Some very dim light in the gloom »« Wisconsin results: total recall

More on rumored session ID hijacking in Diablo III

 

I don’t think there is any significant session ID hacking in Diablo III and I’ll tell you why. A friend and I have been playing with an app called Wireshark (And a few less reputable tools) while we were hooked up to D3 — from several PCs and IPs mind you. It turns out Blizzard may not as stupid as some players speculate.

Wireshark is an application that parses network packets and displays the results for prying eyes to appreciate. It shows what’s called the header in the packets – for those of you in wet, bio-science think of it as on-off codons at the head of an active gene vs. a string of genetic nonsense. The session ID has to be in the packet header, but it doesn’t have to be displayed — in fact having it display would be a gigantic security breach. Ergo, for a session ID hijack to work, gold farmers would have to install an app similar to Wireshark on the target player’s PC which would deliver the packet header containing the session ID to the farmer. He would then use that info to make the session flow through his device or, in extreme theoretical cases, knock the player out and slip right in. In effect, the gold farmer would become the player. This would all have to happen while the player was still logged in and playing using that same session ID, so the hacking program would have to deliver that session data and the farmer would have to act on it in real time.

In our tests, we looked at parsed and unparsed packet data, we tried different tricks and even considered registry edits to make it appear. But try as we might, we could not get that number to appear in our data, period, full stop. If we can’t do it standing there at the keyboard with the box open fucking around with it for hours on end, it’s hard to see how someone operating from China or India could make it happen in real time without triggering every firewall and anti-virus alarm between your PC and Beijing.

I find it highly unlikely there is any session ID hijacking going on in Diablo III. My guess is wide spread reports of gold farming are coming from the same vulnerabilities they always come from, i.e., phishing emails, key loggers embedded in add-on updates, and people dumb enough to register an account to buy in-game currency using their same email and password they use for Battlenet. In particular, Diablo III has attracted players who used to play Blizzard’s top seller, World of Warcraft, and millions of console gamers who are not familiar with gold farming in general. For those who have read reports of accounts being hacked even though they have Blizzard authenticators on them — which is what set these rumors off in the first place — my guess would be they are either 1) mistaken that there was an active authenticator on the account at that time and they may have been thinking of the past, or 2) it was a dial in authenticator which is a whole different animal and much less secure.

Comments

  1. Gregory in Seattle says

    I really feel sorry for people who fall for phishing scams. I have gotten a lot of emails alleging to be from Blizzard — and, for that matter, from companies whose games I have never played. All I do is hover over the embedded link and look at the URL. Usually, the domain part looks something like “us.blizzard.net.phishing.scammers.ch”. No way am I going to click that. Presumably, the page that comes up looks vaguely like Blizzard’s login screen.

    The word I’ve gotten from Blizzard is: any email sent to you from the company is also available through your account page at Battle.Net. If you get anything — ANYTHING — that looks like it is genuine, go there and check. Even if it is legit, use the links on your Battle.Net message, not the one that came in on the email.

    It saddens me when people lose the gear and gold they’ve worked hard to get, but I don’t have much sympathy for them when they cannot be bothered to take even the most elementary steps to keep their accounts secure.

  2. leftwingfox says

    I’ve always prided myself on being smarter than the average phish and phisherman, but about 3 years back, one got me.

    It was a message from a friend I worked with, who was heavily into photography, to see his photographs on an MSN site. It was early in the morning, my brain wasn’t at full capacity, and I bit, entering my MSN password. About 15 seconds later I realized I’d been had. I had my account back under control within the hour, but in the meanwhile the automated system did manage to relog with my name and start spamming people in my Messenger friends list.

    I’m much less judgemental now about what people fall for, and am much more careful. MOST of the phishing attacks I get pretend to be from Blizzard.

  3. Nentuaby says

    “The session ID has to be in the packet header, but it doesn’t have to be displayed — in fact having it display would be a gigantic security breach.”

    I don’t understand what you mean by “display” here? It’s either in the packet header, or it’s not… Do you mean it’s in the header in some encrypted or hashed form?

  4. Nentuaby says

    Ahmmm… That really doesn’t mean much, then, does it? All Wireshark does is take a look at the raw packets and, for known protocols, pull out specific addresses (say, the 128th through 255th bits), and display those prettily. If you happen to know where another interesting bit of information lives in a previously unknown protocol, it’s just as easy to pull that out instead by writing a Wireshark extension that tells it where the fields of interest live.

    All it would take to track down the address of a previously unknown session ID field is comparing a whole lot of packets from a single session to see which bits never change, probably trying a couple hands-full of different candidate addresses that turns up. (You can do this with your own copy of the game, no cracking of anyone else needed at this stage.)

    It’s either there in the packet, there in an encrypted payload, or just not there.

  5. Nentuaby says

    Pardon my bluntness, but the tone of comment 8 reads as pretty condescending and that has got my blood up.

    Your post is on a very interesting topic, but it contains a number of technical inaccuracies and confusingly misapplied technical terms. At the very least it doesn’t convey its meaning to a fellow professional. After I tried a couple of probes to see whether the problems were just from conversion to layman’s terms, you went to Argument From Hidden Authority.

    I certainly cannot actually say you don’t have good reasons (or that you owe them to me)– but I have no evidence of them. This was a disappointing conversation.

  6. grung0r says

    getting deep into the weeds on this could compromise what I do for a living as well as reveal potential security gaps in PCs.

    You seem to be suggesting that you believe you know of zero day exploit(s) that no one else knows about, and that if this information were revealed then evil hackers(who somehow don’t know about these “gaps”) would go around exploiting them until Microsoft or Intel or someone(who presumably also don’t know about these “gaps”, or are covering them up since the problem is so intrisinc to the platform) fixed them.

    Have you always suffered from delusions of grandeur, or is this a new thing for you?

    Incidentally, if you do in fact know of publicly unknown “security gaps in PC’s”, then if you have an ethical bone in your body you will reveal them publicly post haste, because that’s the only way they will get fixed. If you lack the ethics bone, then I’m pretty sure there are some Russian hackers out there with bags of money they would be willing to part with in exchange for such information. Hurry, before someone else beats you to it!

  7. says

    I’m not the only one that knows about it by a long shot. The “Russian hackers” are well in hand. And guys I’m not trying to be evasive or come off like a smart ass here. Hopefully, if I do future posts about the industry, they will help me earn your trust.

  8. Anri says

    Typical net-advert irony:

    Sidebar ad on this page for a Diablo III ‘fully stocked’ service.

    . . .

    Does anyone else get this is the equivalent of mailing your home address, your car keys and vehicle title so Some Guy On The Internet, hoping you’ll get an episode of Pimp My Ride? Sheesh. I’m stupid, but I’m not that stupid.

    Now, I am working with this nice guy from Nigeria about a bank account he needs help with…
    (Yes, that’s a joke.)

  9. grung0r says

    I’m not the only one that knows about it by a long shot…

    Then how could you revealing it have any negative consequences? If you are not the only one who knows about it by a long shot, why would you keep the information from your readers? I can think of two possibilities. 1:you are an authoritarian, paternalistic douchebag. or 2:you are a delusional, authoritarian, paternalistic douchebag. Given that your ego allowed you to conclude that no one in the world could steal diablo session id’s because you and your friend were unable to do it in four hours using script kiddie tools, I’m leaning towards option 2.

    For the record, despite your delusions, I agree with your conclusion that no one is hacking session id’s. Why got to all the effort of a technical solution when all the low hanging fruit is ripe for the picking? I don’t see why one would need to load up wireshark to come to this conclusion, but to each their own I guess.

Leave a Reply