Diablo III Hacking?

MrWizard6600

Supreme [H]ardness
Joined
Jan 15, 2006
Messages
5,779
Na the authenticator is not BS. It is a test and proven security protocol that is used in large enterprise corporations know as Two-Form Authentication. But again if the hacker is on your system or has somehow already hacked your server. Then the Two-Authentication is worthless because the hacker is already bypassed it. The weakest link in any network security infrastructure is always the user.

Multi-factor authentication is generally a good idea, but it solves a problem that isn't the problem that’s causing all these peoples accounts to go missing.

One of the ways we did things for a long time was have clients start off by logging on securely, over TLS (such that their credentials were completely unreadable by anyone other than the destination, including your ISP, Wi-Fi observers, and any other malicious 3rd party, if you think I'm full of it read this and this). We'd then drop the secure session and return the original client a cookie, which was used as session state from then on, meaning for the server to know who the client was and that he had properly authenticated we would simply as him for this cookie.

The brain-dead vulnerability this creates is what’s called a "Session Hijack": you intercept that cookie and use it, which fools the server into believing you're the original client.

If this is in fact blizzards problem, as per http://us.battle.net/d3/en/forum/topic/5149539239#4, that’s, for a game company that’s been running one of the largest online communities for 8 years, pretty astonishing.

There’s a long list of well documented and widely deployed solutions to this problem, most enterprises now (including the one I work for), simply never drop the secure connection. You’d have to be using an ancient framework or have made some painful architecture decisions for the change from an unsecured to a secured connection to cause any real problems –aside from dealing with the certificates themselves, which can be tedious.
Having an authenticator doesn't remove you from being hacked when there is some kind of infrastructure problem going on. You are still logging into a service , you are not without an eco-system that is isolated but in fact shared by millions. There will always be a way to hack something like this.

I see where you’re coming from, and I think it’s a good idea to always be on your toes and to always suspect somebody else knows a vulnerability in your codebase that you never thought of. But there are some architectural decisions you can make to limit those openings.

Session hijacking is a vulnerability derived form a mistake most commonly made by newbie developers, that’s why I’m so surprised to see Blizzard fall victim.
...
Hearsay.

It is, but I too once had my WoW account stolen from me (lucky for me I’m terrible at that game so I didn’t have anything anyways). I think I’m about as security conscious as a windows user can get:
  • I've never given any of these passwords away, knowingly at least.
  • I very seldom visit any of Blizzard's sites, and when I have I've never done so by following a link
  • My passwords are random numbers and letters, the shortest being 12 characters long, and, in the case of blizzards domains, never used across domains.
  • I use ESET's nod32 AV
  • All of my software is current (and I verify that with Secunia's PSI --a fantastic utility, I encourage everyone here to use it.)

I'm fairly certain there’s something rotten in blizzard's authentication codebase, and its been lingering for a while.
 

DeathPrincess

Fully [H]
Joined
May 15, 2010
Messages
18,205
People are posting this "I have an auth and was hacked" nonsense just to bash blizzard or start flame wars or any other bullshit reason on the list. I refuse to believe that on all the forums/msg boards out there, there isn't a post with cold hard proof they where hacked with an auth on their account. It simply hasn't happened.

It's definately believable. I don't think there has ever been a mainstream peice of software with "dongle" style hardware authentificators that hasn't been cracked within a week or two. Nothing is "uncrackable", nor shall it ever be, there is no win all security method, and banks and the like (and compotent people) will use layers of security.
 

FM_Fixxxer

Limp Gawd
Joined
Mar 2, 2012
Messages
303
Uh, what kind of proof are you looking for? I don't think anyone has set up a video and say 'watch me get hacked'

Plenty of other ways to show, screen shots of the game, etc. If I was legit hacked personally, and I wanted to post about it, I'd take a screen shot of my battlenet page, showing I have an auth registered to the account, 10 seconds in paint blacks out anything you don't want to show. No one is asking for a freakin' video, no reason to be a smart ass.
 

