I spent 3 days looking into a hack that has been allowing people to buy items on the RMAH for much less than their worth. I'd love to see some discussion around this topic!
The Diablo 3 RMAH is making people a lot of money, but none so much as the common hacker. A relatively simple exploit was uncovered in the last few days which have allowed enterprising exploiters the world around to purchase expensive items on the auction house for peanuts, harming legitimate users in the process. We have left some technical details intentionally vague.
It works quite simply, within Diablo 3 you can put items up for auction with either a buyout, or a flat bid system. The hack will then allow people to buyout an item for the value of its bid, which is quite frequently much much lower than the worth of the item. ‘The hack is very easy to replicate’says one of the hackers ‘it’s just a matter of switching values within the client, tricking it into thinking there is a buyout when there is none there’
Over the course of four hours, I spoke to five different people who were using the exploit, two of which who confirmed it to me via streaming video. Every single person who had used it had made over $2,000 to themselves, in addition to the money they had already made from the RMAH before using the hack.
A few had stated they got the exploit working on the gold auction house, allowing them to bypass Blizzards review period for transactions. With the price of gold within Diablo 3 already at Blizzards artificial minimum of $2.5 per million, and externally at trading sites like playerauctions at $1.7 per million, they’re able to easily turn that gold into $$ minutes after purchasing the items.
Since starting to investigate this exploit over 24 hours ago, various sites have been reporting on it and public methods have been made available, increasing the overall number of people using this exploit, and the loss in income, gold or otherwise, that legitimate Diablo 3 users are experiencing when an exploiter buys their item for its current bid.
Blizzard are no doubt aware of the issue, however there is no notice as to when it would be fixed, and people complaining about it have been left without a blue post confirming there is an issue… considered Blizzard’s standard operating procedure when dealing with something that could potentially give them a loss in income. Will there be refunds? No. Will people get any kind of compensation? No. Will exploiters still have profited? Absolutely.
For now, please be aware that putting an item up for bid with no buyout will leave you vulnerable to this particular exploit. Hopefully this is due to be hotfixed soon.
There's a big difference in the time thing which was scripted where it was SUPPOSED to be doing that (probably an oversight from testing that wasn't changed) and then this.
You can't "fool" the server into thinking anything. Because the server will check it's records first and foremost. Anything you try to do will be delivered to the server, the server will check to see if it's correct, and then send permission to allow it.
You can change client side data to make it appear like you have more gold. Or maybe even that the buyout on an item is higher than it should be, but you can't change the actual server data.
So if you witnessed it with your own eyes that's more likely. Someone changed the value to show falsely that the buyout was higher in order to trick you into thinking what you saw was genuine.
Ah well, atleast Activision-Blizzard being the excellent and customer friendly company that it is, surely it reimbursed all those who lost gold or even real life money due to a bug within there system... Oh look a flying pig
I stopped at the point when the "hacker" tried to tell me that changes in your client can affect the server.
Maybe he didn't state it correctly, but the whole "buyout for bid price" is real.
Also, please remember the local system clock + cancel auction issue. The auction house isn't exactly an example of good/proper programming.
The local system clock thing is exactly what I'm looking at.
The system clock made your client believe your Auction still has 5 minutes to cancel, but you don't actually get the item, since the info is on the server. All the client does is simulate what happens and then the servers works out if that's indeed the case.
When the server figures out what you've done it deletes the item as it's simply just an icon in your client and not the actual item that is located on the server.
I stopped at the point when the "hacker" tried to tell me that changes in your client can affect the server.
Also no offense meant to you, seeing as you wrote the article.
I didn't want to go into too much detail because I don't like people potentially reproducing it themselves or attempting to, considering its base maliciousness.
None taken Just quoting what was said at me, whether what was said was real or not, I have nfi, I did however get to see it live in action from two seperate people, and it was scary easy to pull off.
I was merely using that as an example that you can expect stuff like this.
I would link you the thread, but it's in the private sections of the sites I frequent and I doubt that type of site would be allowed to be linked here to begin with. It only works on items with no buyout though, so pretty easy to not be affected by it.
Edit: I'm not even completely sure if it still works right this moment, but it worked in the past few days.
I stopped at the point when the "hacker" tried to tell me that changes in your client can affect the server.
Also no offense meant to you, seeing as you wrote the article.
I didn't want to go into too much detail because I don't like people potentially reproducing it themselves or attempting to, considering its base maliciousness.
None taken Just quoting what was said at me, whether what was said was real or not, I have nfi, I did however get to see it live in action from two seperate people, and it was scary easy to pull off.
