Diablo III Hacking?

Nah, the authenticator is not BS. It is a tested and proven security protocol that is used in large enterprise corporations, known as Two-Factor Authentication. But again, if the hacker is on your system or has somehow already hacked your server, then the Two-Factor Authentication is worthless because the hacker has already bypassed it. The weakest link in any network security infrastructure is always the user.

Multi-factor authentication is generally a good idea, but it solves a problem that isn't the problem that’s causing all these people's accounts to go missing.

One of the ways we did things for a long time was to have clients start off by logging on securely, over TLS (such that their credentials were completely unreadable by anyone other than the destination, including your ISP, Wi-Fi observers, and any other malicious 3rd party; if you think I'm full of it, read this and this). We'd then drop the secure session and return the original client a cookie, which was used as session state from then on, meaning that for the server to know who the client was and that he had properly authenticated, we would simply ask him for this cookie.

The brain-dead vulnerability this creates is what’s called a "Session Hijack": you intercept that cookie and use it, which fools the server into believing you're the original client.

If this is in fact Blizzard's problem, as per http://us.battle.net/d3/en/forum/topic/5149539239#4, that’s, for a game company that’s been running one of the largest online communities for 8 years, pretty astonishing.

There’s a long list of well documented and widely deployed solutions to this problem; most enterprises now (including the one I work for) simply never drop the secure connection. You’d have to be using an ancient framework or have made some painful architecture decisions for the change from an unsecured to a secured connection to cause any real problems, aside from dealing with the certificates themselves, which can be tedious.
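
To make the post above concrete, here is an added example (not Blizzard's or Battle.net's code, and not from the poster) of the login-then-cookie flow in Python. The session store, the browser rule and the eavesdropper are all constructed for the illustration; the one real mechanism it shows is the cookie's Secure attribute, which is the standard way to stop a session cookie from ever being sent over a plain-HTTP connection once the TLS session has been dropped.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Optional

# Added illustration, not Battle.net's code. It models the flow the post
# describes: authenticate over TLS, hand the client a session cookie, then
# (in the weak variant) keep talking over plain HTTP, where a network
# observer can copy the cookie and replay it. The session store, browser
# rule and eavesdropper below are all constructed for the example.

SESSIONS = {}  # session id -> account name (constructed in-memory store)


def login(account: str, secure_only: bool) -> str:
    """Issue a session after a successful TLS login (the credential check
    itself is assumed to have happened already). Returns the Set-Cookie
    header value the server would send."""
    sid = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    SESSIONS[sid] = account
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["httponly"] = True    # page scripts cannot read it
    if secure_only:
        cookie["session"]["secure"] = True  # browser sends it over https only
    return cookie.output(header="").strip()


def browser_sends_cookie(set_cookie: str, scheme: str) -> bool:
    """Browser rule: a cookie flagged Secure is attached only to https
    requests; without the flag it also goes out over plain http."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    return scheme == "https" or not jar["session"]["secure"]


def account_for(cookie_header: str) -> Optional[str]:
    """Server side: whoever presents a valid session id *is* that account.
    This is all the server knows, which is why the cookie must never travel
    where a third party can read it."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "session" not in jar:
        return None
    return SESSIONS.get(jar["session"].value)


def eavesdropper_outcome(secure_only: bool) -> Optional[str]:
    """Simulate the hijack: the victim logs in, then their browser makes a
    plain-http request. An observer on that path copies whatever Cookie
    header is sent and replays it. Returns the account the observer ends
    up logged in as, or None if nothing usable crossed the wire."""
    set_cookie = login("victim", secure_only)
    if not browser_sends_cookie(set_cookie, "http"):
        return None                        # Secure flag: nothing to sniff
    sniffed = set_cookie.split(";", 1)[0]  # "session=<id>", as the browser sends it
    return account_for(sniffed)


if __name__ == "__main__":
    print("no Secure flag, session continues over http:",
          eavesdropper_outcome(secure_only=False))  # victim
    print("Secure flag set (stay on TLS):",
          eavesdropper_outcome(secure_only=True))   # None
```

The point of the two runs is that the flag alone does not make dropping TLS safe; it makes the dropped connection unauthenticated, which forces the site to stay on TLS for anything that needs a session, which is exactly the "never drop the secure connection" advice.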

Having an authenticator doesn't stop you from being hacked when there is some kind of infrastructure problem going on. You are still logging into a service; you are not in an ecosystem that is isolated, but in fact one shared by millions. There will always be a way to hack something like this.

I see where you’re coming from, and I think it’s a good idea to always be on your toes and to always suspect somebody else knows a vulnerability in your codebase that you never thought of. But there are some architectural decisions you can make to limit those openings.

Session hijacking is a vulnerability derived from a mistake most commonly made by newbie developers, that’s why I’m so surprised to see Blizzard fall victim.
...
Hearsay.

It is, but I too once had my WoW account stolen from me (lucky for me I’m terrible at that game so I didn’t have anything anyway). I think I’m about as security conscious as a Windows user can get:
  • I've never given any of these passwords away, knowingly at least.
  • I very seldom visit any of Blizzard's sites, and when I have I've never done so by following a link
  • My passwords are random numbers and letters, the shortest being 12 characters long, and, in the case of Blizzard's domains, never used across domains.
  • I use ESET's NOD32 AV
  • All of my software is current (and I verify that with Secunia's PSI --a fantastic utility, I encourage everyone here to use it.)

I'm fairly certain there’s something rotten in Blizzard's authentication codebase, and it's been lingering for a while.
 
People are posting this "I have an auth and was hacked" nonsense just to bash Blizzard or start flame wars or any other bullshit reason on the list. I refuse to believe that on all the forums/msg boards out there, there isn't a post with cold hard proof they were hacked with an auth on their account. It simply hasn't happened.

It's definitely believable. I don't think there has ever been a mainstream piece of software with "dongle" style hardware authenticators that hasn't been cracked within a week or two. Nothing is "uncrackable", nor shall it ever be, there is no win-all security method, and banks and the like (and competent people) will use layers of security.
 
Uh, what kind of proof are you looking for? I don't think anyone has set up a video and say 'watch me get hacked'

Plenty of other ways to show, screen shots of the game, etc. If I was legit hacked personally, and I wanted to post about it, I'd take a screen shot of my battlenet page, showing I have an auth registered to the account, 10 seconds in paint blacks out anything you don't want to show. No one is asking for a freakin' video, no reason to be a smart ass.
 
The problem with the authenticator is I am flashing a new ROM onto my phone every other week and it breaks the authenticator. Otherwise I would use one again. Anyways, I am enjoying the heck out of this game!
 
Just to shut some of you techies up regarding the authenticator.

Just last night, a friend of mine got his account hacked while using the authenticator. That's a big fucking clue that this is something internal going on. Still don't believe me? Get on the forums over there and read the countless posts of people (who are also tech literate) who are also being hacked while using authenticators. Do your research first!

Secondly, for you idiots who are ignorant of how huge the auction house system is and the countless transactions going on as we speak, there's also a real-money system that's gonna be implemented soon; that's your biggest incentive right there, and unfortunately Blizzard has been absolutely quiet about this issue, so I'm thinking something is going on with their infrastructure.

It doesn't take a fucking IT specialist to figure out that with hundreds of thousands of credit card transactions involving Diablo related items, you're just attracting the sharks to take advantage of this system. For every noble and honorable person out there who has never stolen gum from a candy store as a kid, there's 20 immoral greedy sons of bitches out there who live off stealing and ripping off other people.

I'm sure we'll know more in the coming days, because Blizzard can't keep this issue under wraps for long, but I'd bet a weeks salary their servers have been compromised....
 
It's definitely believable. I don't think there has ever been a mainstream piece of software with "dongle" style hardware authenticators that hasn't been cracked within a week or two. Nothing is "uncrackable", nor shall it ever be, there is no win-all security method, and banks and the like (and competent people) will use layers of security.

That’s not quite accurate; I think that you believe the authenticators to be smarter than they are.

All the authenticator is is a box with a secret number, called a key, and a routine to access that key. When you ask it for its secret, it mixes some sort of state (sometimes they use the current time, but typically it's just an incrementing number) with the original number in a cryptographically irreversible way, to produce a "nonce", a seemingly random string of numbers, 16 or 32 bytes long.

The cleverness to these things is that each time you ask it for its secret it will produce a new seemingly random nonce for you, except that it isn't random. It's totally unpredictable to anyone who doesn’t have the key. The producer of the authenticator knows that sequence because they too have the secret key. The algorithm itself that produces the nonce is called "a hashing algorithm", and is also publicly known.

The key itself is top secret: the authenticator itself has no API to access that key directly (meaning, to get it from your authenticator, you'd need a breadboard) and it would be sealed away in a top secret database on the producer's end. But if it is ever public, the authenticator is rendered completely useless, as is what happened with Grumman and RSA.

But, fundamentally, there’s no hacking to be done here, since there's nothing to really hack. The public hashing algorithm is hammered on extensively by universities, private companies, and governments. And, as far as we know, the proper implementations are totally un-hackable in any reasonable amount of time.
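
The construction described in the post above is, in standard terms, an HMAC-based one-time password. Here is an added example (not Blizzard's authenticator code; the real device's key derivation and code format are not documented in this thread) implementing the counter-based and time-based variants as specified in RFC 4226 and RFC 6238, using the RFC's published test key. The verify routine shows the server-side detail the post glosses over: accepting a code a few counts ahead of the stored counter, but never behind it.

```python
import hashlib
import hmac
import struct
import time

# Added example, not Blizzard's code: the generic one-time-password
# construction the post describes (RFC 4226 HOTP, RFC 6238 TOTP).
# The shared secret is the RFC 4226 test-vector key, not a real key.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP: mix an incrementing counter with the key through
    HMAC-SHA1 (one-way), then dynamically truncate to a short decimal code.
    Without the key, the next code is unpredictable; with it, both sides
    compute the same sequence."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()  # 20 bytes
    offset = digest[-1] & 0x0F                             # low nibble picks a window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant: the counter is the number of 30-second steps
    since the epoch, so both sides only need roughly synchronised clocks."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, code: str, server_counter: int, look_ahead: int = 10):
    """Server-side check for a counter-based token. A user may have pressed
    the button without logging in, so accept a code up to `look_ahead`
    counts ahead of the stored value, and never one behind it (that would
    be a replay). Returns the counter to store next, or None on failure."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


if __name__ == "__main__":
    for c in range(3):
        print(f"counter {c}: {hotp(SHARED_SECRET, c)}")
    print("TOTP now:", totp(SHARED_SECRET, int(time.time())))
    print("resync to counter", verify_hotp(SHARED_SECRET, hotp(SHARED_SECRET, 4), 0))
```

The key-compromise point the poster makes about RSA falls straight out of this: `hotp` is fully deterministic given `SHARED_SECRET`, so whoever holds the key database can print every user's codes, and the token adds nothing until the keys are rotated.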
 
The problem with the authenticator is I am flashing a new ROM onto my phone every other week and it breaks the authenticator. Otherwise I would use one again. Anyways, I am enjoying the heck out of this game!

5 bucks for the hardware one from Bliz, worth getting.
 
LOL it's not surprising that people are getting hacked... ATM Diablo 3 passwords are not even case sensitive. I saw a comment about it and I went and changed my password and sure enough capital letters in a password mean NOTHING. Since when has having a password not register capital letters been acceptable for ANY site?!
 
Has Blizzard's password system ever been case sensitive? I recall it being an issue in the past, but my memory is fuzzy.
 

NOT False, I've been playing it for years. It was case sensitive when I made my case sensitive password, as well as the wife's case sensitive password. So unless it CHANGED with the launch of Diablo 3, it's not false.
 
NOT False, I've been playing it for years. It was case sensitive when I made my case sensitive password, as well as the wife's case sensitive password. So unless it CHANGED with the launch of Diablo 3, it's not false.

I can't see where to edit my post. Hence the reply.

We made our passwords well before the required Battle.net merge. Apparently once you were forced to link to Battle.net, the passwords for Battle.net are NOT case sensitive. They were, however, case sensitive when it was strictly World of Warcraft. I'll still apologize for not knowing I was incorrect.
 
NOT False, I've been playing it for years. It was case sensitive when I made my case sensitive password, as well as the wife's case sensitive password. So unless it CHANGED with the launch of Diablo 3, it's not false.

My BNet password has a healthy mix of upper/lower case characters. I just went to the Battle.net site to log in and intentionally screwed my password and went all lower case. It let me log in after prompting for my authenticator. Tried all caps, and it let me log in fine that time as well.

Talk about disconcerting. :eek:
 
I can't see where to edit my post. Hence the reply.

We made our passwords well before the required Battle.net merge. Apparently once you were forced to link to Battle.net, the passwords for Battle.net are NOT case sensitive. They were, however, case sensitive when it was strictly World of Warcraft. I'll still apologize for not knowing I was incorrect.

(Can't edit my post, so I'll just add here)

My password was before the BNet merge as well.
 
My BNet password has a healthy mix of upper/lower case characters. I just went to the Battle.net site to log in and intentionally screwed my password and went all lower case. It let me log in after prompting for my authenticator. Tried all caps, and it let me log in fine that time as well.

Talk about disconcerting. :eek:

Christ, for a company that makes/supports one of the largest pay-to-play online games ever that's not just disconcerting, that's negligent and extremely irresponsible.

16 character limit, limited character set that isn't case sensitive for a service that's tied to both monthly credit card information and now a real money auction house. Brilliant!
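
As an added illustration of the password complaint above (hypothetical code, not Blizzard's; the thread shows the behaviour, not how it is implemented), one way a case-insensitive check comes about is normalising the password before hashing it. The second verifier shows the case-preserving, salted, slow alternative, and the last two functions put a number on what 16 characters without case distinction costs.

```python
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

# Added illustration, not Blizzard's code. Both verifiers are hypothetical;
# the thread establishes that Battle.net accepted any casing, not how.


def store_casefolded(password: str) -> bytes:
    """Weak pattern: fold the password to lower case before hashing, so
    "Secret", "secret" and "SECRET" all produce the same stored record."""
    return hashlib.sha256(password.lower().encode("utf-8")).digest()


def verify_casefolded(stored: bytes, attempt: str) -> bool:
    return hmac.compare_digest(stored, store_casefolded(attempt))


def store_hardened(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Case-preserving, salted, deliberately slow hash (PBKDF2-HMAC-SHA256).
    Returns (salt, hash); the salt is stored beside the hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def verify_hardened(record: Tuple[bytes, bytes], attempt: str) -> bool:
    salt, stored = record
    _, candidate = store_hardened(attempt, salt)
    return hmac.compare_digest(stored, candidate)  # constant-time compare


def keyspace_bits(length: int, alphabet: int) -> float:
    """Search space of a full-length random password, in bits."""
    return length * math.log2(alphabet)


def fold_cost_bits(length: int = 16) -> float:
    """Bits thrown away by case-folding an alphanumeric password of the
    given length: 62 symbols per position collapse to 36."""
    return keyspace_bits(length, 62) - keyspace_bits(length, 36)


if __name__ == "__main__":
    weak = store_casefolded("Tr0ub4dor")
    print("casefolded verifier accepts 'tr0ub4dor':", verify_casefolded(weak, "tr0ub4dor"))
    strong = store_hardened("Tr0ub4dor")
    print("hardened verifier accepts 'tr0ub4dor':", verify_hardened(strong, "tr0ub4dor"))
    print(f"16 chars, case-insensitive alnum: {keyspace_bits(16, 36):.1f} bits")
    print(f"16 chars, case-sensitive alnum:   {keyspace_bits(16, 62):.1f} bits")
    print(f"lost to case folding: {fold_cost_bits():.1f} bits")
```

The fold costs about 12.5 bits at the maximum length, roughly a 6000-fold reduction in the attacker's search space; on a fast, unsalted hash like the weak variant that is the difference between a password that survives an offline attack and one that does not.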
 
NOT False, I've been playing it for years. It was case sensitive when I made my case sensitive password, as well as the wife's case sensitive password. So unless it CHANGED with the launch of Diablo 3, it's not false.


You may think that, but you are wrong.
You can use Google's time range search to find people complaining about it from years ago (pre-account merge).

Now you use your battle.net account to log in to wow as well, so I'm not sure why you would think it would be case sensitive when battle.net itself is not.
 
You may think that, but you are wrong.
You can use Google's time range search to find people complaining about it from years ago (pre-account merge).

Now you use your battle.net account to log in to wow as well, so I'm not sure why you would think it would be case sensitive when battle.net itself is not.

Read the rest of the posts champ.
 
The problem with the authenticator is I am flashing a new ROM onto my phone every other week and it breaks the authenticator. Otherwise I would use one again. Anyways, I am enjoying the heck out of this game!

There's a restore option. It's been there for at least as long as I can remember (I used the iOS version about a year ago, and I now use the Android version). You need to write down the serial number and restore code, but that's it.
 
I wonder why Blizzard doesn't just put an auth device in the Diablo 3 game box and make its use mandatory for all full game players.
 
If the hack involves session spoofing then the password doesn't matter. I can't believe professionals would overlook something as fundamental as securing the session.
 
I wonder why Blizzard doesn't just put an auth device in the Diablo 3 game box and make its use mandatory for all full game players.

Most people hate hardware keys. Plus a high percentage probably downloaded direct from blizzard. Also added cost.
 
If the hack involves session spoofing then the password doesn't matter. I can't believe professionals would overlook something as fundamental as securing the session.

Eh, I can believe it after the Sony fiasco last year.
However, if that is indeed the case it's kind of funny considering how concerned they are with our systems (Warden).
 
Most people hate hardware keys. Plus a high percentage probably downloaded direct from blizzard. Also added cost.

True about the digital copies, but I don't think the cost of the auth would make that much of a dent in their bottom line, vs paying people to sort out the results of hacking.

But what I find concerning is the lack of case sensitivity. That is just pure laziness.

I bet some Chinese have managed to hack their server infrastructure just like Sony and some other game company hacks.
 
I bet some Chinese have managed to hack their server infrastructure just like Sony and some other game company hacks.

Then we would be seeing issues with WoW and other Blizzard games. The session stealing issue that's been mentioned previously is almost certainly the culprit.
 
Then we would be seeing issues with WoW and other Blizzard games. The session stealing issue that's been mentioned previously is almost certainly the culprit.

But they might have only hacked the Diablo 3 servers, and not the Battle.net or WoW servers.

Being new servers they might have forgotten to tighten down the hatches or introduced some new software bug.
 
I think people have much worse things to worry about if the only thing stopping them from getting hacked is the authenticator. Read a thread where a guy said he was hacked 3 times, but when he got an authenticator he stopped being hacked. I'm thinking to myself... really? You think you're all fixed up now? You have much worse things to worry about. It's like taking something while you have the flu, so you no longer puke. That doesn't mean you still don't have the flu.
 
Anyone else immensely satisfied that Diablo 3 going online-only is having all sorts of trouble?
 
me jober me, D3 seems more like a fanboy cash-grab attempt from Bliz because they didn't really put enough effort into the actual game, I think, and are hoping for much higher profit margins from D3.
 
If the hack involves session spoofing then the password doesn't matter. I can't believe professionals would overlook something as fundamental as securing the session.

I enjoyed all the talk in here regarding the authenticator, password strength, etc. None of that matters in this particular scenario. Yes, those are good ways to strengthen your security posture, but this particular vulnerability appears to deal with session security of public games. From what I've read it's a man-in-the-middle attack where they join a public game, then attempt to impersonate you in order to access your account. So, as acidic said, it's surprising that Blizz didn't have this sort of thing on lockdown already.

So, in addition to having the best password the system will allow you, and an authenticator, the best advice at the moment is to avoid public games for now. Don't join any, don't allow yours to be open.
 
The problem with the authenticator is I am flashing a new ROM onto my phone every other week and it breaks the authenticator. Otherwise I would use one again. Anyways, I am enjoying the heck out of this game!

Titanium Backup can backup the app data so when you restore the app along with the app data after installing your new ROM, the app loads as if nothing ever happened. The app is none the wiser that it was reinstalled. Open the app up again after restoring it and the data in Titanium Backup and you'll get the screen with the authenticator code to enter for your account.

I did this procedure to "transfer" the app to my tablet. Works great. Now I have two devices that have the authenticator on it.
 
I enjoyed all the talk in here regarding the authenticator, password strength, etc. None of that matters in this particular scenario. Yes, those are good ways to strengthen your security posture, but this particular vulnerability appears to deal with session security of public games. From what I've read it's a man-in-the-middle attack where they join a public game, then attempt to impersonate you in order to access your account. So, as acidic said, it's surprising that Blizz didn't have this sort of thing on lockdown already.

So, in addition to having the best password the system will allow you, and an authenticator, the best advice at the moment is to avoid public games for now. Don't join any, don't allow yours to be open.

The problem is that if they knew that this was happening they would just push out a patch to disable public games.

Their official position is that it's all on the user's end:
http://us.battle.net/d3/en/forum/topic/5149619846?page=29#571
We've been taking the situation extremely seriously from the start, and have done everything possible to verify how and in what circumstances these compromises are occurring. Despite the claims and theories being made, we have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password. While the authenticator isn't a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand.

However, there have been a lot of reports of people having their stuff taken and then blizzard denying that there was a compromise as well as those who had an authenticator attached and reported the same thing, so who knows.
 
wouldn't be surprised if these same people who have had their gear and gold stolen also installed a .dll injector map hack. Of note also if you read the 20+ page on the official D3 forums, most are noticing the same player names in their recently played list.
 
Anyone else immensely satisfied about Diablo 3 going online only is having all sorts of trouble?

In this case you would still have people bitching because in Diablo 2 the single player and multiplayer were different.

Because it was the first week of launch, how many people do you think are rolling multiplayer characters? Meaning that if Diablo 2 were re-released you would have had the same complaining, because people would have been pissed their multiplayer characters were compromised and wouldn't want to resort to starting an all-new single-player character.

It boggles my mind how people think that the game sold so well for 10 years because of the single player campaign.
 
Hey, I was hacked and my computer was secure (new build). After this happened I installed the authenticator application, and I'm still looking for the reason why this happened...

I have found one reference to a session spoof method that basically uses the new account procedure to create a new account but for the final server request replaces parts of the request data with an existing account.

The thinking here is that this method circumvents the normal login/password change mechanics of battle.net and simply updates the user account information.

/Q
 
That's all bullshit. The ONLY way to get hacked with an authenticator is for them to HAVE the thing in their hand. I have the key fob auth, and it works wonders.

Not true. They may have figured out how to simply bypass the authenticator check.
It's like having a hackproof lock on the front door of your house: it does little good if they figure out how to get the back door open, or crawl through a window, or come down the chimney.

All the authenticator does is provide an alternative logon that can't get keylogged.
If there is a fundamental flaw in the login process that allows them to backdoor it, so to speak, the authenticator isn't worth squat.
 
I think what we need to focus on here is what Blizzard has said in their blue post response.

Despite the claims and theories being made, we have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password. While the authenticator isn't a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand.

I know there are users on this very forum that suggest they had a token on their account before it was hacked. I'm not sure what to believe other than my own XP on this. On one hand we have people saying "I had an authenticator and was hacked", and the other is saying "we have yet to investigate a compromise report in which an authenticator was attached beforehand". I personally have had an authenticator on my account since they came out with them and have had NO issues with my account. Been playing WoW for 4 years, StarCraft since it came out (2 years?) and now Diablo.
 