Hitmanthe3rd

Limp Gawd
Joined
Dec 13, 2010
Messages
459
The problem with the authenticator is I am flashing a new Rom onto my phone ever other week and it breaks the authenticator. Otherwise I would use one again. Anyways, I am enjoying the heck out of this game!
 

Ski

[H]ard|Gawd
Joined
Jun 21, 2008
Messages
1,038
Just to shut some of you techies up regarding the authenticator.

Just last night, a friend of mine got his account hacked while using the authenticator. That's a big fucking clue that this is something internal going on. Still don't believe me? Get on the forums over there and read the countless posts of people (who are also tech literate) are also being hacked while using authenticators. Do your research first!

Secondly, for you idiots who are ignorant to the fact of how huge the auction house system is and the countless transactions going on as we speak, there's also real money system that's gonna be implemented soon, that's your biggest incentive right there and unfortunately, Blizzard has been absolutely quiet about this issue, so I'm thinking something is going on with their infrastructure.

It doesn't take a fucking IT specialist to figure out that with hundreds of thousands of credit card transactions involving Diablo related items, you're just attracting the sharks to take advantage of this system. For every noble and honorable person out there who never stolen gum from a candy store as a kid, there's 20 immoral greedy sons a bitches out there who live off stealing and ripping off other people.

I'm sure we'll know more in the coming days, because Blizzard can't keep this issue under wraps for long, but I'd bet a weeks salary their servers have been compromised....
 

MrWizard6600

Supreme [H]ardness
Joined
Jan 15, 2006
Messages
5,779
It's definately believable. I don't think there has ever been a mainstream peice of software with "dongle" style hardware authentificators that hasn't been cracked within a week or two. Nothing is "uncrackable", nor shall it ever be, there is no win all security method, and banks and the like (and compotent people) will use layers of security.

That’s not quite accurate; I think that you believe the authenticators to be smarter than they are.

All the authenticator is a box with a secret number, called a key, and a routine to access that key. When you ask it for its secret, it mixes some sort of state (sometimes they use the current time, but typically its just an incrementing number) with the original number in a cryptographically irreversible way, to produce a "nonce", a seemingly random string of numbers, 16 or 32 bytes long.

The cleverness to these things is that each time you ask it for its secret it will produce a new seemingly random nonce for you, except that it isn't random. Its totally unpredictable to anyone who doesn’t have the key. The producer of the authenticator knows that sequence because they too have the secret key. The algorithm itself that produces the nonce is called "a hashing algorithm", and is also publically known.

The key itself is top secret: the authenticator itself has no API to access that key directly (meaning, to get it from your authenticator, you'd need a breadboard) and it would be sealed away in a top secret database on the producers end. But if it is ever public, the authenticator is rendered completely useless, as is what happened with Grunman and RSA.

But, fundamentally, there’s no hacking to be done here, since theres nothing to really hack. The public hashing algorithm is hammered on extensively by university's, private companies, and governments. And, as far as we know, the proper implementations are totally un-hackable in any reasonable amount of time.
 

Elios

Supreme [H]ardness
Joined
Aug 12, 2004
Messages
7,259
The problem with the authenticator is I am flashing a new Rom onto my phone ever other week and it breaks the authenticator. Otherwise I would use one again. Anyways, I am enjoying the heck out of this game!

5 bucks for the hardware one from bliz worth getting
 

kodan

Limp Gawd
Joined
Apr 7, 2005
Messages
437
LOL its not surprising that people are getting hacked... ATM Diablo 3 passwords are not even case sensative. I saw a comment about it and I went and changed my password and sure enough capital letters in a password mean NOTHING. Since when has having a password not register capital letters been acceptable for ANY site?!?!?!?!?!?!?
 

RealityCrunch

[H]ard|Gawd
Joined
Nov 16, 2011
Messages
1,393
Has Blizzard's password system ever been case sensitive? I recall it being an issue in the past, but my memory is fuzzy.
 

