UnoriginalGuy


Huge security flaw? by professorc in Diablo

[–]UnoriginalGuy 0 points1 point ago

Okay, that is assuming that they already have access to your computer via whatever method (keylogging).

A fairly good assumption as we are talking about someone "hacking" into your account via your username and password, which they had to get somehow.

Not as fast as Azmodan was but it's leveling me by 3213211 in Diablo

[–]UnoriginalGuy 1 point2 points ago

I cannot tell if that is even that fast, with all of the unloading and reloading you're doing. Your bar barely moves at all.

Blizzard is literally refusing to take customer's money by lordnikkon in Diablo

[–]UnoriginalGuy 1 point2 points ago

This happened to me.

The order form also has a massive bug in it; if you change your country it resets your payment type, and if you change your payment type it resets your country.

So for example let's say you have a Visa card, you select that, type in the info, and then select your country as Canada, the page reloads and now your payment type is "American Express."

If you go ahead and change it from American Express back to Visa it will reset your country from Canada back to the USA.

I e-mailed Bliz' about this giving them a detailed description and reproduction steps but got a generic "please telephone our billing line for help with orders" response and I just gave up.

I used my browser's developer toolbar to order.

Huge security flaw? by professorc in Diablo

[–]UnoriginalGuy 0 points1 point ago

What would the net effect be if they made it harder to change your password:

  • It would protect your characters: No.
  • It would protect your gold: No.
  • It would protect your items: No.
  • Would it protect your account information: No.
  • Would it force a user on an infected computer to enter their security question? Yes.
  • So the net result: Just give the "hackers" more information with which to take ownership of your account. Or worse: information needed to re-break-in after you secure your account.

Blizzard should add an "auto-pause mode". Whenever someone alt-tabs, Diablo 3 automatically pauses. by Atmozfears in Diablo

[–]UnoriginalGuy -1 points0 points ago

Diablo 3 cannot be paused at all, ever. It is by design.

I need gold fast, where should I farm? by Teebu in Diablo

[–]UnoriginalGuy 0 points1 point ago

The Act1/Cathedral in the hardest difficulty you have unlocked.

Am I the Unluckiest Soul Ever? Anyone unlucky as me? by zeldaahn2 in Diablo

[–]UnoriginalGuy 1 point2 points ago

> Saying "gay" doesn't mean homophobia, it's a fad.

Just as saying the N' word isn't racist - right?

By saying the word with negative connotations you're implying that you see being "gay" as a negative.

I really fail to see how there is any way to say the word "gay" to mean "bad" or "shitty" without it being homophobic to be honest.

So I got hacked......i think by herpaderp110 in Diablo

[–]UnoriginalGuy 0 points1 point ago

Fair enough. What flags did PSI throw up?

PLEASE HELP! MY ACCOUNT IS LOCKED AND I CAN'T UNLOCK IT!!!! by fugor1103 in Diablo

[–]UnoriginalGuy 1 point2 points ago

Use Skype to call the number.

Am I the Unluckiest Soul Ever? Anyone unlucky as me? by zeldaahn2 in Diablo

[–]UnoriginalGuy -1 points0 points ago

> Damn RNG is so gay

Wow, calling stuff "gay" - it is like 1993 all over again. Glad to see homophobia in gaming is alive and well.

So I got hacked......i think by herpaderp110 in Diablo

[–]UnoriginalGuy 0 points1 point ago

You went to a web-site where an advert launched malware abusing some exploit within a browser addon like Flash, Adobe Reader, Quicktime, or Java.

Alternatively your web-browser is out of date, you're still using Windows XP, you ran something nasty, or someone else using your computer did.

I suggest running this: http://secunia.com/products/consumer/psi/

It will flag any out-of-date/end-of-life software on your machine.

Witch doctor skills. We should compose a list and properly address to blizzard. Proper feedback helps them more than just saying it sucks. by Gibsonex in Diablo

[–]UnoriginalGuy -4 points-3 points ago

I tried the whole "constructive criticism" thing with Blizzard in WoW and it literally took them two expansions (read: approx 3.5 years) to fix them.

These weren't picky things either, they were glaring flaws, contradictions, or blatant double standards.

So I guess my point is: don't hold your breath. Even when Blizzard does listen as in the above case it can literally take years and years to see a single suggestion hit production.

Blizzard are very quick to nerf, but incredibly slow to alter how something is designed to work for fear of "undoing" all of their previous efforts/nerfs.

Solid colour wallpaper causes massive delays on Windows 7 by abbrevia in sysadmin

[–]UnoriginalGuy 13 points14 points ago

How boring - no technical explanation for what causes it.

