Phatose on 4/6/2012 at 14:58
Because cross site scripting cookie theft exploits don't exist? And certainly there are no technical exploits possible, so we should always start out by assuming the end user is an idiot?
At any rate, I don't know how I got looted - and neither do you. Maybe I screwed something up. Maybe all the people reporting hacks on this game everywhere screwed up. Certainly possible. Also very possible Blizzard fucked up.
The Alchemist on 4/6/2012 at 21:15
Quote Posted by Phatose
Because cross site scripting cookie theft exploits don't exist? And certainly there are no technical exploits possible ...
Listen, I'm not trying to belittle you, I'm just saying that what you've described here is still a user problem. I'm sorry you got hacked, seriously, I'm even willing to give you gold in game or save gear that might be of use to you if you wish, but it's just that every time there's a big MMO people always think that the MMO makers are getting hacked, and it's rubbish. If Blizzard's databases were literally hacked, they'd have everybody's password. Everybody. If you use an Authenticator like my friend does (I don't, because I know how to fucking use a computer and not go to suspicious sites that run malignant scripts that might try and access some cookies, plus my browser is pretty good at identifying these and telling me I'm an idiot for clicking on the link.) you can't even get online without confirming it from your cellphone. I don't know why I'm the dude defending Blizzard, I don't have any particular hard on for them. I don't like Starcraft, I never played WoW. I have however always been a fan of the Diablo franchise. It just seems as though lately I'm the only person that has anything good to say about -anything- on these forums. Every single thread is piled up with people wailing on this or that. It's just become a general culture of discontent and I can't help but feel like we're a bunch of grumpy old men complaining about how shit was better back in our day. When this community started, we all talked about games we liked. We weren't here just to shit on every new game. That was a long fucking time ago, and I've been here since the beginning. A tragically small percent of those people still come around here. Now what we have left is a very critical, vocal group of people who apparently don't enjoy a damn thing, but do however love to talk about how shitty X and Y are. You might ask why I give a shit considering, but the thing is, the reason WHY I come to TTLG still is to talk to other like-minded individuals about things I'm enjoying.
I'm too old to sit on a forum and rant about how this or that DRM is putting my panties in a twist. If I don't like it I just don't apply myself to it. People act as if gaming is some sort of right, I guess it's a sign of the days, where some downtime makes people want a refund. Seriously? Okay. Take your refund cause you can't get on today. The look on your face three months from now when I'm still playing this and you're still online complaining about it. I just don't get it. I don't like to see this place turn into that sort of community. We're becoming some sort of NMA. I shit you not. It seems whenever there's a thread about anything, there is way more time spent talking about how shit it is than anything else.
I think the best advice for me is to do with this forum as I do with the games I don't like. Ignore them. It doesn't really -affect- me. Why do I bother to take the time on the subject? Why do I care if you don't like something, am I trying to convince you otherwise? How do I profit from changing your mind? I guess it would be nice if I could share something I enjoy with you guys, but fuck it. Keep on hating. I could be playing right now... in fact...
Al_B on 4/6/2012 at 21:59
Quote Posted by The Alchemist
it's just that every time there's a big MMO people always think that the MMO makers are getting hacked, and it's rubbish. If Blizzard's databases were literally hacked, they'd have everybody's password. Everybody.
Quite possibly true - but I'm sure you'll also accept that if there's an XSS hole then it could be a mechanism that's affected a lot of people innocently. I'm glad you've not been affected by it, but a quick glance over the D3 forums suggests that it might be something that Blizzard could have done more to help stop with the default installation. (Authenticators are good - but if they're really the only way to prevent attacks they should be mandatory, not an optional extra).
Quote Posted by The Alchemist
It just seems as though lately I'm the only person that has anything good to say about -anything- on these forums. Every single thread is piled up with people wailing on this or that. It's just become a general culture of discontent and I can't help but feel like we're a bunch of grumpy old men complaining about how shit was better back in our day.
Perhaps I've just got my rose-tinted glasses on, but I don't see every thread filled with hate and bile. There's definitely a fair amount of posts criticising things that people don't like, but if you go through the last dozen threads you'll see as much support for recent games as you do attacking them. Just enjoy the discussions and it's always good to hear about games that people care about.
Phatose on 4/6/2012 at 22:31
No, I don't think Blizzard has had an account breach of the 'steal the master list' kind. If there's blame on Blizzard's part - and I'll be nothing short of astounded if there isn't - it's an exploitable weakness somewhere in the back end.
And you'll have to excuse me if I'm very displeased with them right now - Blizzard support, in no uncertain terms, sucks donkey ass. File a ticket, they say "We'll send you an email with an approximate timeline" - and that email never showed up. 24 hours later, still nothing. Call their support number - and it says "We're having technical difficulties, please call back later" and hangs up.
Yeah, being hacked has sucked, but seeing how bad support actually is has been far worse.
Kuuso on 4/6/2012 at 23:34
There was definitely some pretty serious "hacking" going on, since my friend lost his account as well. These hackers apparently got your login information as you logged off somehow, 40 000 accounts got compromised in one night. Blizz fixed it, but it reversed them 3 days earlier. My friend is now playing a lvl 16 character instead of 50.
The Alchemist on 4/6/2012 at 23:48
There has been word of a "Session ID" hijack when you join a public game. Basically people running ngrep or wireshark and logging all the packets during a multiplayer game, receiving a plaintext (supposedly) id that can be used to authenticate as a different character. Blizzard has publicly said that this wasn't true so I don't know, I haven't cared enough to look at the packets to see for myself, I don't join public games with strangers, I only play with my friends list, so I don't know. I won't completely rule that out as a possibility, and if true, then yes, bigtime fail.
Anywho, until Blizzard patches this (if they haven't already) don't join a game sent to you by a stranger. That seems to be the hook right there. It's possible it can happen on public servers as well, but they are distributed, and falling on the one instance that has some guy grepping for session IDs in packets isn't that likely. Still pretty fail though. I'm going to attempt to get the session ID myself to see if it's still vulnerable to this... will report back shortly.
Edit: Removed my findings, no one should benefit from this info.
Epos Nix on 7/6/2012 at 12:39
It's pretty obvious that Blizzard has some serious security concerns lately. Why, then, are their passwords NOT case-sensitive?? Isn't that the number one rule when creating a password, right along with using numbers? And as if that weren't bad enough, Diablo 3 doesn't currently have a lockout feature for incorrect login attempts.
And Blizzard doesn't see this as an issue. When I mentioned this on their forums, the response I got back just stated that things are working as intended. Apparently passwords have never been case sensitive, even on WoW.
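As an added illustration of the two points Epos Nix raises (case-insensitive passwords and no lockout on failed logins), here is a small login handler that does both things the other way: it stores salted PBKDF2 hashes and compares them case-sensitively, and it locks an account after repeated failures inside a time window. This is example code written for this thread, not Blizzard's code; the usernames, the five-failure threshold, the fifteen-minute window and the iteration count are all assumed values chosen for the demonstration. The `fold_case` switch exists only to show what a case-insensitive scheme gives up.

```python
import hashlib
import hmac
import os
import time

# Assumed policy values for the example (not from the thread).
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


class AccountStore:
    """In-memory account store with per-account lockout (constructed example)."""

    def __init__(self, fold_case=False):
        # fold_case=True reproduces the case-insensitive behaviour complained
        # about above: every mix of upper/lower case maps to one stored value.
        self.fold_case = fold_case
        self._accounts = {}      # username -> (salt, digest)
        self._failures = {}      # username -> timestamps of recent failures
        self._locked_until = {}  # username -> unix time the lockout ends

    def _prepare(self, password):
        return password.lower() if self.fold_case else password

    def register(self, username, password):
        self._accounts[username] = hash_password(self._prepare(password))

    def login(self, username, password, now=None):
        """Return 'ok', 'denied' or 'locked'."""
        now = time.time() if now is None else now
        if self._locked_until.get(username, 0) > now:
            return "locked"
        record = self._accounts.get(username)
        if record is None:
            # Hash anyway so unknown users take as long as wrong passwords.
            hash_password(self._prepare(password))
            self._note_failure(username, now)
            return "denied"
        salt, stored = record
        _, candidate = hash_password(self._prepare(password), salt)
        if hmac.compare_digest(candidate, stored):
            self._failures.pop(username, None)   # success clears the counter
            return "ok"
        self._note_failure(username, now)
        return "locked" if self._locked_until.get(username, 0) > now else "denied"

    def _note_failure(self, username, now):
        # Keep only failures inside the window, then add this one.
        recent = [t for t in self._failures.get(username, [])
                  if now - t < LOCKOUT_SECONDS]
        recent.append(now)
        self._failures[username] = recent
        if len(recent) >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS


if __name__ == "__main__":
    store = AccountStore()
    store.register("demo_user", "Trove7!x")         # constructed credentials
    print(store.login("demo_user", "trove7!x"))     # denied: case matters
    folded = AccountStore(fold_case=True)
    folded.register("demo_user", "Trove7!x")
    print(folded.login("demo_user", "trove7!x"))    # ok: case-folded store
```

With the case-sensitive store, `Trove7!x` and `trove7!x` are different passwords and the fifth wrong guess inside the window locks the account until the window expires; the case-folded store accepts either spelling, which is exactly the keyspace reduction the post objects to.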
Phatose on 7/6/2012 at 13:45
Yeah, it's pretty sad.
3 days later I've finally gotten my account back. Didn't actually lose anything, and attached an authenticator. Kind of ridiculous if you ask me, but didn't enjoy being hacked, so what choice do I have?
Got blacksmith design for Ashera's set. If the damn Increase Attack Speed on boots actually worked, it would be worth a fortune. But IAS is gonna get nerfed in the next patch....so meh. Still stockpiling them, just in case.
Pyrian on 7/6/2012 at 15:16
Quote Posted by Epos Nix
Why, then, are their passwords NOT case-sensitive?? Isn't that the number one rule when creating a password, right along with using numbers?
We were discussing password standards at work with a developer consultant making a customer portal for us. When we mentioned that our company standard included a capital (sort of), he pointed out that requiring a capital just makes people capitalize the first letter, leading to virtually no increase in the difficulty of hacking the password.
DDL on 7/6/2012 at 15:21
Ditto for numbers, really: if joe normal has a password of "mypassword", then telling him to include numbers and capitals simply makes it "Mypassword1".
And good ol' "your password has expired, you must change it!" leads to ...Mypassword2
Really they should just be advocating stupidly long passwords, which would at least reduce bruteforce approaches.
..though admittedly this would probably just produce Myreallyreallyreallylongpassword1
:erg:
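To make Pyrian's and DDL's point concrete, here is an added example (not from the thread) of a password check that looks past the cosmetic changes people make to satisfy complexity rules: it lowercases, undoes common digit-for-letter swaps, strips the trailing "1" or "!", collapses repeated chunks like "reallyreallyreally", and then compares what is left against a blocklist and against the user's previous password. The word list, the 14-character minimum and the leet map are assumptions for the demonstration.

```python
import re

# Constructed blocklist for the example; a real deployment would use a
# breached-password list rather than five words.
COMMON_WORDS = {"password", "mypassword", "letmein", "diablo", "qwerty"}

# Assumed substitutions: the usual ways a letter gets "disguised".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password):
    """Reduce a password to the part a guesser would actually have to find."""
    core = password.strip().lower()
    core = re.sub(r"[^a-z0-9@$]+$", "", core)   # drop trailing "!", "!!", ...
    core = re.sub(r"^[^a-z@$]+", "", core)      # drop leading digits/punctuation
    core = re.sub(r"[0-9]+$", "", core)         # drop the appended "1", "2012", ...
    core = core.translate(LEET)                 # p@ssw0rd -> password
    # "reallyreallyreally" -> "really": repeated chunks add length, not guesses
    core = re.sub(r"(.{2,}?)\1+", r"\1", core)
    return core


def is_common(core):
    """True if the core is a listed word or a listed word plus a few characters."""
    return any(word in core and len(core) - len(word) <= 4 for word in COMMON_WORDS)


def check_password(candidate, previous=None, min_length=14):
    """Return the list of reasons the candidate is rejected; empty means accepted."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    core = normalize(candidate)
    if is_common(core):
        reasons.append("a common password dressed up with capitals/digits")
    if previous is not None and normalize(previous) == core:
        reasons.append("only cosmetically different from the previous password")
    return reasons


if __name__ == "__main__":
    # The examples from the posts above, run through the check.
    for new, old in [("Mypassword1", "mypassword"),
                     ("Mypassword2", "Mypassword1"),
                     ("Myreallyreallyreallylongpassword1", None)]:
        print(new, "->", normalize(new), check_password(new, old) or "accepted")
```

"Mypassword1" and "Mypassword2" collapse to the same core as "mypassword" and fail on all three counts, which is why a capital-plus-digit rule buys so little; the joke password at the end survives the dictionary check purely on length, which is DDL's point: once the decoration is stripped off, length is what is left.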