D3 allegedly hacked with an exploit

05-29-2012 , 04:01 AM
Quote:
Originally Posted by Karak
i don't understand the tech side of all that, but is it possible they have just figured out what the session keys look like and are randomly trying session keys constantly to try to hijack accounts? that is they aren't targeting specific accounts but just trying to hijack the session of whoever randomly gets on?

it really depends on how Blizzard's software engineers decided to handle sessions, anything is possible and any oversight is possible including the one you just described

I'm not a software engineer but I deal with session keys in web development and the principles are probably the same

a session key is basically an identifier that gets placed on the client's computer, in web development usually in the form of a cookie, that stores session information (items in a cart for example) as well as permissions levels
05-29-2012 , 04:03 AM
there was a lot of sloppy coding and oversight in starcraft 2 that still exists 2 years later. exploits and map hacks run wild, but that has more to do with the fact that all game information is stored on the clientside (including info about your opponent).

still, i'm amazed at some of the bugs, exploits and overlooked features which have overrun battle.net 0.2 (as many like to call it) w/ regards to sc2.
05-29-2012 , 04:07 AM
the Diablo franchise has always been a hacker's wet dream honestly

every player can create their own instance of the game world and have total autonomy, bot to your heart's content

wrt session keys and session hijacking, I can tell you the design of Diablo definitely poses some very unique challenges in that area

players are constantly leaving games and joining games and creating games and leaving games and joining games, I can't imagine any other game that has to create and validate more session IDs on the fly than Diablo 3, if a game was going to have a session hijacking exploit I can't think of one more obvious and fitting than D3
05-29-2012 , 04:26 AM
here's a report of a phishing campaign with good grammar and a spoofed email that's been making the rounds, any chance you fell for this one?

http://us.battle.net/d3/en/forum/topic/5271602204
05-29-2012 , 04:27 AM
no i would never fall for anything like that.
05-29-2012 , 04:40 AM
here's a more clear video of what I was describing earlier:

http://www.youtube.com/watch?v=sxVM06owyuk

if you watch the movement of characters that are logging into this game and dumping all their gold to Gige, you'll notice some very unusual things about the character movement

the characters are occasionally running sideways, and rotating sharply, to me this means the player movement is not being entered into a game client organically like with a mouse and keyboard

this movement is being entered by a script, in other words this entire process is being automated
05-29-2012 , 04:50 AM
so one hacker's computer could be stripping hundreds or thousands of accounts daily hands-free

which isn't surprising because it'd have to be happening hands-free to really be worthwhile, considering the per-account average is probably less than 100k with all the sub-60s that are getting stripped

I've also heard reports of people logging into their accounts and finding their items stripped but with 8-figure sums of gold to their name, which to me means they're using hacked accounts to move the gold around even in large numbers before finding some way to launder it

probably find some account that seems dormant, let their scripts strip and dump gold onto it for 48 hours or whatever, and then come in and launder the gold in one big chunk

it wouldn't be hard with the AH, just use the gold to buy some items, transfer the items, relist the items, buy the items, transfer the items, just create a bunch of paper trail confusion, Blizzard can't keep track of all that and it wouldn't be worth their time to try anyway
05-29-2012 , 05:31 AM
Is it even possible to make your character run sideways in D3?

I have become determined to be hacked. I'm wondering the best way to go about it. I have an authenticator, and I plan on setting it to "require auth for every login" before I do this, just so blizz can't say "Well, if you would have required it for every login..."

So, what should I do? I wish we knew how long the people getting hacked were on every day. I figure I could just leave myself logged into a game or something?

Maybe the hackers can see what act/difficulty people are playing and target them somehow to hope for better loots?
05-29-2012 , 05:41 AM
people are getting hacked without ever playing multiplayer, so honestly Karak's suggestion that maybe they're just brute forcing session identifiers and stripping whatever characters they grab seems the most plausible to me

but gosh I don't know, it's happening after people have already logged off too. that could only be a session hijack (or whatever method Diablo 3 uses to identify players and set their permissions levels, they might not technically be sessions) if there's a bug that causes the client to not properly terminate sessions

it's a really weird situation, I can't wait to get an answer, it's really fascinating

the way it's happening though I don't think there's any way for you to increase your odds of getting hacked, it seems to be happening randomly

here's a report though of somebody getting hacked even though they use a mobile authenticator:

http://www.reddit.com/r/Diablo/comme...ability_to_do/

Blizzard is censoring anybody who talks about getting hacked even though they use an authenticator, but this report at least appears legitimate

his friend provides screenshots of his authenticator with time stamps, says he's in IT and had multiple WoW accounts (probably everyone using an authenticator is doing so because of WoW experience, so that adds credibility).

I guess they could have doctored everything and made it up, but it doesn't really look like it to me
05-29-2012 , 06:56 AM
+1 to hacked/compromised/whatever you want to call it, all items/gold/auctions gone

- no authenticator
- never played public games (and have only grouped with friends and friends of friends)
- had not partied up with anyone in the 48hrs prior to being hacked
- password 9 characters long, numbers and letters
- password not shared with any other accounts etc
05-29-2012 , 07:39 AM
The problem with session hijacking is that it's nearly impossible to do as long as the developer isn't a moron. Most session hijacking attacks on a website are a combination of being phished and the developer being a moron.

- Cross site scripting involves being phished (you give them your session ID).
- Someone reading your cookie file to get the session ID requires your computer to be compromised in some way.
- Session fixation attacks also involve being phished (you basically give them your session ID).

I can only assume that in addition to using a session ID on login it's going to refresh on various user actions (joining a new game, etc.). There's also likely going to be a unique identifier used in every packet that gets sent to/from the server which will be used together with your session ID to make sure you is really you. This will probably be your IP address.

So for someone to hijack your session they are likely going to need to guess not only a 32, 64, or 128 character hash (not sure on the size of the session ID for the game client) but they will also have to likely guess your IP address too.

Even if a packet sniffer were used while in the game to maybe expose your IP address it would require you to be in a game with an unknown user prior to being compromised. A lot of people (myself included) never joined a public game once.

The only way someone is getting your IP when you never joined a public game would be by exploiting a bug in the AH. That's the only area of the game other than public games where your account constantly talks to other accounts. Another possibility would be finding and abusing a bug in the web site that allows someone to link an e-mail address to an IP address.
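An added example, not part of the post above and not Blizzard's code: a minimal server-side session table showing the measures that post assumes (a random ID, a fresh ID on actions such as joining a game, a check against the client IP), plus idle expiry and invalidation on logout. The class name, the timeout value and the sample account and addresses are assumptions.

```python
import secrets
import time

SESSION_TTL = 15 * 60  # idle timeout in seconds (assumed value)


class SessionStore:
    """Toy in-memory session table (hypothetical design, for illustration)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._sessions = {}      # session ID -> {"account", "ip", "expires"}

    def login(self, account, ip):
        """Create a session and return its ID (128 bits from the OS CSPRNG)."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {
            "account": account,
            "ip": ip,
            "expires": self._now() + SESSION_TTL,
        }
        return sid

    def validate(self, sid, ip):
        """Return the account for a live session from the same IP, else None."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self._now() >= rec["expires"]:
            # Expired sessions are removed, not just ignored.
            del self._sessions[sid]
            return None
        if rec["ip"] != ip:
            # Right ID, wrong source address: reject the request.
            return None
        rec["expires"] = self._now() + SESSION_TTL  # sliding idle timeout
        return rec["account"]

    def rotate(self, sid, ip):
        """Swap the ID on a sensitive action; the old ID stops working."""
        account = self.validate(sid, ip)
        if account is None:
            return None
        del self._sessions[sid]
        return self.login(account, ip)

    def logout(self, sid):
        """Terminate the session server-side, whatever the client does."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("player1", "203.0.113.5")        # constructed sample data
    print(store.validate(sid, "203.0.113.5"))          # same IP
    print(store.validate(sid, "198.51.100.9"))         # different IP
    store.logout(sid)
    print(store.validate(sid, "203.0.113.5"))          # after logout
```
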
05-29-2012 , 07:54 AM
Quote:
Originally Posted by shuffling
people are getting hacked without ever playing multiplayer, so honestly Karak's suggestion that maybe they're just brute forcing session identifiers and stripping whatever characters they grab seems the most plausible to me

but gosh I don't know, it's happening after people have already logged off too. that could only be a session hijack (or whatever method Diablo 3 uses to identify players and set their permissions levels, they might not technically be sessions) if there's a bug that causes the client to not properly terminate sessions

it's a really weird situation, I can't wait to get an answer, it's really fascinating

the way it's happening though I don't think there's any way for you to increase your odds of getting hacked, it seems to be happening randomly

here's a report though of somebody getting hacked even though they use a mobile authenticator:

http://www.reddit.com/r/Diablo/comme...ability_to_do/

Blizzard is censoring anybody who talks about getting hacked even though they use an authenticator, but this report at least appears legitimate

his friend provides screenshots of his authenticator with time stamps, says he's in IT and had multiple WoW accounts (probably everyone using an authenticator is doing so because of WoW experience, so that adds credibility).

I guess they could have doctored everything and made it up, but it doesn't really look like it to me

I have no basis for this other than intuition but I feel like the hack might be exploiting the resume game feature. The only session logging that persists when people are not in game is the saved status of the quest they are on right?

OTOH, my evidence for password hacking is that I have like 20+ people on my friend's list (mostly WoW players so likely using authenticators) and I haven't heard any of them mention being hacked. While Blizz might be trying to cover up posts about players with authenticators being hacked, I'd still find it more likely the players are lying when they claim to have authenticators attached.

I mean if we took a poll from this forum, I'd be pretty shocked if anyone who didn't play WoW had an authenticator before news of players getting hacked and there are significantly more non-WoW players than WoW players who are playing D3. So it's very possible that all the players that have been targeted do not have authenticators.
05-29-2012 , 08:12 AM
In every single thread where someone said they used an authenticator and still got compromised a Blizzard guy posted that they were straight up lying and the original poster never posted again, or they used the dial in authenticator which is basically the same as using no authenticator.

The saved status of the quest is no different than a health potion being at the 1x1 point of your bag or your sword in your left hand, or anything else that involves persisting data on your character after you logout.

This is what's known as character state. It's the state of your character. It's completely separate from sessions.
05-29-2012 , 08:59 AM
Quote:
Originally Posted by aK13
I have no basis for this other than intuition but I feel like the hack might be exploiting the resume game feature. The only session logging that persists when people are not in game is the saved status of the quest they are on right?

OTOH, my evidence for password hacking is that I have like 20+ people on my friend's list (mostly WoW players so likely using authenticators) and I haven't heard any of them mention being hacked. While Blizz might be trying to cover up posts about players with authenticators being hacked, I'd still find it more likely the players are lying when they claim to have authenticators attached.

I mean if we took a poll from this forum, I'd be pretty shocked if anyone who didn't play WoW had an authenticator before news of players getting hacked and there are significantly more non-WoW players than WoW players who are playing D3. So it's very possible that all the players that have been targeted do not have authenticators.

that's definitely an interesting thought, it's all speculation though because we haven't seen the code (at least I haven't, and would barely be able to read it anyway). all these obvious flaws we're assuming it doesn't have, it could have

it could also have flaws that none of us can even wrap our head around, because of the flexible and high-intensity way D3 needs to deal with session identifiers, creating them for multiple player-generated instances hosted on the same server, sessions being unique to all these individually generated game instances all over the place, but at the same time granting permissions to communicate with multiple static services outside the game instances

it just seems like there are a thousand different ways to screw that up and leave a gaping security hole

I'd also like to know why people's WoW accounts aren't being compromised simultaneously with their D3 accounts, if the hackers really are obtaining login credentials like Blizzard says they are. WoW and D3 accounts are both tied to the same battle.net login in most cases, right?
05-29-2012 , 09:46 AM
Creating unique identifiers is not a problem. There are many algorithms out there that will give you enough uniqueness that the odds of duplication are basically 0%.

A popular one is UUID and it creates:
340,282,366,920,938,463,463,374,607,431,768,211,456 possible hex combinations.

Here's a fun quote from the wiki:
Quote:
only after generating 1 billion UUIDs every second for the next 100 years, the probability of creating just one duplicate would be about 50%. The probability of one duplicate would be about 50% if every person on earth owns 600 million UUIDs.

Even guessing one alone would be close to impossible.

There's really no magic when it comes to putting something as large as D3 together. Also there's only going to be 1 point of entry where your session gets validated on the game server.
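An added example, not part of the post above: the guessing scenario raised earlier in the thread (random guesses that succeed if they match any live session, not one chosen account), worked through for several ID sizes. The figures of 1,000,000 live sessions and 1,000,000 guesses per second are constructed assumptions, and the IDs are assumed to be uniformly random.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def hit_probability(id_bits, live_sessions, guesses):
    """Chance that at least one of `guesses` random guesses matches a live ID."""
    p_single = live_sessions / 2 ** id_bits
    # 1 - (1 - p)^g, written with log1p/expm1 so tiny p does not round to 0.
    return -math.expm1(guesses * math.log1p(-p_single))


def years_to_even_odds(id_bits, live_sessions, guesses_per_second):
    """Years of continuous guessing before the chance of any hit reaches 50%."""
    p_single = live_sessions / 2 ** id_bits
    guesses_needed = math.log(0.5) / math.log1p(-p_single)
    return guesses_needed / guesses_per_second / SECONDS_PER_YEAR


def compare(sizes, live_sessions=10**6, guesses_per_second=10**6):
    """Return (bits, years to 50% odds) for each ID size under the assumptions."""
    return [(bits, years_to_even_odds(bits, live_sessions, guesses_per_second))
            for bits in sizes]


if __name__ == "__main__":
    for bits, years in compare([32, 64, 128]):
        print(f"{bits:>3}-bit IDs: {years:.3g} years to a 50% chance of one hit")
```

Under these assumptions a 32-bit ID falls in well under a second and a 64-bit ID in a matter of months, while a 128-bit ID holds for on the order of 10^18 years; more live sessions or a faster guesser shrink every figure proportionally.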
05-29-2012 , 10:19 AM
after all this I find it sad that I don't dare enter the public game mode.
I'd love to play multiplayer but I got hacked once playing only solo and it seems public games increase the danger.
all voodoo talk obv...
05-29-2012 , 10:22 AM
They answered my ticket this morning saying they will restore my account as long as I install an authenticator, change my password and reply saying "I agree to have my account rolled back."

My original ticket claim noted in no uncertain terms that a) I had changed my password, b) I had installed an authenticator, and c) wanted my account rolled back.

Sigh. But at least they are doing it eventually.
05-29-2012 , 10:27 AM
Scary stuff. Sorry to hear about losing all your stuff Karak, hope it all comes back safely in the roll-back.

I guess I need to install an authenticator when I get home, I did pop in and out of some public games to snag some wp's the other day, I really hope public games isn't where all this is coming from. So much speculation out there, maybe today's update will shut it all down.
05-29-2012 , 10:49 AM
I wonder how many people who've been "hacked" are just dumping their stuff to a buddy. Seems like a pretty sweet way to double your items and gold.
05-29-2012 , 10:50 AM
i'm sure they have some sort of verification process before they simply deem an account hacked

they said as much in the reply to my ticket that they had conducted an investigation and determined affirmatively i had been hacked

if an account has been hacked, it should be plainly obvious looking at the behavior of the account, where the items/gold went and the IP addresses which accessed it.
05-29-2012 , 10:55 AM
Anyone that has read this thread and hasn't yet been hacked who still doesn't have an authenticator is not very bright.

$6.50 if you don't have a mobile device. I had a dongle for my WoW account, and now use the android app for D3.

Do it. DO IT NOW.
05-29-2012 , 10:55 AM
Quote:
Originally Posted by Karak
i'm sure they have some sort of verification process before they simply deem an account hacked

they said as much in the reply to my ticket that they had conducted an investigation and determined affirmatively i had been hacked

if an account has been hacked, it should be plainly obvious looking at the behavior of the account, where the items/gold went and the IP addresses which accessed it.

I have no clue whether it's widespread or whether Blizzard could easily catch people doing this, but I'm sure a few people have at least tried it.
05-29-2012 , 11:14 AM
I ended up ordering an authenticator (Starcraft version obv.) so I think I have to wait about 8-10 days? $6.50, free shipping.

My biggest fear right now is being wiped out, not only because of all of my stuff being gone, but because it would feel like an invasion of privacy in a way.

I actually changed my password twice yesterday just because after realizing/remembering that passwords were case-insensitive, it didn't make too much sense to have a password of random letters.

I think I read somewhere that passwords are actually more difficult to crack if they are a string of random words?

I don't know. I'm getting paranoid about all of this stuff now.
05-29-2012 , 11:33 AM
Random word passwords aren't more difficult to crack because they are random words. A dictionary (brute force) attack just cycles through a ton of words and combinations of letters, numbers and symbols.

The longer your password is, the harder it is to crack.

A password like "treejunkelephanthappy" is a lot better than "$dO9%hN". The second password looks way more complicated but it's only 7 characters long; the first password is 21 characters.

The difference in time to crack both passwords is in the billions of years.
05-29-2012 , 11:38 AM
Quote:
Originally Posted by Shoe Lace
The difference in time to crack both passwords is in the billions of years.

Without sounding like I haven't read anything in this thread, which I've read everything that was posted in the last day, wouldn't it be a lot more difficult to be hacked if you changed your password recently?

Let's say, for example, that you've been playing Starcraft 2 since its launch and have had the same password. One day you somehow get phished or exploited in some way and the hackers are sitting on your password waiting for D3.

If you've changed your password recently, or even multiple times, doesn't that basically improve your chances of not being hacked? -- This is assuming a password intrusion.

I'd be willing to change my password every day until I get my authenticator if that is the case.