What a surprise: No Session ID Hacking after all by sandmac in Diablo

[–]UnoriginalGuy 1 point2 points ago

That wasn't my point. My point was that D3 uses TCP/IP in a standard way, therefore almost certainly isn't using sessions like an HTTP connection would.

UDP based messaging protocols often use sessions since much like HTTP it is stateless. TCP/IP is stateful most of the time, HTTP is the exception - not the rule.

What a surprise: No Session ID Hacking after all by sandmac in Diablo

[–]UnoriginalGuy 0 points1 point ago

Somewhat, but the real hackers have seen Hackers 2: Operation Takedown (also called "Takedown").

Hacked! What can I do now to secure my PC, and stop this from happening again? by LameSalad in Diablo

[–]UnoriginalGuy 0 points1 point ago

Yes. Both in the configuration UI and also on the address bar when you visit a page with "blocked" content. It works in practice almost exactly like the popup blocker except you can click to enable individual elements on the page.

What a surprise: No Session ID Hacking after all by sandmac in Diablo

[–]UnoriginalGuy 2 points3 points ago

> I said IF D3 used sessions

.

> I was never at all saying or implying this was possible in D3

.

> likely is handled through a frontend session proxy that hands requests off to whatever backend servers

Well you wrapped up this discussion nicely. Nothing in your post has anything to do with the topic at hand, therefore your post has no purpose.

Hacked! What can I do now to secure my PC, and stop this from happening again? by LameSalad in Diablo

[–]UnoriginalGuy 0 points1 point ago

> I've never seen a browser with click to play before. Most browsers have "ask me" which isn't really similar at all.

Might I suggest you try Chrome's implementation. I think you will be pleasantly surprised by how user friendly it is.

What a surprise: No Session ID Hacking after all by sandmac in Diablo

[–]UnoriginalGuy 11 points12 points ago

> Session hijacking is totally possible if the server side doesn't have the proper locks on the session.

Wrong. It is impossible. Diablo 3 does NOT use sessions; it uses the TCP/IP stack to "secure" the communication between peer to peer.

> Pretty often in web stuff

HTTP has nothing to do with this. HTTP is a stateless protocol that uses sessions to simulate state. TCP/IP connections that persist are stateful.

I mean this as respectfully as I can, but you aren't qualified to have an opinion on this topic.

Hacked! What can I do now to secure my PC, and stop this from happening again? by LameSalad in Diablo

[–]UnoriginalGuy 0 points1 point ago

If you're using Chrome, "no-script" is almost built into the browser itself:

  • Tools -> Settings -> (Show Advanced Settings)
  • Content Settings
  • Plug-Ins -> Click to Play

Now I know this doesn't provide every feature the Firefox No-Script addon has, but a large number of people use No Script to exclusively block Plug-Ins from launching without permission.

Setting this is very effective since it blocks Flash, Java, and even the built-in PDF reader. It is also extremely user friendly, allowing you to one-click activate them, or to allow them site wide forever.

[S] How to powerlevel to 60 in about 4 hours by lediablo3throwaway in Diablo

[–]UnoriginalGuy 29 points30 points ago

That's actually a legitimate exploit. I think Bliz' will fix this but likely not quickly as they care far more about item "inflation" and less about character levelling (since getting characters to 60 is a foregone conclusion anyway, just a matter of time).

Since every time someone finds an item dup or chest bug it hurts their real-money AH. Buffing characters to level 60 does no such thing - in fact if anything having more level 60s without any gear only helps take items out of the market and therefore increase their price.

I think Blizzard will stop this the second companies start selling level 60 accounts created using this method for real money.

Why can't I lock my skill bar? by DGMavn in Diablo

[–]UnoriginalGuy 0 points1 point ago

As the other post says turn off elective mode.

But also - why are you clicking your skills bar to begin with? It is just the keys 1-4+Q, and the mouse buttons.

What a surprise: No Session ID Hacking after all by sandmac in Diablo

[–]UnoriginalGuy 52 points53 points ago

It has been quite amazing watching technically illiterate people commenting on security and inventing fictional "rumours" which even more technically illiterate people believe. Some examples:

  • Session hacking (on a TCP/IP connection?)
  • SQL Injection (no context given)
  • Database breach (no evidence/proof)

People seem to use names of real security issues as some kind of shield to hide their ignorance. When I enter a discussion and reply to someone repeating "SQL Injection!!" over and over, all they do is infer that just because they have no proof, that their theory is just as good as my "theory" that they're pulling it out of their butt.

It is like everyone put their common sense on hold for 72 hrs and would have these wild circle-jerk discussions where just talking about the "issue" over and over again made everyone more and more sure there was an "issue" to begin with.

Just for one example, that bug report thread where Blizzard said (paraphrasing) "we are looking into all reports" and everyone read that as "there is an issue and we will fix it."
