I don’t think there is any significant session ID hacking in Diablo III and I’ll tell you why. A friend and I have been playing with an app called Wireshark (And a few less reputable tools) while we were hooked up to D3 — from several PCs and IPs mind you. It turns out Blizzard may not as stupid as some players speculate.
Wireshark is an application that parses network packets and displays the results for prying eyes to appreciate. It shows what’s called the header in the packets – for those of you in wet, bio-science think of it as on-off codons at the head of an active gene vs. a string of genetic nonsense. The session ID has to be in the packet header, but it doesn’t have to be displayed — in fact having it display would be a gigantic security breach. Ergo, for a session ID hijack to work, gold farmers would have to install an app similar to Wireshark on the target player’s PC which would deliver the packet header containing the session ID to the farmer. He would then use that info to make the session flow through his device or, in extreme theoretical cases, knock the player out and slip right in. In effect, the gold farmer would become the player. This would all have to happen while the player was still logged in and playing using that same session ID, so the hacking program would have to deliver that session data and the farmer would have to act on it in real time.
In our tests, we looked at parsed and unparsed packet data, we tried different tricks and even considered registry edits to make it appear. But try as we might, we could not get that number to appear in our data, period, full stop. If we can’t do it standing there at the keyboard with the box open fucking around with it for hours on end, it’s hard to see how someone operating from China or India could make it happen in real time without triggering every firewall and anti-virus alarm between your PC and Beijing.
I find it highly unlikely there is any session ID hijacking going on in Diablo III. My guess is wide spread reports of gold farming are coming from the same vulnerabilities they always come from, i.e., phishing emails, key loggers embedded in add-on updates, and people dumb enough to register an account to buy in-game currency using their same email and password they use for Battlenet. In particular, Diablo III has attracted players who used to play Blizzard’s top seller, World of Warcraft, and millions of console gamers who are not familiar with gold farming in general. For those who have read reports of accounts being hacked even though they have Blizzard authenticators on them — which is what set these rumors off in the first place — my guess would be they are either 1) mistaken that there was an active authenticator on the account at that time and they may have been thinking of the past, or 2) it was a dial in authenticator which is a whole different animal and much less secure.