Diablo® III

Session Spoofing

06/05/2012 12:30 PM Posted by Vladimeir
I think some other things that should be covered are the flash exploit and others that have existed. I've had computers attacked by malicious viruses while browsing MMO-Champion and Memebase.com.
Don't forget about javascript. A bunch of companies rolled out updates today for a flash-based TSR logger, and another for a series of JS injectors that would 'phone home' and delete themselves after their deed was done.
I don't have an authenticator, and I play public games all the time. I haven't changed my password in 6 months. I look forward to being hacked.

Seriously though, there are way too many people who think that the dial-in authenticators work with Diablo. Blizzard, if you won't make a post about it in the breaking news in-game, at least give the topic its own sticky, all with big bolded letters. I know it sucks to deal with a fanbase with an average IQ of 0, but you can still do a better job of making things more stupid-proof.


This. I've been posting about this for weeks. The issue is now AWARENESS. Blizzard, help your customer base. Yes, it's probably the client's fault that s/he got "hacked," but why not add a link to the authenticator on the login launcher so that the other 98% of D3 players know about it?
TLDR: "we don't think we've been hacked."

Reality: They've been hacked and can't figure out how to stop it.


If this were the case everyone with an authenticator would've been hacked as well as those without.

Of my group of friends, one was hacked and he did not have an authenticator. Myself, my family, and many friends have not been hacked, and all of us have authenticators. I've even posted my password on these forums and still have not been hacked. Why? Because I use an authenticator.

Many of us, myself included, play in public games often.
When they have sold over 7 million copies of the game and based on what we see on the boards, you can make logical conclusions.

We do not know the most up to date numbers on the copies sold and how that compares to new complaints so we cannot say if it is getting worse.

If they told us that since the 7 million mark they had only sold 1 more copy, yet there are relatively more complaints, we could make another judgement call.

This isn't rocket science.


Based on what we see on the boards, huh? Well, what I see is about 3 in every 10 threads talking about being hacked. So am I to assume you think 30% of people playing the game have been hacked?

Or are you going to use the excuse, "well, there have only been a few hundred threads about hacks on the forums, so that must mean only a few hundred have been hacked"? By using that statement you assume that every person who has been hacked is posting on the forums. My guess would be most people who have been hacked have no idea what happened, and didn't even report it. Just chalked it up to a glitch.
Wow the suggestions here.

"Maybe you should flash an authenticator image next to characters"

"Maybe you should have it say 'GET AUTHENTICATOR' at login"

Really guys?

I mean REALLY!?

I know this will sound cliche but damn, BACK IN MY DAY WE TOOK RESPONSIBILITY FOR OUR OWN DOWNFALLS.

If I got hacked, it was because my comp wasn't secure or my password was laughably easy to figure out.

Password still is, thank you authenticator.
It's so sad that Blizzard pretty much has to write things out as simply as possible and then explain the simple statement because people can't comprehend anything these days.

I know plenty of people without authenticators that have not gotten hacked. So maybe you should get rid of the keyloggers on your computer. It's sad that people blame getting hacked on Blizzard and then they get hacked again because they didn't remove the thing that was hacking them in the first place.
Unless you, personally, can session-spoof, how do you know it can be done? If it can be done, then do it. Until any of you actually does it, I believe one of the richest companies in the world is capable of hiring programmers knowledgeable enough to know what can and cannot be done.

Couple things. A programmer is not a hacker. The base mindset and resources available are completely different. The way you look at code is different.

Secondly, unless you, personally, can perform a MITM attack, how do you know it can be done? Forget all the online articles about how to do it, all the people who've been victims, etc. Until you, personally, can do it, shut it. That's basically what you just said.

About rich companies, Sony Online Entertainment was deeply compromised for a WHILE yet at first denied being hacked. The more you have to gain means you have a crap ton to lose. So, lie lie lie until you *can't* lie anymore is generally how corporate PR works. It's better to ask forgiveness than permission, no?


I'm pretty sure Blizzard is not one of the richest companies in the world lol (they aren't). Maybe one of the richest companies that produces video games... but I'm not so sure that our world's best and brightest are going into video game design.
Edited by Applesoup#1860 on 6/5/2012 12:44 PM PDT
When they have sold over 7 million copies of the game and based on what we see on the boards, you can make logical conclusions.

We do not know the most up to date numbers on the copies sold and how that compares to new complaints so we cannot say if it is getting worse.

If they told us that since the 7 million mark they had only sold 1 more copy, yet there are relatively more complaints, we could make another judgement call.

This isn't rocket science.


Based on what we see on the boards, huh? Well, what I see is about 3 in every 10 threads talking about being hacked. So am I to assume you think 30% of people playing the game have been hacked?


Are you really that dense?

Let me break this down for you in a very simple way.

Let's say there are 100 complaints on the boards. Let's assume that 100 makes up 1% of the total complaints. That equates to 10,000 complaints.

10,000 out of 7 million is less than 1%. More specifically, it is 0.14%.

I'm sure you will not like the numbers I used because it highlights just how few cases are going on, so provide me with what you feel are realistic numbers and we will do the math.
Edited by MutantMonkey#1724 on 6/5/2012 12:50 PM PDT


Based on what we see on the boards, huh? Well, what I see is about 3 in every 10 threads talking about being hacked. So am I to assume you think 30% of people playing the game have been hacked?


Are you really that dense?

Let me break this down for you in a very simple way.

Let's say there are 100 complaints on the boards, both legitimate and illegitimate. Let's assume that 100 makes up 1% of the total complaints. That equates to 10,000 complaints.

10,000 out of 7 million is less than 1%.

I'm sure you will not like the numbers I used because it highlights just how few cases are going on, so provide me with what you feel are realistic numbers and we will do the math.


You consider the number 10,000 to be small? Umm. Ok.
What a useless article. It's sad what gets passed off for journalism these days.

So you opened up Wireshark and saw some packets? No way! How unexpected?!

Provide a proof of concept of "session spoofing" or you are talking out of your !@#. Plain and simple.




Look at the total % affected. It is extremely small.