Diablo® III

Session Spoofing

100 Gnome Warrior
17215
Posts: 6,096
The amount of fanboi fapping in this thread is disturbing.

I've used the same password for over a decade, and am anxiously awaiting to be hacked. I don't even care if they wipe out my account, I hope someone tries (and succeeds) in destroying my game.

Why? Because I DO have an authenticator, and I do NOT believe it is the only way to keep someone out of your account. But, until it happens, we have to continue to listen to Belittle Bobby and his cohort of friends, constantly bash upset players about how dumb they supposedly are, when they really have no clue at all about what the customer is or isn't doing, and is constantly repeating the same thing as everyone else.

"LOL, the world isn't round Galileo. You're dumb for thinking it is. Nooooob."

Same crowd, different era.
Posts: 277
Lylirra, for the love of god, please suggest this as an authentication method:

Rift's Coin-Lock system for D3

Basically, Blizz records system stats/IP address location of the player. If a different computer or wildly different IP address connects to battle.net using the account credentials, the account becomes "locked" and can only be unlocked via a code sent to the person's email.

This way, if a Mac user from New York gets compromised by some Dell computer user in China, the account will lock and can only be unlocked via a code sent to the person's email.


This is actually the best suggestion, by far, that I've read on these forums.

+1 to intelligence.


Anyone who has used STEAM knows exactly what this is like. Please Blizzard have a look at how Valve's STEAM does it and do the same thing. At the very LEAST it would slow them down.
100 Tauren Druid
15345
Posts: 760
So a blue comes in here and clearly says it's not happening, but people still refuse to believe they somehow are incompetent at computer security.

These would probably be the same people that think we never landed on the moon, or that the President was never born in the country.
Posts: 7,113
As for people who feel safe with an authenticator, take note that Examiner Mark Casino was hacked even though he was using one, so exercise extreme caution when playing Diablo III

Let's get another thing perfectly clear: Everything Blizzard says will be about protecting the resources of the company.

But they would never say anything about this, any company would deny deny deny.

Sounds logical to me: if you're caught with your hand in the cookie jar... deny.
Not saying one way or another if this is true or not, but I'm not stupid either, and I will not blindly follow anyone.


You need critical thinking skills to apply logic, you appear to be lacking in both areas.
In fact, I'm not assuming that. I mentioned neither positive nor negative feedback. Only that, at best, the sampling is subject to referral bias because it only samples the percentage of the player base that posts to the forums.

8)

love,
shmoo


So you are suggesting that people who post on forums have different reactions to games than those who do not?


I'm not suggesting anything other than what I've said.

You're welcome to continue to try and infer deeper meanings if you like, but it wouldn't be representative of my motives. 8)

love,
shmoo
Posts: 1,813


Yeah, I work for a mid-size company that manufactures storage equipment (~1.5 Billion in revenue) and our production systems don't have "instant" backups.


I suppose at my job we may have more mission critical systems than some places, but I would argue it is closer to Diablo's servers than typical business servers. We back up twice daily to offsite locations, but in our HPC, server farm and data center where I work we certainly have instant triple redundancy.


I would be willing to bet they aren't spending that kind of coin on their data. Gamers think this stuff is important, but in the grand scheme of things I doubt it is as mission critical as the data you are talking about. IT does not generate revenue and a system like the one you are talking about robust enough to handle the (likely) petabytes of data would be very expensive.

Where I am we have ~2.5 PB of storage (in our data center, not counting our OEM labs and other locations) of which I would consider ~10 TB to be "mission critical" (EBS, B2B, customer transaction data, etc.) and we don't have "instant" restores. 1 weekly full and nightly incrementals.
Posts: 277
06/05/2012 02:00 PM Posted by banecrushr
As for people who feel safe with an authenticator, take note that Examiner Mark Casino was hacked even though he was using one,


Has Mr. Casino contacted Blizzard about this? Can he post the e-mail here as proof as to when he was set up with his Authenticator? Until someone claims they were hacked, posts the e-mail, posts a response from Blizzard about it, it didn't happen, period!
Edited by FreeJACLive#1310 on 6/5/2012 2:11 PM PDT

Dude, what?

