Stolen handshakes: session ID hijacking rumors in Diablo III may be overblown

If you read the gaming blogs and forums of the world, and hey, who doesn’t, you might have seen rumors swirling about something called session ID hijacking in the latest gaming sensation, Diablo III. It’s gone mainstream:

(Forbes) — At first this looked like it might have been yet another glitch on the Blizzard servers. Now it looks like we’re dealing with something far more nefarious: hackers exploiting security flaws in Diablo 3 and stealing peoples’ virtual items in order to sell them later in the Real-Money Auction House.

What is a real money auction house and why would gaming hackers care about it? It’s exactly what it sounds like: a sort of gamer eBay, an exchange of in-game items for in-game currency. What makes it a real money auction house is that gamers can sell their in-game items — or convert their in-game money — to real money.

That means, if a hacker collected enough items, s/he might be able to sell them on the RMAH and turn virtual items into hard cash as a worthwhile commercial venture. And that has a lot of people really concerned about rumors of nefarious hacking regimens and speculating on session ID hijacking as a method of compromise in Diablo III. This kind of hacking isn’t new, but many countries don’t consider stealing virtual money a crime; it is, after all, fake money used to buy better swords or flying mounts and stuff like that in game. There are lots of nations where you can’t have any real money besides The Real Money, so fake money is a real weird, weird, newish commodity. Hackers accumulating it by hacking into gamers’ accounts, laundering it, and selling the fake money to players who have real money might conceivably operate in the open as a completely legitimate business. This practice is known in the gaming industry as gold farming.

Gold farming is a huge business in large online communities with an in-game economy. And it can damn near ruin a gaming experience, because it involves ripping off in-game wealth that might take a gamer years to accumulate through regular, honest play. It sucks all the way around; fixing that damage for the hacked player costs online community developers very, very real money and it can injure customer loyalty. It’s so bad in Blizzard’s blockbuster game, World of Warcraft, that I wonder if Blizzard higher-ups went with a real money auction house in Diablo III in part thinking, ‘to hell with it, if players want to buy fake money, here, now they have an open market and transparent conversion rates for it. Problem solved.’

If you’re lost on the session ID bit, basically, right now you are talking to the Internet, specifically, the FTB server for this blog. You two are having a conversation, a handshake between two machines, aka a session, with data flowing back and forth instead of words, and that session has an ID number. Hackers have been known to get ahold of that ID or fake it, and with a few other bytes of info, they can sometimes make the session flow through their machines, where they can see both sides of the conversation, say between a gaming server and a player’s computer, including passwords and user names. Hypothetically, the session hacker might even be able to knock the player out of the session and slide right in where the player was. Bingo presto, now they are the player. Incidentally, this could in theory skate right past anti-hacking devices used by gamers, like Blizzard’s authenticator, because the authenticator only protects the login, not a session that has already been established.

The legit player will only know s/he got kicked off, and when s/he tries to log back in, the hacker can just set up a bot that pings the real player’s IP like little mini DoS attacks to keep them out until the hacker has done his grisly work. Which doesn’t take long. In mere seconds, an experienced game hacker can strip that player’s items and in-game currency, dump it on a nearby auction house for fake, in-game currency, and use the in-game mail system to send it to other players’ hacked characters, and so on, round and round she goes, like laundering money, except the spin cycle never ends until the fake money can be converted into real money. It must be quite a juggling act.
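The server-side countermeasure the two paragraphs above imply, as an added illustration that is not code from the original post or from Blizzard: a hypothetical session table that issues unguessable IDs, binds each session to the client it was created for, revokes a session the moment its ID shows up from a different client (the "knocked out and slid into" signature), and rotates the ID before a sensitive action such as an auction-house trade.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Constructed, hypothetical server-side session table (not a real game server's)."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self.sessions = {}  # sid -> {"user", "fp", "expires"}
        self.alerts = []    # (sid, user, reason) for the abuse/SOC team to review

    @staticmethod
    def fingerprint(client_ip, user_agent):
        # Coarse client traits the session is bound to; a replayed ID from
        # another machine normally arrives with a different pair.
        return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()

    def create(self, user, fp, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy: not sequential, not guessable
        self.sessions[sid] = {"user": user, "fp": fp, "expires": now + self.ttl}
        return sid

    def validate(self, sid, fp, now=None):
        now = time.time() if now is None else now
        rec = self.sessions.get(sid)
        if rec is None:
            return None
        if now > rec["expires"]:
            self._revoke(sid, rec, "expired")
            return None
        if rec["fp"] != fp:
            # Same ID, different client: kill the session so neither side continues,
            # and leave a record instead of silently letting the newcomer "be the player".
            self._revoke(sid, rec, "session id presented from a different client")
            return None
        rec["expires"] = now + self.ttl  # sliding expiry on legitimate use
        return rec["user"]

    def rotate(self, sid, fp, now=None):
        # Fresh ID at a privilege boundary (e.g. before a real-money trade) so a
        # captured ID has the shortest possible useful lifetime.
        user = self.validate(sid, fp, now)
        if user is None:
            return None
        del self.sessions[sid]
        return self.create(user, fp, now)

    def _revoke(self, sid, rec, reason):
        self.sessions.pop(sid, None)
        self.alerts.append((sid, rec["user"], reason))
```

Binding to IP and user agent is deliberately coarse (mobile clients roam, proxies share addresses), so in practice the alert is a signal to investigate and the revocation forces a fresh authenticated login rather than proving a hijack on its own.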

That they have to keep this huge chunk of stuff and/or money in motion through hacked accounts may turn out to be the Achilles’ heel of D3 hacking no matter how it’s happening. Or, in the end, if the hackers are hugely successful, massive amounts of in-game dollars will overwhelm the real money auction house and create a commercially non-viable exchange rate. I suppose, if someone wanted to try to start a sort of futures exchange or forward contracting arrangement on the Fake$/Real$ rate for a piece of the action, your hackers and other in-game speculators could even hedge and speculate. This would work especially well for such an innovator if they had a large site where you could feature such a cyber exchange.

::: Light Bulb On :::

Call it the Virtual Merc, Vmerc; I like it (I also might own it, so hands off!).

Anywho … no one has said officially, for sure, if session ID hijacking is the culprit behind the Forbes report on D3 (a Blizzard post went up overnight downplaying that possibility, and credible sources tell me they are skeptical of the whole idea). Besides, there are security solutions for session hacking even if it turns out to be valid, and the real money auction house doesn’t start for a few days. … Still, it will be interesting to see how this all plays out.


  1. sithrazer says

    Yet another reason why Diablo 3 is stupid. It’s a single player game with multiplayer capability, yet the entire thing is hosted on a remote server.

    I wonder who it was that thought this was a good idea.

  2. mithrandir says

    sithrazer says:

    Yet another reason why Diablo 3 is stupid. It’s a single player game with multiplayer capability, yet the entire thing is hosted on a remote server.

    I wonder who it was that thought this was a good idea.

    The person who thought a real-money auction house was a good idea. You think it’s bad now, with the risk of hacking, imagine what it’d be like if items and in-game gold were completely at the mercy of the home client.

    Which kind of begs the question of why not have a purely single-player experience that’s barred from the RMAH, but that would make too much sense.

  3. unbound says

    I was hoping Blizzard was being a bit smarter about this, but if they are already running into this issue, then I don’t think they were as prepared as they should have been.

    Blizzard has already had to deal with a lot of hacked accounts in WoW (they were the first ones to get hacked via the Java null pointer exploit, and even got their tokens hacked in a limited fashion via a man-in-the-middle attack). They should have been on full alert rolling out Diablo 3 with the real world auction house. It is an even more tempting target than the WoW accounts since there are fewer steps involved in getting to the actual money for the hackers, and potentially they wouldn’t have to deal with middle men to get to the money.

    Hopefully this isn’t sidejacking (if it is, then Blizzard should be sued for negligence) in which case securing your home computer will keep most people safe.

  4. says

    The real money online auction thingie was one of the red flags for me when this game launched. Once you get real money involved you are guaranteed to attract hackers. Blizzard should definitely be consulting with Wizards of the Coast as to how they handle Cyber security within their Magic Online system. With some virtual cards costing $75-100 (I think Force of Will is still a Benjamin to get due to rarity) and tournament decks often costing nearly a thousand dollars to assemble, there are Magic Online players with serious investments in their collection.

    I speak from personal experience. Even as just a casual player I had about a hundred bucks worth of stuff stolen when somebody jacked my password. It really sucks, almost as bad as the guy who broke into my house and stole my Wii and my Pentax a couple years ago.

  5. says

    @Jason… I’m still playing Torchlight 1, but yeah… Torchlight two looks awesome. I wish I still had the time to devote to it that I had when I was playing Diablo 2. Damn children…

  6. sithrazer says

    Which kind of begs the question of why not have a purely single-player experience that’s barred from the RMAH, but that would make too much sense.

    That’s more or less what I was going for, but couldn’t quite word right so I left my post at what I did.

    Single player could even be purchase-only from the RMAH, and any item entering a multi-player server could be flagged as having entered from a client and therefore not generated by the blizzard server, thus be barred from being put up for sale on the RMAH.

    That gets you a mostly functional RMAH, a fully functional single player experience, as functional a multi-player experience as the game servers allow, and people who like to screw around with modding and hacking their game client can’t easily damage the RMAH (or block multi-player for such modded game clients altogether).

  7. says

    I’m curious how an RMAH could affect a company’s balance sheet. If there’s a conversion rate for in game currency and items, the valuation for the virtual community part of the asset list might move beyond subscriber base and growth rates.

  8. sithrazer says

    I don’t know where you’d look to find such information, but Linden Labs (makers of SecondLife) probably has some, if not all, the answers to that question.

    In-game currency of SecondLife has a real-world money exchange rate and exchange services for converting in-game currency to real-world currency (complete with fluctuating exchange rates depending on numbers and amounts of buyers and sellers).

    You can’t use real money to buy things in the game world directly, in that respect it works kind of like MSPoints for the XBox Live store, with the exception that there’s a way to convert your leftover points back into real money.

    Last time I looked there was a control on how much you could exchange per period of time though, and I doubt Blizzard would place such limits on their AH as they don’t care about controlling inflation/deflation rates of items/currency.