Diablo 3 Security Brought Into Question

It's 5AM here in the UK, and I'm shivering. Not because it's cold, or wet, but because an AAA developer didn't take a basic security measure that may have caused damage to thousands of account holders of Diablo 3... Specifically Diablo 3.

Around ten minutes ago at the time of writing, two Blizzard Forum users with IT experience, Fremd and Maged, discovered that, despite "common knowledge" that password security was being handled properly on Blizzard's end, they could enter their passwords wrongly into the client any number of times, even attempting this with spoofed (faked) IPs, and not get locked out.

Let me explain this in layman's terms. Blizzard didn't put in a basic security measure that stops people from simply typing in random numbers and letters until they get your password. Something that simple brute-force guessing can accomplish. Something they did with World of Warcraft. And, most importantly, something they *didn't* do with a game that's going to have a Real Money Auction House.

Add to this that it was also discovered, earlier in the day, that passwords are not case-sensitive, and the security barn door has been shown to be firmly locked open. Normally, case-insensitive passwords wouldn't be a big problem when anti-brute-force measures like limited password attempts are in place, but in this case? Folding upper and lower case together shrinks the number of guesses an attacker has to make, and with no attempt limit there is nothing to stop them making every one of those guesses. It makes the problem worse.
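To make the two points above concrete, here is an added example of the measure the post says is missing: a per-account login throttle with a sliding failure window and a lockout, plus a small calculation of how much case-folding shrinks the password search space. This is illustrative code written for this page, not Blizzard's or Battle.net's code, and the limits (five failures in five minutes, fifteen-minute lockout), the account names and the attempt sequence are all constructed assumptions. The throttle is keyed on the account name rather than the client IP, because the post notes the attempts were made from spoofed IPs, so an IP-keyed limiter alone would not have helped.

```python
import time
from collections import defaultdict, deque

# Constructed policy values (assumptions for this example, not real Blizzard settings).
MAX_FAILURES = 5        # wrong guesses tolerated inside the window before locking
WINDOW_SECONDS = 300    # sliding window in which failures are counted
LOCKOUT_SECONDS = 900   # how long the account stays locked once the limit is hit


def keyspace(length, case_sensitive=True):
    """Number of candidate passwords of a given length over letters and digits.

    Case-sensitive: 26 upper + 26 lower + 10 digits = 62 symbols per position.
    Case-insensitive (as the post describes): 26 letters + 10 digits = 36.
    """
    alphabet = 62 if case_sensitive else 36
    return alphabet ** length


class FakeClock:
    """Deterministic clock so the simulation below is reproducible offline."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginThrottle:
    """Per-account failure counter with a sliding window and a hard lockout."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time at which the lock expires

    def _prune(self, account, now):
        # Drop failures that fell out of the sliding window.
        recent = self.failures[account]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()

    def is_locked(self, account):
        until = self.locked_until.get(account)
        return until is not None and self.clock() < until

    def attempt(self, account, password_ok):
        """Record one login attempt and return 'locked', 'ok' or 'fail'.

        While locked, the password is not evaluated at all, so the response
        does not reveal whether the guess happened to be right.
        """
        now = self.clock()
        if self.is_locked(account):
            return "locked"
        if password_ok:
            self.failures[account].clear()
            return "ok"
        self._prune(account, now)
        self.failures[account].append(now)
        if len(self.failures[account]) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account].clear()
        return "fail"


def simulate_guessing(n_guesses, clock=None):
    """Fire n wrong guesses at one account, one per second (constructed pace).

    Returns (number of guesses the server actually evaluated, list of outcomes).
    Without the throttle every guess would be evaluated; with it, only the
    first MAX_FAILURES are, and the rest bounce off the lock.
    """
    clock = clock or FakeClock()
    throttle = LoginThrottle(clock=clock)
    outcomes = []
    for _ in range(n_guesses):
        outcomes.append(throttle.attempt("victim", password_ok=False))
        clock.advance(1)
    evaluated = outcomes.count("fail")
    return evaluated, outcomes


if __name__ == "__main__":
    print("8-char keyspace, case-sensitive:  ", keyspace(8, True))
    print("8-char keyspace, case-insensitive:", keyspace(8, False))
    evaluated, outcomes = simulate_guessing(100)
    print(f"100 guesses fired, {evaluated} evaluated, {outcomes.count('locked')} refused")
```

The trade-off a practitioner should keep in mind is that a lockout lets anyone who knows an account name lock its real owner out by deliberately failing five times, which is why the lock is time-limited here and why a second factor, like the authenticator the post's update recommends, is the stronger protection: it stops a guessed password from being enough on its own.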

While this is an easily fixed problem, it's still something that's going to lose the respect of many players of Blizzard products, and taint their reputation for at least a while to come. In the meantime, Blizzard were informed immediately upon discovery.

UPDATE: I have been assured that, so long as you have an Authenticator for your account, this is not a problem. For everyone else, however... Basically, if Blizzard don't start offering free physical authenticators mailed out in the next day or two, get one. There's also SMS authentication, and Smartphone authentication. Dial In isn't compatible with Diablo 3, and it says as much in the FAQ.

EDIT: I apologise to Glide for not giving him co-credit with Fremd and Maged for discovering this security hole!

EDIT 2: Although I am not at liberty to state any details, it is also entirely possible that usernames have been listed, leading to an even bigger security hole from the combined weaknesses.