FM_Fixxxer

Limp Gawd
Joined
Mar 2, 2012
Messages
303

NOT False, I've been playing it for years, It was case sensitive when I made my case sensitive password, as well as the wifes case sensitive password. So unless it CHANGED with the launch of Diablo 3, it's not false.
 

FM_Fixxxer

Limp Gawd
Joined
Mar 2, 2012
Messages
303
NOT False, I've been playing it for years, It was case sensitive when I made my case sensitive password, as well as the wifes case sensitive password. So unless it CHANGED with the launch of Diablo 3, it's not false.

I cant see where to edit my post. Hence the reply.

We made our passwords well before the required battlenet merge. Apparently once you where forced to link to battlenet, the passwords for battlenet are NOT case sensitive. They where however case sensitive when it was strictly World of Warcraft. I'll still apologize for not knowing I was incorrect.
 

jlinker

Limp Gawd
Joined
Jul 23, 2005
Messages
221
NOT False, I've been playing it for years, It was case sensitive when I made my case sensitive password, as well as the wifes case sensitive password. So unless it CHANGED with the launch of Diablo 3, it's not false.

My BNet password has a healthy mix of upper/lower case characters. I just went to the Battle.net site to log in and intentionally screwed my password and went all lower case. It let me log in after prompting for my authenticator. Tried all caps, and it let me log in fine that time as well.

Talk about disconcerting. :eek:
 

jlinker

Limp Gawd
Joined
Jul 23, 2005
Messages
221
I cant see where to edit my post. Hence the reply.

We made our passwords well before the required battlenet merge. Apparently once you where forced to link to battlenet, the passwords for battlenet are NOT case sensitive. They where however case sensitive when it was strictly World of Warcraft. I'll still apologize for not knowing I was incorrect.

(Can't edit my post, so I'll just add here)

My password was before the BNet merge as well.
 

Bomo

Gawd
Joined
Mar 9, 2010
Messages
902
My BNet password has a healthy mix of upper/lower case characters. I just went to the Battle.net site to log in and intentionally screwed my password and went all lower case. It let me log in after prompting for my authenticator. Tried all caps, and it let me log in fine that time as well.

Talk about disconcerting. :eek:

Christ, for a company that makes/supports one of the largest pay for play online games ever that's not just disconerting, that's negligent and extremely irresponsible.

16 character limit, limited character set that isn't case sensitive for a service that's tied to both monthly credit card information and now a real money auction house. Brilliant!
 

Oomps

Gawd
Joined
Sep 6, 2006
Messages
789
NOT False, I've been playing it for years, It was case sensitive when I made my case sensitive password, as well as the wifes case sensitive password. So unless it CHANGED with the launch of Diablo 3, it's not false.


You may think that, but you are wrong.
You can use googles time range search to find people complaining about it from years ago(pre-account merge).

Now you use your battle.net account to log in to wow as well, so I'm not sure why you would think it would be case sensitive when battle.net itself is not.
 

FM_Fixxxer

Limp Gawd
Joined
Mar 2, 2012
Messages
303
You may think that, but you are wrong.
You can use googles time range search to find people complaining about it from years ago(pre-account merge).

Now you use your battle.net account to log in to wow as well, so I'm not sure why you would think it would be case sensitive when battle.net itself is not.

Read the rest of the posts champ.
 

Bomo

Gawd
Joined
Mar 9, 2010
Messages
902
The problem with the authenticator is I am flashing a new Rom onto my phone ever other week and it breaks the authenticator. Otherwise I would use one again. Anyways, I am enjoying the heck out of this game!

There's a restore option. It's been there for at least as long as I can remember (I used the iOS version about a year ago, and I now use the Android version). You need to write down the serial number and restore code, but that's it.
 

ljbade

Limp Gawd
Joined
Feb 17, 2010
Messages
261
I wonder why blizzard don't just put an auth device in the diablo 3 game box and make its use mandatory for all full game players.
 

acidic

Gawd
Joined
Jun 25, 2005
Messages
952
If the hack involves session spoofing than the password doesn't matter. I can't believe professionals would overlook something as fundamental as securing the session
 

DeathPrincess

Fully [H]
Joined
May 15, 2010
Messages
18,205
I wonder why blizzard don't just put an auth device in the diablo 3 game box and make its use mandatory for all full game players.

