mechanism.

Just a couple of dudes posting on a game forum at 11:30pm. There was no master plan or months of research.


Yeah sorry I was kinda hard at you in the beginning....

I am shocked at what I found within a few mins. I went from thinking you were crazy for thinking Blizzard wouldn't have tested their session management to assuming it is probably broken in the most obvious of ways.

It looks like they went and read a book on how to secure a webapp and then purposely ignored all of it.

I will be playing with session handling tonight. If I find anything I will be sure to steal all your CC info then report it :D

Just kidding (about the CC info thing)
Just wanted to add that Google serves pages after login as https not as a security measure, but as a privacy one. Serving all your search results over SSL prevents someone from casually snooping on the content you're requesting. After the initial login, your credentials are still saved as a local cookie.

And while yes, case-sensitivity in passwords does make it objectively harder to crack, I've read many articles that advocate for requiring longer passwords instead. The argument is that the passwords are more "memorable" and thus people are a) less likely to need a reset since they forgot which letters were caps and b) less likely to just write the password on a sticky note attached to their monitor, thus defeating the purpose. One side has math in its favor and the other has psychology; the best compromise for those concerned is getting an authenticator because two-factor authorization is clearly superior to both.
05/22/2012 08:42 PM Posted by Glides
You guys seem like you know your security so I will ask another question. Why not ask the secret question on login or rotate between 5 of them like SWTOR does? Does it not add another layer to the protection?


That's a solution :)

But so is:
turning on auto-lockout on failed attempts
making the passwords more complex (either by dual case or extending it, or both)
adding a CAPTCHA
The list goes on....

The problem is these are simple solutions to things that have plagued IT security for many years...Blizz should have known better.


In prep for D3 I realized my WoW account had been hacked also. However, no breach ever occurred on the associated email or website to my knowledge. No passwords were ever changed. The account was somehow banned for whatever reason. Now all this goes down and I can only wonder why there are not more security measures here at Blizzard that don't involve authenticators.

I do my part in securing my system and following a strict set of guidelines, and here we have Blizzard of all companies not even using standard practice to secure one of the largest gaming networks in the business. Not to mention one with a real money auction hall. This whole situation really stinks something fierce. I'm not really happy about it at all.
Can you add a SC2 license to my account while you're at it :)
Everybody and their brother are security experts. Curious.