Diablo® III

I thought Blizzard security was good, no HTTPS

MVP - Technical Support
Yeah, and it's already been published in an edit to my latest blog post, as I've been watching the threads all damn day to find the possible causes. http://www.game-boyz.com/content/node/18677

Jesus.


Heh:

Portion of Users: A lot, as the most common business password in NA is "123456". I wish I was joking on this one.


I used to run the site unrealbnet.com which I later moved to teelosdomain.net
My registration page says that I don't encrypt the passwords, which is deliberate. Until I insisted some of my users change their passwords, half of them had used synonyms for !@#$% as their password.

I think I found an SQL injection for that back in the day :/

Oh, hi again btw, Teelo!
________________________________________________
Tech Support MVP
"...and, we're back!" -Google


How about you worry about not getting phished and let the big boys (the ones that are actually doing the work) worry about security.


Cool story. Can you post any examples or thought processes you've had on systems you've engineered over the years where you were in charge of creating a multi-layered, scalable authentication solution designed for a high-traffic site?

Would you like to compare the security notes you've gathered over the years on a public, open site that people can contribute to? Perhaps we could swap GitHub profiles and discuss development-related security issues in a Gist or two?

I'm more than willing to communicate with a fellow developer. I live for this stuff.


I think you just won the internet.

+1

p.s. you are intimidating >=(
05/22/2012 08:50 PM Posted by Glides


I don't know what's more scary.

The fact that something like this could even happen (this is beyond negligence), or if it were purposely done just to battle harden their authentication before introducing the RMAH.

One thing is for certain though. You guys just witnessed how security vulnerabilities are found. This didn't even take 30 minutes to unravel multiple very serious / very big problems with D3's authentication mechanism.

Just a couple of dudes posting on a game forum at 11:30pm. There was no master plan or months of research.


Yeah, sorry I was kinda hard on you in the beginning....

I am shocked at what I found within a few minutes; I went from thinking you were crazy for thinking Blizzard wouldn't have tested their session management to assuming it is probably broken in the most obvious of ways.

It looks like they went and read a book on how to secure a webapp and then purposely ignored all of it.

I will be playing with session handling tonight. If I find anything I will be sure to steal all your CC info then report it :D

Just kidding (about the CC info thing)


No problem.

When you said you were able to get a list of e-mail addresses, was this by using their btag as a key or did you figure out a way to actually get multiple e-mails without any key?
Aaand an editorial, 'cos obviously this needs to be spread: http://www.game-boyz.com/content/node/18678

Proper credit given to Fremd and Maged; if there's someone I missed, let me know immediately here.
I think I just came to the realization that I know absolutely nothing about almost anything in this thread. How very discouraging.

WOOOSH
Aaand an editorial, 'cos obviously this needs to be spread: http://www.game-boyz.com/content/node/18678

Proper credit given to Fremd and Maged; if there's someone I missed, let me know immediately here.


:(
I'll fact-check that, and edit it in if I can get a source. Thank you, Teelo.

EDIT: Oh, Glide too? Gotcha! XD
Edited by ReviewerJay#2705 on 5/22/2012 9:06 PM PDT
Aaand an editorial, 'cos obviously this needs to be spread: http://www.game-boyz.com/content/node/18678

Proper credit given to Fremd and Maged; if there's someone I missed, let me know immediately here.
The same problem existed with WoW after Battle.net 2.0 came out, until someone pointed out the error and they fixed it.

Then the same problem happened again with StarCraft 2 until someone pointed out the mistake and they fixed it.

Then the same problem happened again with the new forums.


Lol, guess they will never learn... ><
05/22/2012 08:56 PM Posted by fremd
When you said you were able to get a list of e-mail addresses, was this by using their btag as a key or did you figure out a way to actually get multiple e-mails without any key?

I'd prefer if this wasn't discussed, since the entire Battle.net email list could be leaked. Blizzard is now aware of the issue.

I'm sorry, but if you're already using a password that would be in a dictionary, you've already lost, regardless of case sensitivity.

Thousands of dollars per day can be saved in support resources by making passwords case-insensitive.

And again, brute-force attacks are only possible if you get direct access to the database. Very basic defenses - hell, the lag of the internet itself - are enough to defend against a dictionary attack attempted over the internet.


Completely false. I do this for a living.


Please... just stop saying stuff like "I'm an expert" and "I do this for a living".

It sounds more and more like you are NOT and do not.
Not gonna post about that one, Maged, got my word on that. After all, that's a *really* serious hole that should only be mentioned *after* the fact.
When you said you were able to get a list of e-mail addresses, was this by using their btag as a key or did you figure out a way to actually get multiple e-mails without any key?

I'd prefer if this wasn't discussed, since the entire Battle.net email list could be leaked. Blizzard is now aware of the issue.


Agreed, I had out what I did - then decided not to post.
Edited by Glides#1858 on 5/22/2012 9:12 PM PDT

I'd prefer if this wasn't discussed, since the entire Battle.net email list could be leaked. Blizzard is now aware of the issue.


Agreed, I had out what I did - then decided not to paste.

Still send what you have to Blizzard. My report was not very detailed, since I never did have time to investigate it fully.


Completely false. I do this for a living.


Please... just stop saying stuff like "I'm an expert" and "I do this for a living".

It sounds more and more like you are NOT and do not.


I'm sorry, who are you?


Agreed, I had out what I did - then decided not to paste.

Still send what you have to Blizzard. My report was not very detailed, since I never did have time to investigate it fully.


I will.

I was planning on looking at session management tonight and writing up my concerns. Regardless of whether we have agreed on everything talked about here... I think we can agree that:

No Lockout + Weak Passwords + gathered username list = easy target. Even over the internet :D
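The combination the post above boils down to (no lockout, weak passwords, a harvested username list) can be shown in working code. The following is an added example written for this page, not Blizzard's code or any poster's; the accounts, passwords and "common passwords" dictionary are constructed, and the AuthService, spray and run_demo names are assumptions for the demo. It runs the same low-and-slow password spray against a login endpoint twice, once with no lockout and once with a per-account lockout, and also shows what a case-insensitive password check does to a guess like "PASSWORD1".

```python
"""Password spraying against a harvested username list, with and without an
account lockout policy.  Constructed demo data; not Blizzard's code."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample accounts: a "harvested" username list and the kind of
# weak passwords the thread describes.  Passwords are stored as salted
# PBKDF2 hashes so the attack does not depend on the storage being plaintext.
SAMPLE_USERS = {
    "alice#1234": "123456",
    "bob#5678": "Password1",
    "carol#9012": "Xq7!vL2#pR9z",   # a strong password; survives the spray
    "dave#3456": "diablo",
}
# A small "most common passwords" list, constructed for the demo.
COMMON_PASSWORDS = ["123456", "password", "diablo", "Password1", "qwerty"]

# Low iteration count keeps the demo fast; use far more in production.
PBKDF2_ROUNDS = 20_000


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


class AuthService:
    """Minimal online login endpoint (hypothetical, for the demo).
    max_failures=None means no lockout at all."""

    def __init__(self, users, max_failures=None, case_insensitive=False):
        self.max_failures = max_failures
        self.case_insensitive = case_insensitive
        self.accounts = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self.accounts[name] = Account(salt, hash_password(self._norm(pw), salt))

    def _norm(self, pw):
        # Case-insensitive checking folds every password to one case before
        # hashing, which shrinks the space an online guesser has to cover.
        return pw.lower() if self.case_insensitive else pw

    def login(self, name, password):
        acct = self.accounts.get(name)
        if acct is None or acct.locked:
            return False
        candidate = hash_password(self._norm(password), acct.salt)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failures = 0
            return True
        acct.failures += 1
        if self.max_failures is not None and acct.failures >= self.max_failures:
            acct.locked = True
        return False


def spray(service, usernames, dictionary):
    """Classic spray: one guess per user per word, cycling through the whole
    username list before moving to the next word.  Returns
    (compromised usernames, login attempts made)."""
    compromised = set()
    attempts = 0
    for word in dictionary:
        for name in usernames:
            if name in compromised:
                continue
            attempts += 1
            if service.login(name, word):
                compromised.add(name)
    return compromised, attempts


def run_demo():
    """Run the same spray with and without lockout; returns per-policy
    (sorted compromised list, attempts, accounts locked)."""
    usernames = list(SAMPLE_USERS)
    results = {}
    for label, policy in [("no lockout", None), ("lockout after 3", 3)]:
        svc = AuthService(SAMPLE_USERS, max_failures=policy)
        got, n = spray(svc, usernames, COMMON_PASSWORDS)
        locked = sum(a.locked for a in svc.accounts.values())
        results[label] = (sorted(got), n, locked)
    return results


if __name__ == "__main__":
    for label, (got, n, locked) in run_demo().items():
        print(f"{label:17s} compromised={got} attempts={n} locked={locked}")
```

Without lockout, thirteen guesses over the internet take three of the four accounts; with lockout after three failures only the two accounts whose password was in the first three words fall, and the rest lock. The caveat a practitioner should keep in mind is that a hard lockout hands the same attacker, who already has the username list, a trivial way to lock everyone out; rate limiting with progressive delays, plus monitoring of distributed failures across many accounts, is the usual compromise.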