Just stop posting.


........

Aww so debunking your session jacking theory hurt u much?

No, but what you're saying makes no sense. Items are not stored on the client, but on Blizzard's servers. Your whole scenario makes no sense whatsoever.
It's funny how people still doubt that it's a weakness on Blizzard's end.

1) The sheer number of people reporting that they've been hacked is staggering, much more so than what would be considered normal. Just compare it to the number of reports of accounts being hacked from World of Warcraft, a game with 10 million+ players. If that game has more players yet somehow far fewer reports, you know something is up.

2) How come the people that got their account hacked never had any of their non-D3 accounts hacked as well? No one has reported getting their paypal, email, bank accounts, forums, or other game accounts hacked - and I know many people tend to use the same password or set of passwords, so why isn't this the case?

3) There have been multiple reports of people being hacked while using their authenticators. Some of these are by credible journalists. This alone should be sufficient evidence.

4) Almost all of the individuals who've been hacked reported the same set of usernames that they don't recognize on their friends list. This means it's the same group of people that are hacking these accounts. Now what's more likely, that a group of individuals found an exploit and are hacking thousands of accounts without digression? Or that these individuals somehow managed to install a keylogger on thousands of computers, yet choose to only steal their D3 items and not their paypal/bank/email accounts?


Incorrect. What's funny is that people still spout these same bull points when trying to insist the issue is somewhere other than on the end user system. But I'll bite:

1. The "sheer number" you talk about is nothing new, considering the huge rush of compromises whenever a new WoW expansion hits. Actually, I would expect it to be worse, if only for the fact that there are lots of people who've never dealt with this type of system before, so have even less knowledge about security.

2. Chances are good that many players did get their email accounts compromised as well. That will likely result in another wave of attacks down the road on accounts that didn't fully secure themselves. As to D3 accounts only being impacted, we don't know that for sure yet. But, the most likely scenario as to why this would take place is because those behind it are GOLD SELLERS. Since it's gold they want, and have to work against the clock, that's what they focus on.

3. These "reports" have already been debunked. Not to mention "credible journalists" is an oxymoron.

4. I've worked in cyber-security for the past few years, mainly dealing with account compromises through certain social networks. Every single incident we dealt with was caused by the same things: Phishing emails (roughly 90-95%) and keyloggers. Interestingly enough, all of the compromises were coming from the same locations in third world countries, which told us it was the same couple groups behind all of them.

So while I feel it is certainly possible that there is a breach somewhere inside Blizz security, I know for a fact that there are huge numbers of people out there dumb enough to install keyloggers and get phished.

I like how you linked an article that shows it's only relevant to websites. HTTP and cookies, eh?

People haven't even been able to prove that Diablo 3 uses sessions, never mind if it can be hijacked or not. What people have found is that Diablo 3 uses persistent TCP connections, which doesn't use sessions.
I don't think you're using that term correctly... Persistent connection means it leaves the connection open to receive/send multiple requests/responses, rather than send a new connection request for every single request. A session can be an example of a persistent connection.


Look at the client implementation for RFC 959. There is a communication connection that handles requests and maintains authentication, and subsequent connections created after sending a request and connection type to the server. I just finished a custom implementation of this RFC in a few different languages.

In all likelihood, battlenet in game operates in a similar fashion, making proposed session attacks useless. You can still refer to this as a session, however there is no session id with which to steal here. You would have to hijack the authentication socket, which would mean that you are basically 100% in control of a user's PC anyway.

Battlenet on the web uses sessions, which are destroyed whenever a new ip address is found.

