Diablo 3 Session Spoofing Is Real; Do Not Join Public Games

We recently warned gamers about an article on the Joystiq WoW Insider page saying that public Diablo III games were safe; that session spoofing is fake and that it's just Chinese gold farmers spreading propaganda. Well, another user actually tested session spoofing and gives a complete rundown on how to protect yourself.

We've come across many gamers on forums, websites and news posts saying that after joining a public game, or leaving their own game open to the public while playing Diablo III online, they had their accounts wiped clean and a select number of the same names appeared on their friends list. Well, it turns out there is a theoretical hack methodology that connects the paranoia about joining a public game with the "man in the middle" session spoofing conspiracy theories.

Forbes recently ran an article about gamers needing to take responsibility and speak up against Blizzard, as well as Blizzard needing to take responsibility and openly talk to consumers about what's happening with account infiltration. A nifty user in the comment section of the article actually provided a very logical explanation of imitating session spoofing (something anyone with the will and know-how can do) and explains the following...

Buy two games, get two accounts, join both in game, open trade screen and then inspect packets. Some interesting stuff in there to use to spoof with, not very well secured at all. Now, to be honest I still don't know what they are using script wise to allow spoofed ID sessions to login or supersede a current session. Maybe with the lag inherent in Blizzard servers they treat minor disconnects as lag, allowing the stolen session to supersede the current session. But we don't know any of this since it's a company secret. All I know from playing years of Blizzard online games is that it takes a lot to actually get a disconnect.

Now let's be clear, this guy is saying session spoofing or "man in the middle" attacks are possible. The WoW Insider article pointed to a forum thread where Blizzard has been feverishly denying that anything other than consumer negligence is the cause of infiltrated accounts. This is not the case, however, and in personal back-and-forth communication with consumers, Blizzard's support staff has admitted that they do not know how some accounts have been infiltrated. If all account compromises were via "traditional means", the support staff would not be baffled about the ways in which accounts are being attacked.

Let's get another thing perfectly clear: Everything Blizzard says will be about protecting the resources of the company. There is a possibility of earning billions from the Real-Money Auction House. That is a fact. Blizzard will do anything and everything within their power to downplay the severity of the situation, even if it means denying account infiltration techniques that are possibly being used to compromise accounts. This is the number one thing mentioned in the top misconceptions about the gaming industry.

Anyways, the user goes on to further explain how the spoofing takes place, mentioning that...

Technically they are not breaching servers. They are using stolen sessions. What ActiBlizz did not do well was use rotating session IDs in the game. They actually might be fixing this as we speak. But they would never say anything about this, any company would deny deny deny. I would deny as well, reason being: to fix it before it gets out of control and not to tell everyone how it was done. This does not mean they can get to your account information, all they can do is get to the last toon you logged into. ...Any active net connection relies on session keys. Websites rely on cookies (another form of session key).
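The rotating-session-ID defense the commenter describes, shown as an added illustration rather than Blizzard's or the commenter's code: a hypothetical server-side session table in which a token captured in transit keeps working when IDs are fixed for the whole login, but is dead after the owner's next request when IDs rotate; binding each session to a client fingerprint (an assumption of this example) lets the server end the session and raise an alert when the same token arrives from a different client instead of letting the newcomer supersede the real player.

```python
import hmac
import secrets

class SessionStore:
    """Server-side session table; hypothetical, not Battle.net's implementation."""

    def __init__(self, rotate: bool):
        self.rotate = rotate    # False models one fixed session ID per login
        self.sessions = {}      # token -> (account, client fingerprint)
        self.alerts = []        # takeover indications for support/detection staff

    def login(self, account: str, client_id: str) -> str:
        token = secrets.token_hex(16)
        self.sessions[token] = (account, client_id)
        return token

    def use(self, token: str, client_id: str):
        """Authenticate one request; returns (account, token for next request) or None."""
        entry = self.sessions.get(token)
        if entry is None:
            return None         # unknown or already-rotated token
        account, owner = entry
        if not hmac.compare_digest(owner, client_id):
            # Same token from another client: end the session rather than let the
            # newcomer supersede the legitimate player, and record the event.
            self.alerts.append(f"{account}: session token replayed from {client_id}")
            del self.sessions[token]
            return None
        if not self.rotate:
            return account, token
        del self.sessions[token]    # one-time use: the old token is now dead
        fresh = secrets.token_hex(16)
        self.sessions[fresh] = entry
        return account, fresh

def replay_succeeds(rotate: bool) -> bool:
    """Does a token captured in transit still work after the owner's next request?"""
    store = SessionStore(rotate)
    token = store.login("player1", "client-A")
    captured = token            # constructed: the token as seen by a third party
    _, token = store.use(token, "client-A")   # the legitimate player keeps playing
    return store.use(captured, "client-A") is not None

def takeover_detected() -> bool:
    """The current token presented from a different client ends the session and alerts."""
    store = SessionStore(rotate=True)
    token = store.login("player1", "client-A")
    return store.use(token, "client-B") is None and len(store.alerts) == 1
```

With fixed IDs the captured token is accepted indefinitely, which is the weakness the comment describes; with rotation it fails on replay, and the alert list is what a support team would look at when a player reports being logged out and back in by someone else.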

Let's recount now. Blizzard has said many times on the forum, including in this thread here, as well as to sites like Joystiq, that session spoofing was highly improbable. They mention that performing "man in the middle attacks" is highly complex. They refer to traditional means of account infiltration as the most viable way to lose access to your account, pinning the blame on users. This video here, which documents the way Chinese gold farmers get hold of gamers' accounts via traditional means, aims to reiterate what Blizzard says. However, that's not entirely what's happening in this case.

The user Vaudevillian, who tested the session spoofing capabilities on Blizzard's Battle.net, lays out the following details...

After looking at the packets myself, I did a test to see what was happening. I used my second account, got the toon up to level 50, removed all his good gear and traded it over to my other account. I then put crap on him and left him with 500 gold. I then started playing act 1 hell in public games. I got the toon up to level 52 a day and a half later. Some dude joins my game, opens a trade screen and says "biy o k". The bait was set and the hook cast. I log my other account in on another computer and trade the new loot off of him except some minimal stuff and 5000 gold. Just as I finished transferring, my account logs itself out. A few seconds later I see it log in under my friends list. I did not log it back in. (Again, to be honest my second account does not have an authenticator so I don't know if it would stop session ID spoofing and I won't test it with my good account. I use the second account as a mule.) After I see my account log out, to be on the safe side I changed the password. I logged back in and my toon was stripped bare. Just a note: I put an old computer back together and did a fresh install of Win 7 and only put Diablo 3 on the computer. I don't use it for anything else. It has never visited any website and does not have any email.

Bam. Now that's some excellent information right there. The "buy account" quote was also ironically reiterated to the writer of Eurogamer when he logged in and found out that his account had been hijacked.

As mentioned before, DO NOT JOIN PUBLIC GAMES.

I cannot stress that above sentiment enough.

There are also names you should look out for and avoid at all costs when playing Diablo III, even if you do have an authenticator: “leyiong”, “Nevin”, “SBJunkie”, “luckllezz”, “McLeast”.

As for people who feel safe with an authenticator, take note that Examiner Mark Casino was hacked even though he was using one, so exercise extreme caution when playing Diablo III.

Now is it possible that the above guy is lying about his session spoof testing? It's possible. Is it possible Examiner Mark Casino didn't have the right authenticator? It's possible. However, let's take into account that the information provided actually makes sense, and ties into why people have been mysteriously losing access to their accounts and Blizzard has not been able to properly track the intrusions (it also makes sense because Blizzard won't make the information public, even though it would help protect consumers from becoming potential hack victims).

Blizzard has also been deleting threads on the forums from users claiming to have been hacked while using an authenticator; I'd point to some threads, but they're deleted. The reasoning is that the support staff felt people claiming they were hacked while using an authenticator were spreading misinformation and were working with Chinese gold farmers to keep people paranoid and away from using authenticators. There's no telling how true that really is. Alternatively, it could be Blizzard's way of preventing people from seeing that a large majority of hack claims also have authenticators attached to their accounts, even though Blizzard says they have yet to investigate a case where someone had an authenticator attached.

Regardless, get an authenticator just to be sure (the mobile version is free). Change your password frequently and please do not play in public games or leave your game open for the public.

With the real-money auction house opening soon it's imperative to practice safe playing habits because there's a real possibility that users could be losing more than just virtual items and goods.

(Update: Blizzard replied to the article and says that public games are safe.)

Will Usher

Staff Writer at CinemaBlend.