Urgent warning for Diablo III players

Turbo164

New Member
Rumor from another forum, unconfirmed by Blizz but confirmed by many players. Avoid joining public games or making your games open to the public:

I'm seeing enough noise about the rumored exploit:

Your Diablo 3 games can be hijacked. Don't play public games right now!! - The Something Awful Forums
Diablo 3 exploit allows session hijacking - Forums - Diablo III
[Gathering Information] Please respond to this thread if your account has been compromised with an authenticator. : Diablo

That I'm starting to suspect it may actually be real. For one thing, the reported details so far fit together pretty well to describe a fairly simple replay attack. Based on this, I think people should at a minimum take the mitigation steps people have described until it's been a few days and Blizzard has either taken clear action or vehemently stated that it's a misunderstanding:
Disable quick join
Don't let people you don't know into your games
Don't play in public games
For those who want to call CENSORED, feel free. Here is my theory based on the rumors and posts so far, along with the accounts from people who've been hacked:

When you log into D3 you get a session ID (after entering your password and authenticator code and going through the auth servers). This ID stays valid as long as you are logged in (which is why you can access the Auction House and your friends list even if you're not currently in a game.) If this is the only unique identifier for your session (i.e. there is not a private, client-only element to it), it is possible that the session ID is being used when you interact with other players (for example, the session ID would be all you'd need in order to Quick Join someone's game or party, instead of a playerid+game combo, etc).

Under normal circumstances, a session ID would not only be unique to you, but would be otherwise tied to your login - IP address, machine identifier, etc. However, it is extremely possible to circumvent simple restrictions like this. Given that The Diablo 3 Game Protocol was figured out already, it is possible that people with malicious intent have software that is able to manually synthesize packets with your session ID and send them to the game server, perhaps even with a forged IP address. This would allow them to potentially boot you from the game (giving them unhindered access to your session), interact with the auction house, control your character if it is currently in a game (accessing your stash and inventory), or even enter new games or delete your character. They would also be able to add friends to your list (allowing them to abuse quick join) or enter your friends' games to get their session IDs. Doing all this would not even require interacting with the game client if they know the game protocol well enough.

As far as the claimed workaround of logging back in immediately goes, it's possible that would expire your previous session IDs, booting the hacker out and letting you back in, but if this is actually a replay attack I wouldn't count on Blizzard having been competent enough to expire sessions.

Also, to be clear, I believe this exploit would allow people to compromise entire friend networks by leveraging a single compromised account to Quick Join other games and get more session IDs. This is why I am saying to turn off Quick Join.

... (later)

Yeah, I would be shocked also if it actually turned out to be the case. On the other hand, this exact kind of bug has afflicted many big-name game titles and websites in the past - session fixation and replay attacks catch people unaware all the time.

The Bashiok post either means there's no session attack or that they've yet to do the investigation necessary to confirm that there's no attack. Unfortunately, the way he worded it, it could be either (I'm hoping it's the former, but I'm still keeping Quick Join turned off).

Moderator's Note: Edited quote due to profanity
 
Last edited by a moderator:
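The quoted theory turns on one design question: is the session ID a bare bearer credential, or is there "a private, client-only element" that a copied ID cannot reproduce? The toy model below is an added illustration, not Blizzard's protocol and not code from the quoted poster. It contrasts a server that authorizes any request carrying a valid session ID with one that requires each request to be HMAC-tagged with a per-login secret the client never sends again, rejects non-increasing request counters (so a captured message is useless a second time), and revokes the previous session when the player logs in again (the "log back in immediately" workaround discussed above). All class and function names, and the player name "alice", are constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    player: str
    client_secret: bytes  # known only to server and the client that logged in
    last_counter: int = 0  # highest request counter accepted so far


class NaiveServer:
    """Authorizes any request that carries a valid session ID (bearer token)."""

    def __init__(self):
        self.sessions = {}

    def login(self, player):
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(player, b"")
        return sid

    def handle(self, sid, action):
        s = self.sessions.get(sid)
        return None if s is None else f"{s.player}:{action}"


class HardenedServer:
    """Each request must be tagged with the client secret and carry a strictly
    increasing counter; a new login for the same player revokes the old session."""

    def __init__(self):
        self.sessions = {}
        self.by_player = {}

    def login(self, player):
        old = self.by_player.pop(player, None)
        if old is not None:
            self.sessions.pop(old, None)  # expire the earlier session
        sid = secrets.token_hex(16)
        secret = secrets.token_bytes(32)
        self.sessions[sid] = Session(player, secret)
        self.by_player[player] = sid
        return sid, secret

    @staticmethod
    def sign(secret, sid, counter, action):
        msg = f"{sid}|{counter}|{action}".encode()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def handle(self, sid, counter, action, tag):
        s = self.sessions.get(sid)
        if s is None:
            return None  # unknown or revoked session
        expected = self.sign(s.client_secret, sid, counter, action)
        if not hmac.compare_digest(expected, tag):
            return None  # sender does not hold the client secret
        if counter <= s.last_counter:
            return None  # replayed or out-of-order message
        s.last_counter = counter
        return f"{s.player}:{action}"


class Client:
    def __init__(self, sid, secret):
        self.sid, self.secret, self.counter = sid, secret, 0

    def request(self, action):
        self.counter += 1
        tag = HardenedServer.sign(self.secret, self.sid, self.counter, action)
        return (self.sid, self.counter, action, tag)


def demo_naive():
    srv = NaiveServer()
    sid = srv.login("alice")
    legit = srv.handle(sid, "open_stash")
    # A second request built from nothing but the session ID is also accepted:
    # the ID alone is the whole credential.
    repeated = srv.handle(sid, "open_stash")
    return legit, repeated


def demo_hardened():
    srv = HardenedServer()
    sid, secret = srv.login("alice")
    c = Client(sid, secret)
    msg = c.request("open_stash")
    legit = srv.handle(*msg)
    replay = srv.handle(*msg)  # identical message again: counter not fresh
    no_secret = srv.handle(sid, 2, "open_stash", "00" * 32)  # ID without secret
    srv.login("alice")  # player logs in again; old session is revoked
    after_relogin = srv.handle(*c.request("open_stash"))
    return legit, replay, no_secret, after_relogin


if __name__ == "__main__":
    print("naive:", demo_naive())
    print("hardened:", demo_hardened())
```

Only the hardened server's first request succeeds; the replayed message, the request without the secret, and the request after re-login are all rejected, whereas the naive server accepts every request that names a live session ID.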
Rumor from another forum, unconfirmed by Blizz but confirmed by many players. Avoid joining public games or making your games open to the public:

Or, use an authenticator. Just sayin'


I know authenticators aren't free (unless you have the right kind of phone), but they do help a lot.