So most users saying that in game battlenet doesn't even use sessions are probably correct. I have been combating the session hijacking theory since it would still be possible to gain access to the website with it. Still, getting website access does absolutely nothing for you.
Edited by bejayel#1923 on 6/5/2012 2:12 PM PDT
Posts: 82
So a blue comes in here and clearly says it's not happening, but people still refuse to believe they somehow are incompetent at computer security.

These would probably be the same people that think we never landed on the moon, or that the President was never born in the country.


No, we've just seen plenty of instances of companies/products that are probably much more security oriented than Bliz/D3 experience exploits. It's rare, but it happens, and is not some fairy-land distant possibility.
100 Gnome Warrior
17215
Posts: 6,096
So a blue comes in here and clearly says it's not happening, but people still refuse to believe they somehow are incompetent at computer security.

These would probably be the same people that think we never landed on the moon, or that the President was never born in the country.

And you're the same group of people who laughed at Galileo, and told him the Earth was really flat, because someone else said so, not because of any proof you have of your own.

It's easy to get on the bandwagon. It's hard to get off it and say, "Wait a minute, something is wrong here."
Posts: 753
06/05/2012 12:08 PM Posted by MutantMonkey
Do not allow your ignorance based fears to cause you to make silly statements. Research the world around you and make logical conclusions.


This statement is basically blasphemy and heresy on these forums.

However it is the best advice I have seen in weeks.
100 Gnome Warrior
17215
Posts: 6,096
06/05/2012 02:09 PM Posted by Tycho
This statement is basically blasphemy and heresy on these forums.

Ain't that the truth. I'm not even going to waste any more time trying to debate with these sheep.

No, but what you're saying makes no sense. Items are not stored on the client, but on Blizzard's servers. Your whole scenario makes no sense whatsoever.


No, but the IDs are resident in memory. And it's not like you can't override the... nm, u know what, keep believing that session jacking is happening lol....

Which IDs are you talking about? I'm not quite following you. Did I ever say I believe session hijacking in D3 was real?
Posts: 390
So a blue comes in here and clearly says it's not happening, but people still refuse to believe they somehow are incompetent at computer security.

These would probably be the same people that think we never landed on the moon, or that the President was never born in the country.

And you're the same group of people who laughed at Galileo, and told him the Earth was really flat, because someone else said so, not because of any proof you have of your own.

It's easy to get on the bandwagon. It's hard to get off it and say, "Wait a minute, something is wrong here."


Galileo had proof.

There has been zero proof of any session hijacking, or any ingame exploits that causes people to lose their account.
100 Tauren Druid
15345
Posts: 760
So a blue comes in here and clearly says it's not happening, but people still refuse to believe they somehow are incompetent at computer security.

These would probably be the same people that think we never landed on the moon, or that the President was never born in the country.

And you're the same group of people who laughed at Galileo, and told him the Earth was really flat, because someone else said so, not because of any proof you have of your own.

It's easy to get on the bandwagon. It's hard to get off it and say, "Wait a minute, something is wrong here."


In this case it's the people blaming Blizzard who would be the ones saying the earth is flat, and the rest of us are trying not to die from laughing at you idiots.
90 Undead Warrior
15325
Posts: 2,973
So a blue comes in here and clearly says it's not happening, but people still refuse to believe they somehow are incompetent at computer security.

These would probably be the same people that think we never landed on the moon, or that the President was never born in the country.

And you're the same group of people who laughed at Galileo, and told him the Earth was really flat, because someone else said so, not because of any proof you have of your own.

It's easy to get on the bandwagon. It's hard to get off it and say, "Wait a minute, something is wrong here."


I'm not sure about you, but I wasn't alive when Galileo was alive, so I couldn't tell him that he was wrong. The difference between Galileo and you though is that he had proof that the earth wasn't flat. You don't have proof that this is one giant conspiracy.
Edited by Freese#1183 on 6/5/2012 2:14 PM PDT
This topic has reached its post limit. You may no longer post or reply to posts for this topic.