Most people hate hardware keys. Plus a high percentage probably downloaded direct from blizzard. Also added cost.
 

Oomps

Gawd
Joined
Sep 6, 2006
Messages
789
If the hack involves session spoofing than the password doesn't matter. I can't believe professionals would overlook something as fundamental as securing the session

Eh, I can believe it after the Sony fiasco last year?
However, if that is indeed the case it's kind of funny considering how concerned they are with our systems(warden).
 

ljbade

Limp Gawd
Joined
Feb 17, 2010
Messages
261
Most people hate hardware keys. Plus a high percentage probably downloaded direct from blizzard. Also added cost.

True about the digital copies, but I don't think the cost of the auth would make that much of a dent in their bottom line, vs paying people to sort out the results of hacking.

But what I find concerning is the lack of case sensitivity. That is just pure lazyness.

I bet some chinese have managed to hack their server infrastructure just like sony and some other game company hacks.
 

EvanH

Limp Gawd
Joined
May 6, 2009
Messages
128
I bet some chinese have managed to hack their server infrastructure just like sony and some other game company hacks.

Than we would be seeing issues with WoW and other Blizzard games. The session stealing issue that's been mentioned previously is almost certainly the culprit.
 

ljbade

Limp Gawd
Joined
Feb 17, 2010
Messages
261
Than we would be seeing issues with WoW and other Blizzard games. The session stealing issue that's been mentioned previously is almost certainly the culprit.

But they might have only hacked the Diablo 3 servers, and not the Battle.net or WoW servers.

Being new servers they might have forgotten to tighten down the hatches or introduced some new software bug.
 

PornoSatan

2[H]4U
Joined
Sep 3, 2004
Messages
3,493
I think people have much worse things to worry about if the only thing stopping them from getting hacked is the authenticator. Read a thread where a guy said he was hacked 3 times, but when he got an authenticator he stopped being hacked. I'm thinking to myself... really? You think you're all fixed up now? You have much worse things to worry about. It's like taking something while you have the flu, so you no longer puke. That doesn't mean you still don't have the flu.
 

jober1

Limp Gawd
Joined
Oct 13, 2011
Messages
204
Anyone else immensely satisfied about Diablo 3 going online only is having all sorts of trouble?
 

mt2e

Limp Gawd
Joined
Feb 26, 2011
Messages
392
me jober me, d3 seems more like a fanboy cashgrab attempt from bliz cause they didnt really put enough effort into the actual game i think and are hoping for a much higher profit margins from d3
 

cyberdeity

Weaksauce
Joined
May 19, 2005
Messages
123
If the hack involves session spoofing than the password doesn't matter. I can't believe professionals would overlook something as fundamental as securing the session

I enjoyed all the talk in here regarding the authenticator, password strength, etc. None of that matters in this particular scenario. Yes, those are good ways to strengthen your security posture, but this particular vulnerability appears to deal with session security of public games. From what I've read it's a man-in-the-middle attack where they join a public game, then attempt to impersonate you in order to access your account. So, as acidic said, it's surprising that Blizz didn't have this sort of thing on lockdown already.

So, in addition to having the best password the system will allow you, and an authenticator, the best advice at the moment is to avoid public games for now. Don't join any, don't allow yours to be open.
 

trparky

Gawd
Joined
Jul 23, 2009
Messages
971
The problem with the authenticator is I am flashing a new Rom onto my phone ever other week and it breaks the authenticator. Otherwise I would use one again. Anyways, I am enjoying the heck out of this game!
Titanium Backup can backup the app data so when you restore the app along with the app data after installing your new ROM, the app loads as if nothing ever happened. The app is none the wiser that it was reinstalled. Open the app up again after restoring it and the data in Titanium Backup and you'll get the screen with the authenticator code to enter for your account.

