Diablo® III

Session Spoofing

100 Human Paladin
15970
Posts: 3,388
06/05/2012 12:26 PM Posted by Daemonne
BUT, when I am in a party with other players and I log off, a message pops up on my screen saying that I will not (paraphrasing to the best of my recollection) be logged out of the game or cease to be part of the party or something.


That's pretty much the exact opposite of what is said.
Technically impossible? Really?

Anyone who's a bit aware of computer networking and security would tell you that nothing's impossible.

The probability might be low, and I believe that what's currently happening might be something different than the spoofing described here.

BUT, whoever stated in a previous post that, in a spoofing case, the IP has to be spoofed too is right, but the point is that it is perfectly possible to spoof this IP without even doing anything on the target IP, so there is no way the victim can be somehow responsible / infected / whatever.

It is not easy, but it is possible.

Also, regarding the facts (and only the facts):

- a lot of people getting hacked (several hundred, maybe more)
- only the D3 account "stolen"
- it seems only the last played character is targeted (to be confirmed)

This lets the keylogger probability go to... 0.0000000000001%.

The reason is easy: all those people would have had ALL their characters wiped out AND would probably also have suffered different side effects, such as a PayPal account stolen / bank account / Steam account etc., you know, something more sensitive that would, with no doubt, interest people driven by money.

So the logical conclusion is that maybe some users are somehow infected, but the majority of the hacked people had nothing to be blamed for, and the issue is somewhere server-side.

Strange fact: the hack began just after the mysterious server crash that happened the first Sunday, and don't make me believe it was a planned maintenance from Blizzard, on a Sunday afternoon.

So what would be great for Blizzard to do is to keep investigating this issue clearly (and I believe this is their top priority as I write these lines),
OFFER the rollback for the hacked people; it's not fair for them to be punished a 2nd time,

stop blaming the players. While it is a great thing (and necessary) to make them change their password and check that their systems are sane, it is really rude to just respond to them "this is all your fault" while obviously it is not, and the more time goes on, the more obvious it is.


You can't spoof an IP address. If you attempted to spoof my IP, you would send the packets and the server might reply by sending the packets to me, if it didn't ignore the packets altogether.

You can poison a user and route all of their traffic through you. If you have that much control of them, then you likely have enough to get their userid and password anyway.
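As an added illustration of the point made in the post above (this code is not from the thread, from Blizzard or from any poster), the following Python model shows why putting a forged source address on packets is not enough to take over a TCP session: the server's SYN-ACK is routed to the address written in the packet, so a blind spoofer never sees the initial sequence number (ISN) it has to acknowledge. The only way the blind attack completes is when the server's ISN is predictable, the classic weakness that modern TCP stacks close by randomizing ISNs (RFC 6528). The addresses, the ISN step and the simulated network are constructed for the example, and the victim is modelled as silent, which is the attacker's best case (a real host would normally answer the unexpected SYN-ACK with a RST).

```python
import secrets
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0


class Network:
    """Toy network: a packet is delivered only to the mailbox of its
    destination address. The attacker may write any source address on a
    packet but can only read the mailbox of the address it really owns."""

    def __init__(self):
        self.mailboxes = {}

    def register(self, addr):
        self.mailboxes[addr] = []

    def send(self, pkt):
        if pkt.dst in self.mailboxes:  # packets to unknown hosts are dropped
            self.mailboxes[pkt.dst].append(pkt)

    def deliver(self, addr, handler):
        queue, self.mailboxes[addr] = self.mailboxes[addr], []
        for pkt in queue:
            handler(pkt)


class Server:
    ISN_STEP = 64_000  # constructed: old-style predictable increment per connection

    def __init__(self, addr, net, predictable_isn):
        self.addr, self.net, self.predictable_isn = addr, net, predictable_isn
        self.next_isn = 1_000_000
        self.half_open = {}   # claimed client address -> ISN we sent it
        self.established = set()
        net.register(addr)

    def _choose_isn(self):
        if self.predictable_isn:
            isn, self.next_isn = self.next_isn, self.next_isn + self.ISN_STEP
            return isn
        return secrets.randbelow(2**32)  # RFC 6528 style: unguessable

    def handle(self, pkt):
        if pkt.flags == "SYN":
            isn = self._choose_isn()
            self.half_open[pkt.src] = isn
            # The SYN-ACK goes to the *claimed* source, whoever really owns it.
            self.net.send(Packet(self.addr, pkt.src, "SYN-ACK", isn, pkt.seq + 1))
        elif pkt.flags == "ACK" and pkt.src in self.half_open:
            if pkt.ack == self.half_open[pkt.src] + 1:
                self.established.add(pkt.src)
            del self.half_open[pkt.src]


def legitimate_connect(net, server, client_addr):
    """Normal three-way handshake from an address the client owns.
    Returns the server ISN the client observed."""
    net.send(Packet(client_addr, server.addr, "SYN", seq=1))
    net.deliver(server.addr, server.handle)
    synack = net.mailboxes[client_addr].pop()
    net.send(Packet(client_addr, server.addr, "ACK", seq=2, ack=synack.seq + 1))
    net.deliver(server.addr, server.handle)
    return synack.seq


def blind_spoof(predictable_isn):
    """Attacker at 10.0.0.66 forges 10.0.0.99 (the victim) as source.
    Returns True if the server ends up with a session it believes is the victim's."""
    net = Network()
    server = Server("10.0.0.1", net, predictable_isn)
    net.register("10.0.0.66")  # attacker's real address
    net.register("10.0.0.99")  # victim; the attacker cannot read this mailbox
    # 1. Probe from the attacker's own address to sample the server's ISN.
    probe_isn = legitimate_connect(net, server, "10.0.0.66")
    # 2. Forged SYN: the server's SYN-ACK lands in the victim's mailbox.
    net.send(Packet("10.0.0.99", server.addr, "SYN", seq=7))
    net.deliver(server.addr, server.handle)
    assert net.mailboxes["10.0.0.99"], "SYN-ACK went to the victim, not the attacker"
    # 3. Blind ACK: the attacker must guess the ISN it never received.
    guessed_isn = probe_isn + Server.ISN_STEP
    net.send(Packet("10.0.0.99", server.addr, "ACK", seq=8, ack=guessed_isn + 1))
    net.deliver(server.addr, server.handle)
    return "10.0.0.99" in server.established


if __name__ == "__main__":
    print("predictable ISN, blind spoof succeeds:", blind_spoof(True))
    print("random ISN, blind spoof succeeds:", blind_spoof(False))
```

The model only covers the blind case. The second half of the post, poisoning a victim so that their traffic is routed through the attacker, is a different situation: an on-path attacker does see the server's replies, which is exactly why that attacker also sees whatever credentials the client sends.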
90 Human Rogue
13760
Posts: 71
I think some other things that should be covered are the Flash exploit and others that have existed. I've had computers attacked by malicious viruses while browsing MMO-Champion and Memebase.com. Sites that have millions of views per day and are rarely thought of as being threatening. It comes from the advertisements that sometimes load. Usually they are blocked, but if it's a zero-hour exploit, they can infect your computer, sometimes without you even knowing it, and, in some scenarios, can read your keypresses (such as the Adobe Flash exploit mentioned) without infecting your computer with anything.

Something people forget is that Blizzard suggests using a different e-mail/password for Battle.net than anywhere else. This is for many good reasons, one of which is above. The other is how Blizzard requires a password to be reset.

I've logged into a reliable site before and had my e-mail hijacked (It only took a password change to stop it.) If they have your e-mail, they can easily change your password for battle.net. And, if you go to change it back, all they do is read the e-mail that says "if this wasn't you, please click here." and it cancels any password change.

Point being, it doesn't have to be a keylogger, a friend, whatever. You don't have to buy gold or click on an e-mail. This can happen to anyone and the best preventative measure is getting an authenticator and following all of the steps blizzard provides.

Edit: I read an article from Forbes about the guy getting his account hijacked. It was full of misinformation. The one part that got me was when he said he is "not some 12-year-old kid." Clearly, he avoided protecting his account to the fullest, as stated in the article, and because he is not some immature person, he feels it shouldn't happen to him and it must be someone else at fault. His article was really mature...

Again, things happen. Anything can happen to anyone. "I'm a safe driver and will never get into a wreck, so I don't have to wear a seatbelt." until you get rear-ended at a stop light by someone who wasn't paying attention and your head goes through the windshield. I believe that is a great analogy. It must be your car's (Blizzard's) fault, right?
Edited by VladTship#1441 on 6/5/2012 12:35 PM PDT
I think by 'mindful' you mean cocky. The people who think everyone who gets hacked is an idiot. But really, it's not just sex leg and baggle.net. It's infected ads on legit sites and popular fan sites. It was months or years ago, when you last changed your password. I know plenty of people who got hacked in WoW after months of making fun of people who got keylogged, thinking they were above it.

Just takes one slip up and it's not as obvious as we like to joke about. You don't know you did something wrong, otherwise you would clean up your computer and change your password.

And really? You think your computer security is better than a huge company who pays people to make sure their security is baller? Probably not.


I have never been hacked. Including in this game. Like it or not, some people are able to manage their own security. Having a huge company does not make your systems more secure, in fact, it opens them up to more potential for compromise.


Ok? And the point I was trying to make is that your computer and account security is your own responsibility and that thus far all compromises have been user-end.
Posts: 51
It sounds more like they're trying to make sure people are aware that they really do care if they were being hacked, but they're not at this moment. But if they are and you find out, hit them up bro.

Everything is a conspiracy to some people.


Yup, when Rift was hacked and a user discovered the exploit, he was on the phone with developers at Trion within minutes after announcing it on the forums. He even requested they contact him because he put in big bold letters that he discovered how it was done and was able to replicate it. I have yet to see anyone make that claim in this case, and of the 7 million+ copies of this game sold there are a fair number of tech-savvy folks who I'm sure have tried seeing if it could be a server-side exploit and have come up with squat.
Edited by Ravenloft#1590 on 6/5/2012 12:32 PM PDT
100 Night Elf Hunter
11885
Posts: 9,197

Yes obviously it is them asking for help. They have yet to be able to reproduce what people are 'reporting' so they are asking for help to see if someone else can reproduce it in order for them to fix this supposed hole. This is the basis for any anti-virus company, and the best way to fix a security hole is to know how it has been exploited.

I fail to see your point.


You've got a very vocal 20% of the forum being diehard Blizzard supporters who are flaming everyone who posts an "I got hacked" thread, saying "its ur fault lololo" and blaming it on keyloggers/trojans/malware/phishing/etc. and saying there's zero chance Blizzard has been compromised.
And then you've got Blizzard acknowledging there might be a hack going on they don't know about and it's in the realm of possibility, and to forward them any help if you have it.

The wavelengths don't mesh well


Okay, now you're making stuff up.
06/05/2012 12:19 PM Posted by kweagle


Consider their customer base size and the relatively few instances of account compromises.


Consider the game has only been out a few weeks, and the hacking is only getting worse.

Besides, that has nothing to do with the fact that like it or not, there are people out there who are smart enough to keep their information secure. The authenticator is a band aid for a problem Blizzard does not know how to fix.


Consider that during the first few weeks, the accounts were not worth hacking. You don't hack an account on day one. With everyone being level 1 and having 0 gold, that would be a waste of the account information you have. No, you let them build up the accounts for a few weeks first.
Posts: 1,305


Unfortunately we do not accurately know the statistics. Based on the number of copies sold relative to the number of legitimate complaints, the numbers could be completely stable.

You are basing your information on people posting here on the forums, a lot of whom seem to be retaliating against Blizzard because they feel the game is a disservice to their expectations.

You do not know the hard numbers, so you cannot make the claims that you are. All we can do is look at the communication Blizzard is feeding us, look at what they would have to lose by trying to hide something like this, and compare that against the randoms who are posting and the fact that they have nothing to lose by making false claims.

The spoofing theory has been disproven by Blizzard already. This is about account compromises, which can get you to such information.


I believe you are the one that said "Consider their customer base size and the relatively few instances of account compromises." Sounds like you know some hard numbers yourself, doesn't it? Or is that just a fabrication to make your argument sound stronger?

Don't talk to other people about providing false statistics, which I didn't, when you are attempting to do the same thing.


When they have sold over 7 million copies of the game and based on what we see on the boards, you can make logical conclusions.

We do not know the most up to date numbers on the copies sold and how that compares to new complaints so we cannot say if it is getting worse.

If they told us that since the 7 million mark they had only sold 1 more copy, yet there are relatively more complaints, we could make another judgement call.

This isn't rocket science.

The spoofing theory has been disproven by Blizzard already.


As I stated, just because Blizzard says so doesn't mean it is 100% true. Companies lie all the time to protect their interests, even if it's a PR nightmare or illegal.

Apple breaks the law all the time, they get caught lying all the time, they don't care because they are teflon, and the fines are nothing to what they have sitting in the bank.

Price fixing is illegal, but is there anyone here that doesn't think the oil companies collude with respect to the price? It is illegal, but do they lie? yes.


And once again you need to understand how much worse it would be if they were found out. We already covered that.

Also, you need to do some more research on the Apple deal and as for OPEC, that isn't something the US has much power in regulating.

You seriously need to do some research if you are going to try and make such comparisons.
Edited by MutantMonkey#1724 on 6/5/2012 12:35 PM PDT
85 Draenei Shaman
2455
Posts: 603
I am sorry, but how pathetic does your computer knowledge have to be that you get hacked in the first place?

If you aren't intelligent enough to know how to protect your computer from viruses and malware then you should probably not even own one.


That's a ludicrous statement. I can guarantee you are not even as secure as you seem to think you are. You can get hacked through Adobe Flash, Adobe Reader, Firefox, and a multitude of other ways - and most of them aren't even known to your better-than-average computer user. I agree everyone should have an authenticator, but your attitude is pathetic - I've seen it too much on these boards.
I don't have an authenticator, and I play public games all the time. I haven't changed my password in 6 months. I look forward to being hacked.

Seriously though, there are way too many people who think that the dial-in authenticators work with Diablo. Blizzard, if you won't make a post about it in the breaking news in-game, at least give the topic its own sticky, all with big bolded letters. I know it sucks to deal with a fanbase with an average IQ of 0, but you can still do a better job of making things more stupid-proof.
100 Human Paladin
15970
Posts: 3,388

That's a ludicrous statement. I can guarantee you are not even as secure as you seem to think you are. You can get hacked through Adobe Flash, Adobe Reader, Firefox, and a multitude of other ways - and most of them aren't even known to your better-than-average computer user. I agree everyone should have an authenticator, but your attitude is pathetic - I've seen it too much on these boards.


One of the worst WoW "hacks" was an exploit in Flash.
Someone can really put this subject to rest by checking whether their connection to the Blizzard server(s) ever changes while they are playing the game.
The only point of vulnerability for session hijacking is during a change of connection to a different server (after the game started). If the game remains connected to the same server for a complete act or through all of the acts, then it is impossible to hijack the session. Even if it does change servers during certain actions or points in the game, the hackers would have to know ahead of time in order to take advantage of it, and if Blizzard took extra precautions in coding that part of the game, it would be near impossible to hijack the session. Also, if session hijacking did exist, then a session hijack would appear consistently at certain actions/points in the game, which the victims of the hacking would have noticed from all the similar reports/posts.
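To make concrete what "extra precautions in coding that part of the game" could look like at a server hand-off, here is an added example in Python. It is not Blizzard's code and the design is hypothetical: the server a client is leaving issues a short-lived, single-use hand-off ticket, signed with a key shared among the game servers, naming the account and the one server it is valid for; over the existing authenticated connection it also gives the client a per-ticket key. The target server then checks the signature, the named server, the expiry and replay, and challenges the client to prove it holds the per-ticket key, so an attacker who observed the ticket on the new connection cannot use it. Account names, server names, the key sharing and the 10-second lifetime are all constructed assumptions for the example.

```python
import hashlib
import hmac
import json
import secrets


def _mac(key, *parts):
    """HMAC-SHA256 over the '|'-joined parts, returned as raw bytes."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class HandoffIssuer:
    """Runs on the server the client is leaving. Assumes (hypothetically)
    that `key` is shared with every server it can hand a client to."""

    def __init__(self, key, ttl_seconds=10):
        self.key, self.ttl = key, ttl_seconds

    def issue(self, account, target, now):
        nonce = secrets.token_hex(16)
        body = {"acct": account, "srv": target, "nonce": nonce, "exp": now + self.ttl}
        raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        ticket = raw + b"." + _mac(self.key, b"ticket", raw).hex().encode()
        # Per-ticket client key: handed to the client over the already
        # authenticated connection, never sent alongside the ticket.
        client_key = _mac(self.key, b"client-key", nonce.encode())
        return ticket, client_key


class HandoffTarget:
    """Runs on the server the client is joining."""

    def __init__(self, name, key):
        self.name, self.key = name, key
        self.used_nonces = set()

    def challenge(self):
        return secrets.token_bytes(16)

    def accept(self, ticket, challenge, response, now):
        raw, _, tag = ticket.rpartition(b".")
        expected = _mac(self.key, b"ticket", raw).hex().encode()
        if not hmac.compare_digest(expected, tag):
            return "reject: bad signature"
        body = json.loads(raw)
        if body["srv"] != self.name:
            return "reject: ticket is for another server"
        if now > body["exp"]:
            return "reject: expired"
        if body["nonce"] in self.used_nonces:
            return "reject: replay"
        client_key = _mac(self.key, b"client-key", body["nonce"].encode())
        if not hmac.compare_digest(_mac(client_key, b"proof", challenge), response):
            return "reject: bad client proof"
        self.used_nonces.add(body["nonce"])  # burn only after full verification
        return "accept: " + body["acct"]


def client_prove(client_key, challenge):
    """What the real client answers to the target server's challenge."""
    return _mac(client_key, b"proof", challenge)


def run_handoff_scenarios():
    """Legitimate hand-off plus the attacks the design is meant to stop."""
    key = secrets.token_bytes(32)
    issuer = HandoffIssuer(key)
    west, east = HandoffTarget("game-west-1", key), HandoffTarget("game-east-1", key)
    now, results = 1_000_000, {}

    ticket, ck = issuer.issue("alice", "game-west-1", now)
    ch = west.challenge()
    results["legit"] = west.accept(ticket, ch, client_prove(ck, ch), now + 1)
    # Eavesdropper replays the captured ticket and proof against a new challenge.
    results["replay"] = west.accept(ticket, west.challenge(), client_prove(ck, ch), now + 2)

    # Ticket intercepted before use; attacker lacks the client key.
    ticket2, ck2 = issuer.issue("bob", "game-west-1", now)
    results["no_client_key"] = west.accept(ticket2, west.challenge(), secrets.token_bytes(32), now + 1)
    ch4 = west.challenge()  # the real client still gets in: nonce was not burned
    results["legit_after_attempt"] = west.accept(ticket2, ch4, client_prove(ck2, ch4), now + 2)

    ticket3, ck3 = issuer.issue("carol", "game-west-1", now)
    ch5 = east.challenge()
    results["wrong_server"] = east.accept(ticket3, ch5, client_prove(ck3, ch5), now + 1)

    ticket4, ck4 = issuer.issue("dave", "game-west-1", now)
    ch6 = west.challenge()
    results["expired"] = west.accept(ticket4, ch6, client_prove(ck4, ch6), now + 60)

    forged, fk = HandoffIssuer(secrets.token_bytes(32)).issue("alice", "game-west-1", now)
    ch7 = west.challenge()
    results["forged"] = west.accept(forged, ch7, client_prove(fk, ch7), now + 1)
    return results


if __name__ == "__main__":
    for name, outcome in run_handoff_scenarios().items():
        print(f"{name:>20}: {outcome}")
```

Two design choices worth noting: the nonce is marked used only after every check passes, so an attacker who races the real client with a stolen ticket but no client key cannot lock the legitimate player out, and the challenge-response means capturing one hand-off on the wire yields nothing reusable. None of this says Blizzard does or does not do any of it; it only shows that a hand-off need not be the open door the post worries about.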
LOL. Three out of six of my closest friends got their accounts hacked, including myself. I didn't even realize I got hacked until after I got my refund and now I'm even more happy I got my refund. There is a serious issue with hackers and Blizzard can't fix it yet so they are blaming the playerbase for their !@#$ty security for people without authenticators.

Just get a refund if you are mad at how %^-*ty this game is. You have until 6-14-12 to get a refund. Call customer support until the automated message doesn't hang up on you, wait on hold for an hour or two, eventually speak to someone in the billing department and ask for a refund. It's that easy. They don't even ask you why you want a refund, they already know people are upset with this game. This is my very last post on these !@#$-infested forums for this garbage game. Get your money back and show Blizzard what they are doing is unacceptable. Don't encourage them by buying a $6.50 authenticator if you don't have a smartphone that is compatible ($24 dollars in Canada and even more in other countries).

This refund guide is for people who bought a digital copy from blizzard.

Enjoy your terrible game, haters.
Edited by Matten#1256 on 6/5/2012 12:35 PM PDT
100 Human Paladin
15970
Posts: 3,388
06/05/2012 12:33 PM Posted by GiveMeWater
Blizzard, if you won't make a post about it in the breaking news in-game, at least give the topic its own sticky, all with big bolded letters.


It is in the FAQs. Blizzard can't make people read.
100 Blood Elf Paladin
13270
Posts: 14,043
BUT, when I am in a party with other players and I log off, a message pops up on my screen saying that I will not (paraphrasing to the best of my recollection) be logged out of the game or cease to be part of the party or something. Sorry, I have a horrid memory for things that I only see a couple of times.


It says that you WILL be logged out of the game and removed from the party.
Posts: 51
06/05/2012 12:33 PM Posted by GiveMeWater
Seriously though, there are way too many people who think that the dial-in authenticators work with Diablo. Blizzard, if you won't make a post about it in the breaking news in-game, at least give the topic its own sticky, all with big bolded letters. I know it sucks to deal with a fanbase with an average IQ of 0, but you can still do a better job of making things more stupid-proof.


This part I do agree with. I suspect there's someone in their marketing team, though, that keeps pushing back against this, as they don't want "hacking" or "account compromise" to be anywhere near the first thing a Diablo 3 player sees. Unfortunately this isn't tin-foil-hat theory, it's simply all too common when practical concerns meet marketing / brand image.


Yeah, and it's a good thing you're not a hacker. If Blizzard knows I'm hacking them, I'm not much of a hacker then, am I?

That made even less sense than your first post. No matter how good you think you are, you always leave traces. Besides, most of what people consider hacking today is nothing but script-kiddie toolkits, running against known exploits.

I've had a 'nix honeypot running on our network for nearly a year, with an IIS header. Guess what it gets hammered with? IIS exploits from automated tools. Yeah... hacking...


And no matter how good you think you are, you don't always find those traces. Looks like Blizzard is having issues as well, hence their feeling the need to vocalize this.
Edited by Applesoup#1860 on 6/5/2012 12:37 PM PDT
06/05/2012 12:19 PM Posted by DeadlyJoe
I am sorry, but how pathetic does your computer knowledge have to be that you get hacked in the first place?


I have a master's degree in computer science, but you think that keeps me safe? Hell no. I use the mobile authenticator.


Out of curiosity what is/was your thesis on? Mine is going to be on malware packing/unpacking techniques and general anti-code obfuscation algorithms. I'm still an undergrad though, one more year of my 4-year major degree in CompSci.
This topic has reached its post limit. You may no longer post or reply to posts for this topic.