Toaday
11-26-2003, 01:08 AM
I posted what happened to me on Diablo today on General Games; yes, I play that old game to pass my time till WoW (though I'm really disappointed with Blizzard itself atm). Nutshell: Blizzard's PW recovery system was exploited to steal/delete almost all characters on their new ladder for LoD. Now what upsets me is this guy's post, where he has clear evidence that this had happened before and gave fair warning to tech support. How does this affect me and Blizzard? And possibly us as a guild in WoW? Shitty shitty patch, shitty shitty tech support, lack of communication (they have not posted anything as to what's to be done), lack of initiative to keep their games safe. I am really really really POed with Blizzard right now. I hope they get their act together by WoW, because there will be much more to lose for players if they screw up.
November 17th, at 6 o’clock in the AM, I emailed Blizzard with news of the exploit in their password recovery system. With absolutely no knowledge of how or why the hack worked I was able to deduce and determine with absolute precision where the flaw in their system lay.
They had fully one week to do something about it, to prevent the carnage that occurred last night from happening. I submit the following series of correspondences to show how much Blizzard really cares.
----
----
From: Callac@USEast
To: Online Support
Sent: 11/17/2003 6:02:45 AM
Subject: Diablo 2 Account Exploit
To whom it may concern,
I fear that there is now a new exploit, possibly involving the new automated password recovery system in 1.10. The reason for this is because when I tried logging on my account this morning, the password had been changed.
I used the automated recovery system to regain access to my account, and when I logged on my character, my Arkaine's Valor, Stormshield, upgraded Arreat's Face, and Annihilus charm were all gone.
The pattern of item removal is indicative of hackers moving through accounts quickly, looking for only quickly and easily identifiable uniques.
Let me state now that I do not expect my items back and am not emailing to request that you change the state of my character. I am merely concerned that this may happen again and again if the exploit is not discovered and fixed. If you cannot protect the integrity of battle.net for even your most dedicated players then I fear you may lose your fan base and credibility entirely.
My character was undoubtedly targeted because he is very high on the USEast ladder. He is level 95 and 7th on the overall ladder. He is the highest character on the ladder that is not a member of the infamous VET clan, and as a result is very visible and popular. Whenever I am on I get countless personal messages asking for advice, giving encouragement, and other comments.
Another motivation for believing the reason I got hacked lies in a flaw in your system and not one in mine is because my computer is completely secure. My system is always fully updated, has the most current antivirus client, is running a firewall, and could not possibly be running malicious software. I run a web based virus scan every night in addition to running the virus scan client on my computer. My computer has never once been compromised. Furthermore, my password is utterly unguessable, and I am the only person in the world that knows it.
Thank you for your time, and I would appreciate any further information you can give me concerning this problem.
Sincerely,
[Name Withheld]
*Callac
Callac
USEast
----
From: michaelp.support@blizzard.com
To: Callac@USEast
Sent: Wednesday, November 19, 2003 8:18 PM
Subject: Re: Diablo 2 Account Exploit
Hello [Name Withheld],
The changing-your-password part really hasn't changed. Those people who find a way to get passwords are doing the same thing as before 1.10.
The only difference is in how easy it is for you to recover it (because of the email registration). I will forward your report to the appropriate people. While I cannot guarantee a response, I can assure you it will be read and addressed.
If you have any further questions or problems, please feel free to contact us at support@blizzard.com.
Regards,
Michael P.
Online Support
Blizzard Entertainment
----
From: Callac@USEast
To: michaelp.support@blizzard.com
Sent: 11/21/2003 9:30:23 PM
Subject: Re: Diablo 2 Account Exploit
Dear Michael P.,
Thank you for your prompt reply, though I am forced to disagree with your assessment of the situation. Those people who find a way to get passwords are not doing the same thing as before 1.10, at least not where top of the ladder contenders are concerned.
I purport that there is a method by which the automated password reset system can be compromised or have its communications otherwise intercepted to make a reset password available to a hacker. I say this not because I am particularly knowledgeable on the subject, but because that is the only method I can imagine that could result in my account being hacked.
I am not the only top ladder character on USEast to be hacked. Within recent days both *tj-reborntwo (TJ-Lsorc, #11 on the ladder) and *legolas-dude (VET-Yuna, #2 on the ladder) have been hacked. I find it highly improbable that so many top ladder characters could be so careless with their computers and accounts to all get hacked within such a short time span, especially since I am one of them, and I am careful beyond belief.
Talking with the people behind TJ-Lsorc and VET-Yuna and how you handled their cases, it is apparent that Blizzard doesn't care about Diablo 2 or its players any more. The gross incompetence shown here and the company's complete unwillingness to rectify its own screwup is unconscionable. But all I can do is rant and stress my belief that you should give even more to the community to which you have given so much.
Sincerely,
[Name Withheld]
*Callac
Callac
USEast
----
From: Callac@USEast
To: michaelp.support@blizzard.com
Sent: Saturday, November 22, 2003 7:39 PM
Subject: Re: Diablo 2 Account Exploit
Dear Michael P.,
You have not yet responded to my last email (which I have included below), and already I am compelled to send another!
At 7:21 tonight, not 20 minutes ago, my account was hacked into again. My computer is utterly secure. My password was something other than it was before the first time I was hacked, and was just as unguessable.
Luckily I was in a channel when it happened, so whenever the hacker logged onto Callac, I was kicked from the channels and thus knew that something was amiss. I immediately relogged back on to Callac and sat him in a game, then got on to my second computer, which is equally as secure as my main one, and checked the password to my account, *Callac. It had been changed. I then immediately used the automated password reset system to have my password reset ... again.
I think now would be a good time for you to realize the painful truth. There clearly is an exploit in your password reset system, or some other problem with your authentication servers that makes it possible to compromise the security of any account!
My question is what in the Hell is Blizzard doing about it?
Sincerely pissed off,
[Name Withheld]
*Callac
Callac
USEast
----
From: michaelp.support@blizzard.com
To: [Email Withheld] Callac@USEast
Sent: Monday, November 24, 2003 12:40 PM
Subject: Re: Re: Diablo 2 Account Exploit
Hello again [Name Withheld],
The only way it could be intercepted is if they intercept your email (which is how we sent your passwords before also). You first have to log in with your password to change it. Which means a hacker must have your password to start. If you want to change your password to something else you can. A hacker would most likely change your password so they can do whatever it is they wanted with the account. When you try to log in you would get an invalid password.
Password retrieval is safer now than before. Once you click forgot password and go through the steps you will get a random password sent to your email (just as we did manually before). If the hacker tried to change email addresses it must first get a confirmation from your original email address (again they would have to have access to your email account to do this). So the new process is faster (as you don't have to wait for us to get to your email) and even more secure than in the past.
Being on the ladder does tend to put a bullseye on you for hackers. Any time you are on the Internet you are at risk of running into a hacker who may want to hack your system; however, a hacker cannot use the Battle.net connection to accomplish this. Your IP address must be discovered, then a separate connection to your system would need to be established, and then whatever system security your OS is offering must be breached.
Check http://www.blizzard.com/support/?id=msi0504p for more information about Hacks, Warnings and Security Information.
If you are running any version of Windows, then I recommend checking out this link (http://www.microsoft.com/security) in order to find out the details about your system security.
Also, there are links to a few firewall programs and Trojan virus detection at this link (http://www.blizzard.com/support/?id=msi0462p).
Regards,
Michael P.
Online Support
Blizzard Entertainment
----
----
Time and time again Blizzard refuses to read the writing on the wall, even when they are given ample warning of an impending disaster. How much longer do we have to take it?
Thanks for reading,
Callac, USEast