I did this procedure to "transfer" the app to my tablet. Works great. Now I have two devices that have the authenticator on it.
 

Oomps

Gawd
Joined
Sep 6, 2006
Messages
789
I enjoyed all the talk in here regarding the authenticator, password strength, etc. None of that matters in this particular scenario. Yes, those are good ways to strengthen your security posture, but this particular vulnerability appears to deal with session security of public games. From what I've read it's a man-in-the-middle attack where they join a public game, then attempt to impersonate you in order to access your account. So, as acidic said, it's surprising that Blizz didn't have this sort of thing on lockdown already.

So, in addition to having the best password the system will allow you, and an authenticator, the best advice at the moment is to avoid public games for now. Don't join any, don't allow yours to be open.

The problem is that if they knew that this was happening they would just push out a patch to disable public games.

Their official position is that it's all on the user's end:
http://us.battle.net/d3/en/forum/topic/5149619846?page=29#571
We've been taking the situation extremely seriously from the start, and have done everything possible to verify how and in what circumstances these compromises are occurring. Despite the claims and theories being made, we have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password. While the authenticator isn't a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand.

However, there have been a lot of reports of people having their stuff taken and then blizzard denying that there was a compromise as well as those who had an authenticator attached and reported the same thing, so who knows.
 

burnin8r

[H]ard|Gawd
Joined
Nov 19, 2006
Messages
1,211
wouldn't be surprised if these same people who have had their gear and gold stolen also installed a .dll injector map hack. Of note also if you read the 20+ page on the official D3 forums, most are noticing the same player names in their recently played list.
 

roaf85

2[H]4U
Joined
Jan 8, 2005
Messages
2,766
Anyone else immensely satisfied about Diablo 3 going online only is having all sorts of trouble?

In this case you would still have people bitching because in Diablo 2 the single player and multiplayer were different.

Because it was the first week of launch how many people do you think are rolling multiplayer characters. Meaning that if Diablo 2 was rereleased you would have had the same complaining because people would have been pissed their multiplayer characters were compromised and wouldn't want to restore to starting an all new single player character.

It boggles my mind how people think that the game sold so well for 10 years because of the single player campaign.
 

eneq

Limp Gawd
Joined
Aug 7, 2009
Messages
144
Hey I was hacked and my computer was secure (new build) I have after this happened installed the authenticator application and still looking for the reason why this happened...

I have found one reference to a session spoof method that basically uses the new account procedure to create a new account but for the final server request replaces parts of the request data with an existing account.

The thinking here is that this method circumvents the normal login/password change mechanics of battle.net and simply updates the user account information.

/Q
 

gopher0x

n00b
Joined
Nov 2, 2005
Messages
39
That's all bullshit. The ONLY way to get hacked with an authenticator is for them to HAVE the thing in their hand. I have the key fob auth, and it works wonders.

Not true. They may have figured out how to simply bypass the authenticator check.
Its like having a hackproof lock on the front door of your house does little good if they figure out how to get the back door open, or crawl through a window, or come down the chimney.

All the authenticator does is provide an alternative logon that cant get keylogged.
If there is a fundamental flaw in the login process that allows them to backdoor it so to speak ..the authenticator isn't worth squat.
 

Orddie

2[H]4U
Joined
Dec 20, 2010
Messages
3,179
i think what we need to focus on here is what blizzard has said in there blue post response.

Despite the claims and theories being made, we have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password.While the authenticator isn't a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand.

I know there are users on this very forum that suggest they had a token on there account before it was hacked. I'm not sure what to believe other then my own XP on this. On one hand we have people saying "I had an authenticator and was hacked", and the other is saying "we have yet to investigate a compromise report in which an authenticator was attached beforehand". I personally have had an authenticator on my account since they came out with them and have had NO issues with my account. Been playing wow for 4 years, starcraft since it came out (2 years?) and now diablo.
 
Top