h2. Target

Blizzard's broken implementation of SHA-1 (hereafter referred to as XSHA-1), used in Starcraft, Diablo 2, and Warcraft 2. Its weakness has been publicly known for years. [1] It is used for secure transmission of passwords, CD keys, and probably intra-server data that must pass through the client. It is also used by the Warden anti-cheat system.

XSHA-1 was reverse engineered years ago, and by now there are dozens of different public implementations floating around. Channel admin bots, chat clients, game bots, and emulated servers all use it. Implementations can be found in C, Basic dialects, C#, Java, and Python.

h2. Motivation

There is a very active, and very secretive, hacking industry surrounding Diablo 2. Virtual item sale profits drive it, and keep it secretive. The industry is full of mysteries. One of them is the proliferation of cheap CD keys. Explanations for their existence range from overseas sales, to botnet harvests, to the key generation algorithm being broken.

A possibility I'd like to raise is their theft by traffic sniffing. If the XSHA-1 hash can be reversed, intercepted Diablo 2 traffic will yield CD keys. Net cafes, campus networks, unsecured WiFi, and Diablo proxy services become risks. Proxy services in particular - they're reasonably popular among players due to some annoying game mechanics, and if their hosts are stealing keys we'd be none the wiser.

The industry is very secretive, and possesses a mind-boggling level of skill and knowledge. Being the first to do something is difficult to impossible, so I am probably walking in the footsteps of giants without knowing. Some of those giants may have run proxy services in the past...

h2. Responsible Disclosure

The games affected no longer bring in money. Blizzard's update policy has been extremely minimal. [2] Exploit patches are reserved for things affecting server stability, and can be half-assed. [3] Furthermore, Blizzard's integrity when dealing with potentially profitable exploits has been called into question. [4] [5]

Furthermore, the weakness is far from news. It's been reported before at least once [6] and probably far more in private. The process for reporting exploits is known to be extremely ineffective, so it's likely that the weakness was reported and overlooked/ignored repeatedly.

Furthermore, none of the currently visible applications hurt Blizzard directly. They don't enable piracy, just plain old account and item theft from players.

If my suspicion of this area already being well-explored in private is true, that's unfortunate. With all that in mind, I see public awareness of the risks involved in playing these games on unsecured connections as outweighing the risk of this being something new.

fn1. http://uninformed.org/index.cgi?v=2&a=1&p=9

fn2. http://jesse.forthewin.com/blog/2009/12/blizzard-launches-diablo-2-v133-patience-test-realm.html

fn3. If I find a source discussing the lag dupe and its fix, I'll post it.

fn4. www.reddit.com/r/gaming/comments/kswg6/exposed_certain_blizzard_employees_have_been/

fn5. http://jesse.forthewin.com/blog/2011/09/blizzard-insider-profiting-from-diablo-2-exploits.html