Diablo 3 Security Brought Into Question
 


Platform: PC Games
Category: RPG
 
Author: JamieTD

It's 5AM here in the UK, and I'm shivering. Not because it's cold or wet, but because an AAA developer skipped a basic security measure, and that omission may have exposed thousands of Diablo 3 account holders to harm.

Around ten minutes ago at the time of writing, two Blizzard forum users with IT experience, Fremd and Maged, discovered that, despite the "common knowledge" that password security was being handled properly on Blizzard's end, they could enter a wrong password into the client any number of times, even when the attempts came from spoofed (faked) IP addresses, and never get locked out.

Let me explain this in layman's terms. Blizzard did not put in the basic security measure that stops someone from simply trying random combinations of letters and numbers until they hit your password. That is a plain brute-force attack, and it takes no skill. They did put such a limit in place for World of Warcraft. And, most importantly, they *didn't* do so for a game that's going to have a Real Money Auction House.

Add to this that it was also discovered, earlier in the day, that passwords are not case sensitive, and the security barn door is not merely open but wedged open. On its own, a case-insensitive password is tolerable when anti-brute-force measures such as a limit on failed attempts are in place. With unlimited attempts, though, folding case shrinks the space an attacker has to search (each letter's upper and lower forms now count as one guess, so an eight-letter password has 2^8, or 256, times fewer distinct candidates), and that makes the problem worse.
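As an added illustration of both weaknesses (this is example code written for this page, not Blizzard's or the forum posters' code; the account password, candidate list, IP addresses, lockout threshold and lockout duration are all made up), here is the case-folding, no-lockout check beside a hardened one that compares case-sensitively against a salted PBKDF2 digest and locks the account after a fixed number of failures. The lockout counter is keyed on the account, not on the source IP, so rotating or spoofing IPs gains the attacker nothing:

```python
"""Added example: weak vs. hardened password check with per-account lockout.
Not Blizzard's code. All names, passwords, IPs and limits are constructed."""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5        # assumption for this example: lock after five bad guesses
LOCKOUT_SECONDS = 900   # assumption: lock the account for fifteen minutes
PBKDF2_ROUNDS = 20_000  # kept low so the demo runs quickly; use far more in production

# Constructed sample data: the attacker's guess list and the IPs it rotates through.
CANDIDATES = ["password", "123456", "diablo", "DIABLO3", "blizzard",
              "Diablo3", "nephalem", "diablo3pass", "Diablo3Pass"]
SPOOFED_IPS = ["203.0.113.5", "198.51.100.7", "192.0.2.9"]


def weak_verify(stored_password, attempt):
    """The behaviour described in the post: comparison ignores case, so
    'Secret' and 'SECRET' both log in, and nothing counts failures."""
    return stored_password.lower() == attempt.lower()


def make_record(password):
    """Hardened account record: salted PBKDF2 digest plus lockout state."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "digest": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "failures": 0,
        "locked_until": 0.0,
    }


def hardened_verify(record, attempt, now=None, source_ip=None):
    """Case-sensitive check with a per-account lockout.

    source_ip is accepted only so a caller can log it; it deliberately plays
    no part in the lockout decision. Returns 'ok', 'bad' or 'locked'.
    """
    now = time.time() if now is None else now
    if now < record["locked_until"]:
        return "locked"
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], PBKDF2_ROUNDS)
    if hmac.compare_digest(digest, record["digest"]):
        record["failures"] = 0
        return "ok"
    record["failures"] += 1
    if record["failures"] >= MAX_FAILURES:
        record["locked_until"] = now + LOCKOUT_SECONDS
        record["failures"] = 0
        return "locked"
    return "bad"


def brute_force_weak(stored_password, candidates):
    """Unlimited guessing against the case-folding check.
    Returns (guesses used, candidate that got in or None)."""
    for i, guess in enumerate(candidates, start=1):
        if weak_verify(stored_password, guess):
            return i, guess
    return len(candidates), None


def brute_force_hardened(record, candidates, source_ips, start=0.0):
    """Same guess list against the hardened check, one second apart,
    rotating the claimed source IP on every attempt."""
    for i, guess in enumerate(candidates, start=1):
        ip = source_ips[i % len(source_ips)]
        result = hardened_verify(record, guess, now=start + i, source_ip=ip)
        if result == "ok":
            return i, guess
        if result == "locked":
            return i, None  # the attacker is stopped here
    return len(candidates), None


def alphabetic_keyspace(length):
    """Distinct guesses for letter-only passwords of a given length:
    (mixed case, case folded). Folding divides the space by 2**length."""
    return 52 ** length, 26 ** length


if __name__ == "__main__":
    print("weak:", brute_force_weak("Diablo3Pass", CANDIDATES))
    print("hardened:", brute_force_hardened(make_record("Diablo3Pass"), CANDIDATES, SPOOFED_IPS))
    print("8 letters, mixed vs folded:", alphabetic_keyspace(8))
```

Against the weak check the constructed list gets in on the eighth guess with the all-lowercase "diablo3pass"; against the hardened check the account locks on the fifth failure and the same list, spoofed IPs included, never reaches the correct password until the lockout expires.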

While this is easily fixed (limit or lock out repeated failed attempts, as is already done for World of Warcraft), it's still something that's going to cost Blizzard the respect of many players and taint their reputation for a while to come. In the meantime, Blizzard were informed immediately upon discovery.

UPDATE: I have been assured that, so long as you have an Authenticator for your account, this is not a problem. For everyone else, however... Basically, if Blizzard don't start offering free physical authenticators mailed out in the next day or two, get one. There's also SMS authentication, and Smartphone authentication. Dial In isn't compatible with Diablo 3, and it says as much in the FAQ.

EDIT: I apologise to Glide for not giving him co-credit with Fremd and Maged for discovering this security hole!

EDIT 2: Although I am not at liberty to state any details, it is also entirely possible that usernames have been listed, leading to an even bigger security hole from the combined weaknesses.

 
 
