
D3 account can be hacked via public game, might be explanation to those acc hacked

     
TSsammm33
post May 22 2012, 05:53 PM, updated 14y ago

On my way
****
Junior Member
684 posts

Joined: Sep 2007


"an exploit was discovered by duplicating a session ID
basically, if you join a public game with people, they can view your session ID and spoof it to login as you without need for a password or email or anything
if you play with people, try not to play in public games bro, only with people you know"

"apparently the EU servers went down last night
and when they came back on, many accounts had lost items / gold
lemme find this link for you
http://www.eurogamer.net/articles/2012-05-...nd-items-stolen
here, read that"


SOS = http://us.battle.net/d3/en/forum/topic/5149539239
polarzbearz
post May 22 2012, 05:55 PM

Gracie
*******
Senior Member
4,816 posts

Joined: Apr 2007


Blizzard's official statement/reply makes me go sweat.gif
DrLaboo
post May 22 2012, 05:55 PM

♥ surprised buttsek ♥
******
Senior Member
1,004 posts

Joined: Feb 2011
From: Your House



fark dem shiat!~
luckily i rarely play with them strangers..
Why^Me
post May 22 2012, 06:00 PM

On my way
****
Senior Member
551 posts

Joined: Nov 2004
From: ポンテイアン、 ジョホル。



luckily i not yet buy D3 to play...
sai86
post May 22 2012, 06:02 PM

StilL LearninG
*******
Senior Member
4,934 posts

Joined: Sep 2008
From: Setapak


fk, lucky i only join lyners private game. this is a mega loop hole rclxub.gif no wonder the guys get hacked state even got authenticator still get hacked.

wow, imagine if this happen with RMAH, how blizzard is going to compensate the dmg? shocking.gif

This post has been edited by sai86: May 22 2012, 06:03 PM
DeMoNBLooD
post May 22 2012, 06:02 PM

Getting Started
**
Junior Member
195 posts

Joined: Dec 2009


Fcking hell scary man...imagine u have super rare item and legendary item and a million of gold... And a few max lvl character inside ...holy mother of god...
Y.K.
post May 22 2012, 06:06 PM

Casual
***
Junior Member
371 posts

Joined: Aug 2005


speak of hacking, i m trying to attach mobile authenticator, downloaded the apps but when i input the serial keys it keep saying the serial key is wrong sweat.gif

anyone have this before?
polarzbearz
post May 22 2012, 06:09 PM

Gracie
*******
Senior Member
4,816 posts

Joined: Apr 2007


QUOTE(Y.K. @ May 22 2012, 06:06 PM)
speak of hacking, i m trying to attach mobile authenticator, downloaded the apps but when i input the serial keys it keep saying the serial key is wrong sweat.gif

anyone have this before?
*
Happened to me today. Tried to click the refresh/sync button on left-bottom corner?
kidmad
post May 22 2012, 06:09 PM

Look at all my stars!!
*******
Senior Member
4,482 posts

Joined: Jul 2005
holy cow... no more public games for me.
coldz
post May 22 2012, 06:12 PM

New Member
*
Junior Member
29 posts

Joined: Nov 2007
lol..luckily i m just started smile.gif
CocoMonGo
post May 22 2012, 06:13 PM

Ooo Finally
****
Senior Member
551 posts

Joined: Dec 2006


QUOTE(sai86 @ May 22 2012, 06:02 PM)
fk, lucky i only join lyners private game. this is a mega loop hole  rclxub.gif no wonder the guys get hacked state even got authenticator still get hacked.

wow, imagine if this happen with RMAH, how blizzard is going to compensate the dmg? shocking.gif
*
mayb thats y RMAH still not launch until now
Y.K.
post May 22 2012, 06:14 PM

Casual
***
Junior Member
371 posts

Joined: Aug 2005


QUOTE(polarzbearz @ May 22 2012, 06:09 PM)
Happened to me today. Tried to click the refresh/sync button on left-bottom corner?
*
hmmm? u mean refresh in my iphone or? hmm.gif
alex82
post May 22 2012, 06:15 PM

^_^
***
Junior Member
371 posts

Joined: Sep 2006
i haven't start pub game yet..solo all the way
TiF
post May 22 2012, 06:15 PM

Regular
******
Senior Member
1,192 posts

Joined: Dec 2009


lol, so much for 'always online anti cheat' bla bla
polarzbearz
post May 22 2012, 06:17 PM

Gracie
*******
Senior Member
4,816 posts

Joined: Apr 2007


QUOTE(Y.K. @ May 22 2012, 06:14 PM)
hmmm? u mean refresh in my iphone or? hmm.gif
*
Yeah.. today when I tried to log-in to my Battle.net at their website, the authentication always fail and I wondered why.. clicked the refresh at my phone, numbers updated and can login already sweat.gif
Y.K.
post May 22 2012, 06:21 PM

Casual
***
Junior Member
371 posts

Joined: Aug 2005


QUOTE(polarzbearz @ May 22 2012, 06:17 PM)
Yeah.. today when I tried to log-in to my Battle.net at their website, the authentication always fail and I wondered why.. clicked the refresh at my phone, numbers updated and can login already sweat.gif
*
oh okay, so urs are actually authenticator code but not serial key issue la.

i m trying to attach, the serial code displayed cannot be used n i tried to reset it n still the same sad.gif
polarzbearz
post May 22 2012, 06:29 PM

Gracie
*******
Senior Member
4,816 posts

Joined: Apr 2007


QUOTE(Y.K. @ May 22 2012, 06:21 PM)
oh okay, so urs are actually authenticator code but not serial key issue la.

i m trying to attach, the serial code displayed cannot be used n i tried to reset it n still the same sad.gif
*
sweat.gif Oh wow, sorry I mis-interpreted your message blush.gif

Never had an issue when I linked my device with my account. I did that before Diablo III was released tho.. during the Beta's.
gaeria84
post May 22 2012, 06:30 PM

Enthusiast
*****
Senior Member
837 posts

Joined: Mar 2005
QUOTE(CocoMonGo @ May 22 2012, 06:13 PM)
mayb thats y RMAH still not launch until now
*
After all this, you sure you want to trade in RMAH? There might be some security flaw lurking around in their servers that may compromise your account and your hard earned cash.

This is Blizzard we are talking about. Should anything happen, they take an extremely long time (weeks, sometimes months) to restore your account/items/cash and most of the time, you won't get back all your stuff

This post has been edited by gaeria84: May 22 2012, 06:31 PM
nate_nightroad
post May 22 2012, 06:36 PM

Endless numbered days...
*******
Senior Member
3,639 posts

Joined: Mar 2007


luckily is just a GAME and not real life...

phew
bamkai
post May 22 2012, 06:41 PM

Getting Started
**
Junior Member
167 posts

Joined: Jan 2010
luckily i dont know what diablo is
Teddysaur
post May 22 2012, 06:45 PM

Socially cawkward 🦄
***
Junior Member
435 posts

Joined: Oct 2010
Oh crap. I've only started playing public game since yesterday on NA server. Usually I played private game with a friend. Didnt realized hacking account in D3 was so easy.

Hopefully nothing bad happen to my account.

skywardsword
post May 22 2012, 06:45 PM

On my way
****
Junior Member
680 posts

Joined: Sep 2010
server down for maintenance lah... same as WOW somemore... thats why things cannot authenticate.

samlee860407
post May 22 2012, 06:45 PM

Look at all my stars!!
*******
Senior Member
4,631 posts

Joined: Oct 2005


QUOTE(Y.K. @ May 22 2012, 06:21 PM)
oh okay, so urs are actually authenticator code but not serial key issue la.

i m trying to attach, the serial code displayed cannot be used n i tried to reset it n still the same sad.gif
*
i also face the serial number problem now, again actually

both the iphone app and the real authenticator cannot be used. both give me the error of serial number wrong when i want to attach it.



previously, i bought 1 from authenticator token from blizzard, but serial number error. Blizzard can't resolve it hence sent me another. this time can attach liao. then after that i din't play WoW anymore, I took away the authenticator.

then now, i want to reattach it back, it says serial number error

then I try to download the iphone app, again, say serial number problem

open a ticket, asked me to call them, but when i tried to call the number, it says "this number had bar all incoming calls" :S
technoraver
post May 22 2012, 06:45 PM

★ ayam watching jew ★
*****
Senior Member
944 posts

Joined: Nov 2006
From: Cheras,Cyberjaya


dafaq!?
Y.K.
post May 22 2012, 07:03 PM

Casual
***
Junior Member
371 posts

Joined: Aug 2005


QUOTE(samlee860407 @ May 22 2012, 06:45 PM)
i also face the serial number problem now, again actually

both the iphone app and the real authenticator cannot be used. both give me the error of serial number wrong when i want to attach it.
previously, i bought 1 from authenticator token from blizzard, but serial number error. Blizzard can't resolve it hence sent me another. this time can attach liao. then after that i din't play WoW anymore, I took away the authenticator.

then now, i want to reattach it back, it says serial number error

then I try to download the iphone app, again, say serial number problem

open a ticket, asked me to call them, but when i tried to call the number, it says "this number had bar all incoming calls" :S
*
wah ur problem sounds serious leh, lol i think i not gonna attach authenticator for now then hmm.gif

anyway i sent a ticket n c how they reply la.
ZeratoS
post May 22 2012, 07:06 PM

Oh you.
******
Senior Member
1,044 posts

Joined: Dec 2008
From: 127.0.0.1


http://us.battle.net/d3/en/forum/topic/5149619846?page=7#124

Apparently. Typical lah, bringing shame to South East Asia.
Deimos Tel`Arin
post May 22 2012, 07:17 PM

The LYN Kondom Man
*******
Senior Member
4,202 posts

Joined: Jan 2003
From: THE ONE AND ONLY CHOO CHOO TRAIN KINGDOM




QUOTE(alex82 @ May 22 2012, 06:15 PM)
i haven't start pub game yet..solo all the way
*
same here only joined friends game few times.will reduce friends now
Seiei5
post May 22 2012, 07:18 PM

New Member
*
Junior Member
39 posts

Joined: Oct 2010
Man they should have put something like and 6 pin code to access your inventory and oso your stash inventory . this alone can solve all this hacking case.....
wodenus
post May 22 2012, 07:52 PM

Tree Octopus
********
All Stars
14,990 posts

Joined: Jan 2003
QUOTE(Seiei5 @ May 22 2012, 07:18 PM)
Man they should have put something like and 6  pin code to access your inventory and oso your stash inventory . this alone can solve all this hacking case.....
*
They would have stolen that too with a keylogger smile.gif


This post has been edited by wodenus: May 22 2012, 07:52 PM
gaeria84
post May 22 2012, 09:57 PM

Enthusiast
*****
Senior Member
837 posts

Joined: Mar 2005
Very typical of Blizzard, now you know why a lot of people quit WoW tongue.gif
Hornet
post May 22 2012, 10:13 PM

What?
*******
Senior Member
4,251 posts

Joined: Jan 2003
From: Malacca, Malaysia, Earth


QUOTE(wodenus @ May 22 2012, 07:52 PM)
They would have stolen that too with a keylogger smile.gif
*
The problem now might not be related to keylogger, but rather, more like piggybacking into your account when you're online. They are not stealing any password or anything.

And in Maplestory, the personal pin can only be key in using graphical keyboard where you click on each character to input. Keyloggers therefore cannot capture it as there's no keystroke to be captured.

Its a very good system.

This post has been edited by Hornet: May 22 2012, 10:14 PM
C-Fu
post May 23 2012, 03:45 AM

Ninja-Fu
******
Senior Member
1,051 posts

Joined: Apr 2005
From: Brisbane, QLD, Ostolia



well Bashiok from Blizzard just pretty much confirmed it.


http://us.battle.net/d3/en/forum/topic/514...846?page=32#633

QUOTE
QUOTE
Posted by MielTicket
It was Wayyyy too many at once and at the same time. It seems the attack was very orchestrated



It seems to me like it's the most logical way to go about it. Build up a list of accounts and passwords, and then hit them in a rapid succession before word can spread and people can change their passwords, add an authenticator, etc.

mr11
post May 23 2012, 03:54 AM

Regular
******
Senior Member
1,017 posts

Joined: Jun 2010
Btw now is ok ...since my account doesn haven any rare items ...just enjoy the game
VinluV
post May 23 2012, 03:56 AM

Regular
******
Senior Member
1,947 posts

Joined: Nov 2005
i replicated the session hijacking theory, and yeap doable without authenticator. but needs some work.
careful guys.

This post has been edited by VinluV: May 23 2012, 03:57 AM
I<3LYN
post May 23 2012, 05:17 AM

On my way
****
Senior Member
614 posts

Joined: Sep 2009


QUOTE(VinluV @ May 23 2012, 03:56 AM)
i replicated the session hijacking theory, and yeap doable without authenticator. but needs some work.
careful guys.
*
really? show us pictures of guys that you hacked... or it didn't happen tongue.gif
d33pbluez
post May 23 2012, 08:51 AM

On my way
****
Senior Member
559 posts

Joined: Mar 2005



Soon it going to be another WoW ...where alot will start quitting due the server security...Thanks blizzard for shorten the game life of diablo for 10 years to 5 years rclxms.gif

This post has been edited by d33pbluez: May 23 2012, 08:56 AM
fubs
post May 23 2012, 10:12 AM

Getting Started
**
Junior Member
201 posts

Joined: Aug 2009
guys, for those who are having trouble with "Invalid Serial" when trying to add the mobile authenticator; try turning off your B.Net SMS notification first.

Worked for me.
khelben
post May 23 2012, 10:18 AM

I love my mum & dad
*******
Senior Member
6,056 posts

Joined: Jan 2003
From: Suldanessellar



QUOTE(gaeria84 @ May 22 2012, 09:57 PM)
Very typical of Blizzard, now you know why a lot of people quit WoW  tongue.gif
*
A lot of people quit WoW because that game is 8 years old la laugh.gif
SweetPuff
post May 23 2012, 10:26 AM

Look at all my stars!!
*******
Senior Member
2,021 posts

Joined: Jan 2003


At least, with LYN members only D3 friends, I always know that I'm within driving distance to punch someone in the face if one of them tries with hack.
Eiensakura
post May 23 2012, 10:30 AM

Getting Started
**
Junior Member
189 posts

Joined: Aug 2008
never the one to play with strangers, hated pugs in WoW, will continue to hate them in D3
gaeria84
post May 23 2012, 10:32 AM

Enthusiast
*****
Senior Member
837 posts

Joined: Mar 2005
QUOTE(khelben @ May 23 2012, 10:18 AM)
A lot of people quit WoW because that game is 8 years old la laugh.gif
*
No doubt, but there were a lot of factors that contributed to WoW's decline

- Game going in the wrong direction - lots of recycled content, game being trivialized
- Long downtimes
- Bad customer service


VinluV
post May 23 2012, 11:54 AM

Regular
******
Senior Member
1,947 posts

Joined: Nov 2005
QUOTE(I<3LYN @ May 23 2012, 05:17 AM)
really? show us pictures of guys that you hacked... or it didn't happen  tongue.gif
*
didn't hack anyone as its complex for automation, i just tested with a friend for over an hour.
you just need to replace some of your session particulars with another person, and for a short time you'll be in control of the other party, then you get errors.

My suspicions are the same as Bashiok, this was well coordinated, and the guys targeted people from the start. Collected the passwords and details. Then they did the "hack at once.
farkinid
post May 23 2012, 12:01 PM

Enthusiast
*****
Senior Member
997 posts

Joined: Feb 2007


QUOTE(VinluV @ May 23 2012, 11:54 AM)
didn't hack anyone as its complex for automation, i just tested with a friend for over an hour.
you just need to replace some of your session particulars with another person, and for a short time you'll be in control of the other party, then you get errors.

My suspicions are the same as Bashiok, this was well coordinated, and the guys targeted people from the start. Collected the passwords and details. Then they did the "hack at once.
*
I still don't understand why the game server would pass your session token to other members in the group and vice versa. I haven't done any testing but a wireshark or tcpdump file would interest me very much.
I<3LYN
post May 23 2012, 12:29 PM

On my way
****
Senior Member
614 posts

Joined: Sep 2009


QUOTE(VinluV @ May 23 2012, 11:54 AM)
didn't hack anyone as its complex for automation, i just tested with a friend for over an hour.
you just need to replace some of your session particulars with another person, and for a short time you'll be in control of the other party, then you get errors.

My suspicions are the same as Bashiok, this was well coordinated, and the guys targeted people from the start. Collected the passwords and details. Then they did the "hack at once.
*
record a video... expose blizzard blaming technique....
now blizzard kept blaming the players.
polarzbearz
post May 23 2012, 12:32 PM

Gracie
*******
Senior Member
4,816 posts

Joined: Apr 2007


QUOTE(VinluV @ May 23 2012, 11:54 AM)
didn't hack anyone as its complex for automation, i just tested with a friend for over an hour.
you just need to replace some of your session particulars with another person, and for a short time you'll be in control of the other party, then you get errors.

My suspicions are the same as Bashiok, this was well coordinated, and the guys targeted people from the start. Collected the passwords and details. Then they did the "hack at once.
*
QUOTE(I<3LYN @ May 23 2012, 12:29 PM)
record a video... expose blizzard blaming technique....
now blizzard kept  blaming the players.
*
^ +1 to this. The way blizzard posts the formal announcement is like, blaming players for not being careful/secured enough; and mentions nothing about the exploits.
I<3LYN
post May 23 2012, 12:32 PM

On my way
****
Senior Member
614 posts

Joined: Sep 2009


QUOTE(farkinid @ May 23 2012, 12:01 PM)
I still don't understand why the game server would pass your session token to other members in the group and vice versa. I haven't done any testing but a wireshark or tcpdump file would interest me very much.
*
i am going to try to replicate the exploit as well. doh.gif
ZeratoS
post May 23 2012, 01:57 PM

Oh you.
******
Senior Member
1,044 posts

Joined: Dec 2008
From: 127.0.0.1


http://www.youtube.com/watch?v=8iQoOMJ9n8k

For you.
Deimos Tel`Arin
post May 23 2012, 02:00 PM

The LYN Kondom Man
*******
Senior Member
4,202 posts

Joined: Jan 2003
From: THE ONE AND ONLY CHOO CHOO TRAIN KINGDOM




QUOTE(polarzbearz @ May 23 2012, 12:32 PM)
^ +1 to this. The way blizzard posts the formal announcement is like, blaming players for not being careful/secured enough; and mentions nothing about the exploits.
*
very irresponsible.

it is battle.net server not secured. not the players.
polarzbearz
post May 23 2012, 02:06 PM

Gracie
*******
Senior Member
4,816 posts

Joined: Apr 2007


QUOTE(Deimos Tel`Arin @ May 23 2012, 02:00 PM)
very irresponsible.

it is battle.net server not secured. not the players.
*
True. But I'm not surprised, that's how most of the business organisations AND the government works... play "Tai-chi" (push the blame to end users/citizen/anyone else than themselves)

Sigh, only hope Blizzard will fix this as soon as possible, doesn't matter if they don't want to admit their mistakes.. just fix it before my final exam is over laugh.gif

This post has been edited by polarzbearz: May 23 2012, 02:07 PM
Deimos Tel`Arin
post May 23 2012, 02:10 PM

The LYN Kondom Man
*******
Senior Member
4,202 posts

Joined: Jan 2003
From: THE ONE AND ONLY CHOO CHOO TRAIN KINGDOM




QUOTE(polarzbearz @ May 23 2012, 02:06 PM)
True. But I'm not surprised, that's how most of the business organisations AND the government works... play "Tai-chi" (push the blame to end users/citizen/anyone else than themselves)

Sigh, only hope Blizzard will fix this as soon as possible, doesn't matter if they don't want to admit their mistakes.. just fix it before my final exam is over laugh.gif
*
aye. at least valve admitted.
takkicom
post May 23 2012, 02:20 PM

Casual
***
Junior Member
422 posts

Joined: Sep 2008
QUOTE(Deimos Tel`Arin @ May 23 2012, 02:10 PM)
aye. at least valve admitted.
*
since WOW has this problem, if i give hack i quit, that it
argue they dont give help hand
VinluV
post May 23 2012, 03:43 PM

Regular
******
Senior Member
1,947 posts

Joined: Nov 2005
QUOTE(farkinid @ May 23 2012, 12:01 PM)
I still don't understand why the game server would pass your session token to other members in the group and vice versa. I haven't done any testing but a wireshark or tcpdump file would interest me very much.
*
here's the setup tho a very very simplified one.

2 pc in the same network. By network I mean me and mate using my router.
No opendns, No dns crypt, No authenticator used, firewall and my IPS turned off.
after trading and dropping items left and right for about half an hour and monitoring packets with tcpdump,
i just copied some token values from my friend to my packets (a certain open source scarab javascript packet interceptor i bet you know was used whistling.gif )

For a few seconds, i got him off his account. Then I got the i got kicked of battle net error.

what i can suspect is that my token and session weren't matching the ones on battlenet so i got kicked off, as the next few packets sent from me was using my original values, instead of the "malformed" packet.

Its doable but based on my setup its quite a below basic one, its still a long way for me.
Will try to pass u a dump with better values if i can get some sort of poc.

edit: wouldn't be surprised if chinese have pwned bnet

This post has been edited by VinluV: May 23 2012, 03:45 PM
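
Added example, not part of any post in this thread and not Blizzard's code or protocol: a session id that works as a credential on its own, next to a server that binds each request to a per-login secret key and a sequence number. The `GameServer` class, account names and payloads are hypothetical and constructed for illustration, and the key is assumed to reach the client over an encrypted login channel.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, session_id: str, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA256 over fixed-width id and counter, so the encoding is unambiguous."""
    msg = session_id.encode() + seq.to_bytes(8, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


class GameServer:
    """Hypothetical session server, constructed for this example."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"account", "key", "next_seq"}

    def login(self, account: str):
        # Password/authenticator checks are omitted. The session id may be
        # visible to others; the key is returned only to the client logging in.
        session_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self.sessions[session_id] = {"account": account, "key": key, "next_seq": 0}
        return session_id, key

    def handle_weak(self, session_id: str, payload: bytes) -> str:
        # Weak design: whoever presents a known session id acts as that account.
        s = self.sessions.get(session_id)
        if s is None:
            return "reject: unknown session"
        return "ok: " + s["account"]

    def handle_bound(self, session_id: str, seq: int, payload: bytes, tag: bytes) -> str:
        # Hardened design: the id only selects the session; the request must
        # also carry a MAC made with that session's key and the next counter.
        s = self.sessions.get(session_id)
        if s is None:
            return "reject: unknown session"
        expected = mac(s["key"], session_id, seq, payload)
        if not hmac.compare_digest(expected, tag):
            return "reject: bad mac"
        if seq != s["next_seq"]:
            return "reject: replayed or out-of-order"
        s["next_seq"] += 1
        return "ok: " + s["account"]


def demo():
    server = GameServer()
    sid_a, key_a = server.login("player_a")   # constructed account names
    _, key_b = server.login("player_b")
    results = {}

    # player_b knows player_a's session id but not player_a's key.
    results["weak_id_only"] = server.handle_weak(sid_a, b"action")
    forged = mac(key_b, sid_a, 0, b"action")
    results["bound_forged"] = server.handle_bound(sid_a, 0, b"action", forged)

    # player_a's own request is accepted once; the same bytes sent again are not.
    legit = mac(key_a, sid_a, 0, b"move")
    results["bound_legit"] = server.handle_bound(sid_a, 0, b"move", legit)
    results["bound_replay"] = server.handle_bound(sid_a, 0, b"move", legit)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```
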
farkinid
post May 23 2012, 03:58 PM

Enthusiast
*****
Senior Member
997 posts

Joined: Feb 2007


QUOTE(VinluV @ May 23 2012, 03:43 PM)
here's the setup tho a very very simplified one.

2 pc in the same network. By network I mean me and mate using my router.
No opendns, No dns crypt, No authenticator used, firewall and my IPS turned off.
after trading and dropping items left and right for about half an hour and monitoring packets with tcpdump,
i just copied some token values from my friend to my packets (a certain open source scarab javascript packet interceptor i bet you know was used whistling.gif )

For a few seconds, i got him off his account. Then I got the i got kicked of battle net error.

what i can suspect is that my token and session weren't matching the ones on battlenet so i got kicked off, as the next few packets sent from me was using my original values, instead of the "malformed" packet.

Its doable but based on my setup its quite a below basic one, its still a long way for me.
Will try to pass u a dump with better values if i can get some sort of poc.

edit: wouldn't be surprised if chinese have pwned bnet
*
Hmm interesting.

If you have any interesting dumps, please send them my way. But I still don't understand Bliz's need to allow user machines to communicate with each other. I thought all the heavy lifting was done on the servers and the result was sent to the user machines.

Unless somebody has a way to parse token data and reconstruct login values, then this may not work. Still it does sound possible.
neoengsheng
post May 23 2012, 04:01 PM

Getting Started
**
Junior Member
261 posts

Joined: Jul 2009
QUOTE(VinluV @ May 23 2012, 03:43 PM)
here's the setup tho a very very simplified one.

2 pc in the same network. By network I mean me and mate using my router.
No opendns, No dns crypt, No authenticator used, firewall and my IPS turned off.
after trading and dropping items left and right for about half an hour and monitoring packets with tcpdump,
i just copied some token values from my friend to my packets (a certain open source scarab javascript packet interceptor i bet you know was used whistling.gif )

For a few seconds, i got him off his account. Then I got the i got kicked of battle net error.

what i can suspect is that my token and session weren't matching the ones on battlenet so i got kicked off, as the next few packets sent from me was using my original values, instead of the "malformed" packet.

Its doable but based on my setup its quite a below basic one, its still a long way for me.
Will try to pass u a dump with better values if i can get some sort of poc.

edit: wouldn't be surprised if chinese have pwned bnet
*
What you described is the typical man in the middle attack where a hacker sits somewhere inside the same network as you are and use packet sniffer to sniff out the packets you send and receive to Blizzard server.

This is almost undoable on the open internet.

I have been reading the Diablo 3 official forum and really tempted to try to replicate or some how prove Blizzard is covering up and downplay the whole issue while at the same time keep blaming the users for hacking. This is even worse when combined with fanboys on the forum insulting and accusing people of lying about getting hacked with an authenticator.
VinluV
post May 23 2012, 04:04 PM

Regular
******
Senior Member
1,947 posts

Joined: Nov 2005
QUOTE(farkinid @ May 23 2012, 03:58 PM)
Hmm interesting.

If you have any interesting dumps, please send them my way. But I still don't understand Bliz's need to allow user machines to communicate with each other. I thought all the heavy lifting was done on the servers and the result was sent to the user machines.

Unless somebody has a way to parse token data and reconstruct login values, then this may not work.  Still it does sound possible.
*
probably due to heavy loads on the server.
Wouldn't be surprised that companies would choose the easy and less secure way out of a problem.
I've not played wow but some guys on my d3 public games told me you can use wow hacks on d3. Unproven as i don't play wow or have any knowledge of it.
If u know any hitb/hackerspace fellows, they may have doxed it as well.

edit: just thought of the whisper and message function, not sure if can directly ping user ip/id from whispering. Any thoughts?
I<3LYN
post May 23 2012, 04:09 PM

On my way
****
Senior Member
614 posts

Joined: Sep 2009


QUOTE(VinluV @ May 23 2012, 04:04 PM)
probably due to heavy loads on the server.
Wouldn't be surprised that companies would choose the easy and less secure way out of a problem.
I've not played wow but some guys on my d3 public games told me you can use wow hacks on d3. Unproven as i don't play wow or have any knowledge of it.
If u know any hitb/hackerspace fellows, they may have doxed it as well.

edit: just thought of the whisper and message function, not sure if can directly ping user ip/id from whispering. Any thoughts?
*
with my understanding of the battle.net 1.0 protocol.. nope you cant get any network info by whispering/messaging a player.

not really sure about battle.net 2.0 though.
charlieoscardelta
post May 23 2012, 04:17 PM

Getting Started
**
Junior Member
56 posts

Joined: May 2007
QUOTE(TiF @ May 22 2012, 06:15 PM)
lol, so much for 'always online anti cheat' bla bla
*
they never said it was for social anticheat - it's anti-piracy.
VinluV
post May 23 2012, 04:47 PM

Regular
******
Senior Member
1,947 posts

Joined: Nov 2005
QUOTE(neoengsheng @ May 23 2012, 04:01 PM)
What you described is the typical man in the middle attack where a hacker sits somewhere inside the same network as you are and use packet sniffer to sniff out the packets you send and receive to Blizzard server.

This is almost undoable on the open internet.

I have been reading the Diablo 3 official forum and really tempted to try to replicate or some how prove Blizzard is covering up and downplay the whole issue while at the same time keep blaming the users for hacking. This is even worse when combined with fanboys on the forum insulting and accusing people of lying about getting hacked with an authenticator.
*
The MITM is very highly dependent on where the hacker location is as well.
Has to be close to Bnet server or piggybacking tmnut in order to capture a proper dump.

edit: just informed that there is a new type of boy/man in the browser attack as well.

This post has been edited by VinluV: May 23 2012, 04:52 PM

 
