Diablo® III

Session Spoofing

The amount of fanboi fapping in this thread is disturbing.

I've used the same password for over a decade, and am anxiously waiting to be hacked. I don't even care if they wipe out my account, I hope someone tries (and succeeds) in destroying my game.

Why? Because I DO have an authenticator, and I do NOT believe it is the only way to keep someone out of your account. But, until it happens, we have to continue to listen to Belittle Bobby and his cohort of friends, constantly bash upset players about how dumb they supposedly are, when they really have no clue at all about what the customer is or isn't doing, and is constantly repeating the same thing as everyone else.

"LOL, the world isn't round Galileo. You're dumb for thinking it is. Nooooob."

Same crowd, different era.


"you should believe these guys making baseless statements instead of those guys making baseless statements."

true brilliance.

until someone can provide a PoC for session spoofing or any other attack vector that isn't the user's responsibility it is irrational to claim that the game is vulnerable to such attacks. extraordinary claims require extraordinary evidence, and all that. someone hears a security related phrase and repeats it ad nauseam, as if that gives it any credence. maybe one day people will learn to think for themselves.
85 Worgen Rogue
4015
Here is the link, it contains everything you need to know, read before it is taken down.

http://www.cinemablend.com/games/Diablo-3-Session-Spoofing-Real-Do-Join-Public-Games-43162.html


In the end, the post will be taken down because of the fact it's against forum rules to create a thread just to link to another site.

..however the OP will cry and try to say otherwise.
Thank you for the update. Continued reassurance is appreciated as there are still many people who are afraid to join public games because of potential security threats.

06/05/2012 11:18 AM Posted by Lylirra
This may be a bit TL;DR, but I want to try to address as much here as possible...


06/05/2012 11:18 AM Posted by Lylirra
TL;DR


It's disheartening to see this "code" in any (even semi-)official communications from a business I patronize.

Please be aware that many of us will always appreciate the 100% full, unabridged version of events, and never complain that it is "too long to read". (And shake our heads in wonder at that very notion.)

It is a dangerous road to go down, this "catering to people who want less information"...

To issue a summarized version of events, over a broad-casting medium suitable for the masses who claim to care, but don't really want to take the time to engage with a subject, might I suggest Twitter, as it seems purpose-built for such vulgar trivialities?
06/05/2012 02:00 PM Posted by banecrushr
As for people who feel safe with an authenticator, take note that Examiner Mark Casino was hacked even though he was using one, so exercise extreme caution when playing Diablo III
He has never clarified that he was using a functional authenticator.

The fact that he never specifies it is a big hint that he doesn't even know there's a difference.

I'm frankly amazed that people can use the "dial-in authenticator" and think it's working when Diablo 3 never asks you to dial in.
06/05/2012 12:05 PM Posted by Lylirra
The underlined part was never a part of the last few answers like this, in which I've seen this post 3 times now I think?


We've been clarifying information regarding the Dial-in Authenticator for some time now. Just for reference, here are a few recent posts:

http://us.battle.net/d3/en/forum/topic/5149540487#3

http://us.battle.net/d3/en/forum/topic/5270830422#2

http://us.battle.net/d3/en/forum/topic/5271780665?page=3#50

(This information is also in the Dial-in Authenticator FAQ.)


Ok, Point taken. Next question is...
If Blizzard has known about an issue with the Dial-in Authenticator, what POA's have been put in place to combat the issue? If nothing, then why hasn't the Dial-in Authenticator been removed until a fix can be made for it? Is the Dial-in something that costs people money to use?

I haven't been hacked, nor ever claimed to be. Companies usually only use issue avoidance tactics while trying to issue a solution internally, yet people are still claiming to have been hacked.

IF the authenticators are the best way to avoid an issue, then have the people who have been affected been offered one at a reduced price/free one time issue?
It's disheartening to see this "code" in any (even semi-)official communications from a business I patronize.


Get over yourself.
I love the wording here. Gives the blizbots "proof" of how effective the authenticator is, but actually says nothing


What proof do you want?
the solution is very simple but Blizzard is just trying to get as much money as they can get from their customers. IF a person would be hacked/spoofed, Blizzard could and should investigate the log files and they would know in an instant where the money would have gone to and therefore could investigate the owner of those accounts where the items/gold were transferred to and confirm their history. Since the connection from your PC to battlenet and from there a public is created, there is NO WAY IN INFERNO. People can hack you!
BAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA!!!!!!! Blizzard just said you can't fix stupid!! roflmao
90 Undead Warrior
15325
06/05/2012 02:16 PM Posted by Fayul
We've stated this several times, but in all of the individual Diablo III-related compromise cases we've investigated thus far, none have occurred after a physical Battle.net Authenticator or Battle.net Mobile Authenticator app was attached to the player's account.


I love the wording here. Gives the blizbots "proof" of how effective the authenticator is, but actually says nothing


How does that tell you nothing? He explicitly states that no one with an authenticator (mobile or physical) has been hacked. How can anyone possibly spin this any other way?
06/05/2012 01:16 PM Posted by Khagan

Got proof? Of course not. And authenticators are indeed part of the session. You can't create a session without passing an authenticator check.

Otherwise, how would you be able to ah...login?


LOL. Keep digging that hole. Once you authenticate the session is created. You don't keep authenticating over and over. If you could session spoof, the fact that an authenticator was used during the authentication process is now irrelevant because you'd be stealing the session and bypassing the authentication process altogether. It's funny when people who don't even understand basic security principles try to talk like they do.

Says the person who doesn't understand basic security. Authenticators are on a timed system, we use the same system as blizzard as part of our 3 factor authentication for work. I have a Vasco FOB, and I have a biometrics key. And then I still have to get a secondary key from the floor security adviser to get access to our server room.

All code keys become invalid after 30 seconds. You can't spoof something when the key becomes invalid after it's been tied to the ID. How do I know? Because I tried when I installed the system where I work. Doesn't work. Go ahead, find a session ID, try it. It'll ask you for a new authenticator code.
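
Added example, not part of any post in this thread and not Blizzard's code: a generic model of the two separate checks the posters above are arguing about, a 30-second one-time code (RFC 6238 TOTP) verified once at login and the session token used for every request afterwards. `AuthServer`, `bind_to_client` and the client names are hypothetical; the key and timestamps are the published RFC 6238 test values.

```python
import hashlib, hmac, secrets, struct

STEP = 30  # seconds a code stays valid, the interval quoted in the thread

def totp(key: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = struct.pack(">Q", int(now // STEP))
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class AuthServer:
    """Hypothetical login service: code checked once, then a token is used."""
    def __init__(self, key: bytes, bind_to_client: bool):
        self.key = key
        self.bind_to_client = bind_to_client  # assumption: server can identify the client
        self.last_step = -1   # newest time step already accepted
        self.sessions = {}    # token -> client identity seen at login

    def login(self, code: str, now: float, client: str):
        step = int(now // STEP)
        if step <= self.last_step:   # a code for this step was already used
            return None
        if not hmac.compare_digest(code, totp(self.key, now)):
            return None
        self.last_step = step
        token = secrets.token_hex(16)
        self.sessions[token] = client
        return token

    def request(self, token: str, client: str) -> bool:
        owner = self.sessions.get(token)
        if owner is None:
            return False
        return owner == client if self.bind_to_client else True

def demo(bind_to_client: bool) -> dict:
    key = b"12345678901234567890"            # RFC 6238 test secret
    srv = AuthServer(key, bind_to_client)
    code = totp(key, 1111111109.0)
    token = srv.login(code, 1111111109.0, "client-A")
    return {
        "code_replayed": srv.login(code, 1111111109.5, "client-B") is not None,
        "code_expired": srv.login(code, 1111111111.0, "client-B") is not None,
        "owner_ok": srv.request(token, "client-A"),
        "token_from_other_client": srv.request(token, "client-B"),
    }
```

In this model the one-time code is rejected both on reuse and after its time step ends, while the session token's fate depends only on whether the server ties it to the client that logged in.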
Thank you for the update. Continued reassurance is appreciated as there are still many people who are afraid to join public games because of potential security threats.

This may be a bit TL;DR, but I want to try to address as much here as possible...


TL;DR


It's disheartening to see this "code" in any (even semi-)official communications from a business I patronize.

Please be aware that many of us will always appreciate the 100% full, unabridged version of events, and never complain that it is "too long to read". (And shake our heads in wonder at that very notion.)

It is a dangerous road to go down, this "catering to people who want less information"...

To issue a summarized version of events, over a broad-casting medium suitable for the masses who claim to care, but don't really want to take the time to engage with a subject, might I suggest Twitter, as it seems purpose-built for such vulgar trivialities?

Or maybe I misunderstood you ranting about something you don't like rather than what is there. Either way, carry on.
Edited by Myles#1457 on 6/5/2012 2:21 PM PDT
85 Goblin Shaman
6290
06/05/2012 02:17 PM Posted by Virgo4Ever
I love the wording here. Gives the blizbots "proof" of how effective the authenticator is, but actually says nothing


What proof do you want?


Like I said, it's all in the wording. I will say this though: It definitely is possible to get hacked with an authenticator. It happened to my wow account last summer.

And you're the same group of people who laughed at Galileo, and told him the Earth was really flat, because someone else said so, not because of any proof you have of your own.

It's easy to get on the bandwagon. It's hard to get off it and say, "Wait a minute, something is wrong here."


I'm not sure about you, but I wasn't alive when Galileo was alive, so I couldn't tell him that he was wrong. The difference between Galileo and you though is that he had proof that the earth wasn't flat. You don't have proof that this is one giant conspiracy.


They think that .5% of the player base being hacked constitutes definitive proof of a hack happening.

As was pointed out, there is no way that session hijacking a game is even possible. There is no session id to hijack. I will maybe try to prove it, but most likely scenario is that the authentication socket remains encrypted for the duration of its life, meaning there is little usable information to see. I would start peering into memory, but I fear Warden wouldn't like that.
85 Goblin Shaman
6290
06/05/2012 02:18 PM Posted by Freese


I love the wording here. Gives the blizbots "proof" of how effective the authenticator is, but actually says nothing


How does that tell you nothing? He explicitly states that no one with an authenticator (mobile or physical) has been hacked. How can anyone possibly spin this any other way?


The blue said that no one with an authenticator has been investigated....... l2comprehnd
90 Undead Warrior
15325
06/05/2012 02:19 PM Posted by Fayul


What proof do you want?


Like I said, it's all in the wording. I will say this though: It definitely is possible to get hacked with an authenticator. It happened to my wow account last summer.


Blizzard also said that it's not a fool-proof measure. I'm willing to bet you had tons of malware on your computer from all of the Furry p o r n you download. There have been no reported incidents of someone with an authenticator being hacked in Diablo 3.
I'm just loving this thread.

My favorite is two pages after the blue someone complains about a blue replying to a worthless thread instead of his pressing issues and then three pages after you get someone complaining that the answer was a cut and paste and the blue didn't spend enough time writing it.

Just to show you just can't win.

I urge people not to use the authenticators, these threads are too entertaining.

And for those saying WoW accounts did not get hacked, most of the people I know playing WoW have been hacked at some point, none after they got an authenticator.
Like I said, it's all in the wording. I will say this though: It definitely is possible to get hacked with an authenticator. It happened to my wow account last summer.


Tech support has admitted that a scant few WoW accounts were hacked with Authenticators but that those few were literally over-brimming with spyware and keyloggers.

Also everyone, Lylirra is a SHE not a HE.
This topic has reached its post limit. You may no longer post or reply to posts for this topic.