Curious. When you saw it happen live, did the guys then take the item, put it in their inventories, reload the game and have it in their inventories still?
There's a big difference in the time thing which was scripted where it was SUPPOSED to be doing that (probably an oversight from testing that wasn't changed) and then this.
You can't "fool" the server into thinking anything. Because the server will check it's records first and foremost. Anything you try to do will be delivered to the server, the server will check to see if it's correct, and then send permission to allow it.
You can change client side data to make it appear like you have more gold. Or maybe even that the buyout on an item is higher than it should be, but you can't change the actual server data.
So if you witnessed it with your own eyes that's more likely. Someone changed the value to show falsely that the buyout was higher in order to trick you into thinking what you saw was genuine.
I'm sorry, but I don't believe this for an instant, and I'll tell you why.
The reason I started on a search for this exploit was because there were a large majority of people in Blizzards support forum stating that items they had put up for bid were being sold to people for the bid amount, and ending the auction early. I went from there and took a look at all the local sites related to such nefarious deeds and found quite quickly that there was something to what people were saying.
While idling in the chat on one of these places, I discovered someone who had posted a rough method. This method wasn't entirely accurate, but it was enough that people could tweak and fiddle and get it to work. An hour later, his post was deleted, he had logged off, and his pastebin was also removed. I reposted the data, only to have that quickly deleted also... it was at that point that I knew I had something.
I spoke to a lot of people who stated they had this working. They showed me it working in a live demonstration. They showed me their paypals, they showed me the item in game, they showed me everything. You're saying it can't be done, I've seen it with my own eyes. If I'm known for anything in the journalism circuit it's that one thing with the email list that is embarassing to talk about, but the second thing is my Investigative Journalism skills.
I was merely using that as an example that you can expect stuff like this.
I would link you the thread, but it's in the private sections of the sites I frequent and I doubt that type of site would be allowed to be linked here to begin with. It only works on items with no buyout though, so pretty easy to not be affected by it.
Edit: I'm not even completely sure if it still works right this moment, but it worked in the past few days.
If it only works in those cases it sounds more like the clock changing thing but the server won't actually send the item when it checks to see if the data is correct.
There is almost 0% chance that a company could forget something like server side checks nowadays. That's how we see every kind of hack so it's the first thing you don't allow is data from clients to just freely do what it wants on the server. That's like, Online Gaming 101. If somehow this was actually possible and Blizzard missed something like that my brain would explode, especially since I'm sure they'd know from WoW how that works.
If it's legit we'd be seeing tons of posts and videos about it.
Now that it's been explained more it sounds like someone trying to fool the clock again to think the auction has ended so your bid would win, which in some weird circumstance for whatever reason MIGHT send out messages that the bid was lost and it's gone now, maybe for some outlandish reason it would send the messages before it checks, but there is no realistic way the server is going to say "Fine yeah, send the item.".
Curious. When you saw it happen live, did the guys then take the item, put it in their inventories, reload the game and have it in their inventories still?
I saw them relist the item on the AH, I saw the item get sold quickly, I saw the Completed Tab light up with an amount in review and the email they had gotten from blizzard stating the item had been sold and was in review. I saw their completed tab history of the same item being purchased-buyout for peanuts and then resold, without the little red ! stating it was still in review.
EDIT for coherence:
Basically their completed tab was like this:
Item x sold
Item x purchased-buyout
Item w sold
Item v sold
Item w purchased - buyout
Item u sold
Item v purchased - buyout
Item u purchased - buyout
There was pages and pages and pages like this. We're not talking like 10 items, we're talking like hundreds, and a paypal history that matched the amounts.
If it's legit we'd be seeing tons of posts and videos about it.
Why would people making loads of money doing something illegal post videos about it. It's not until it gets to the stage that the populace can get their hands on it easily that such videos are made, and this isn't as simple as changing a system clock.
Every single one of the people I spoke to wouldn't share the method, and why the hell would they? I had to PAY people just to get them to show me they had it working and functional. I had posts removed from two places with posts related to this, because of admins trying to hide the hack from knowledge. It might not be enough proof for you, but it is for me.
If it only works in those cases it sounds more like the clock changing thing but the server won't actually send the item when it checks to see if the data is correct.
I haven't seen it in videos, but I've seen before and after screenshots with them having the items. Obviously this isn't very good proof, but I figured I'd add it since the OP said he's seen videos of it. Also on ownedcore (edit this out if you want since you're a mod) it was moved to the elite section pretty fast. The thread there was titled "possible rmah exploit buying items minimum bid."
If it's legit we'd be seeing tons of posts and videos about it.
With how much money there is to be made from it?
I would imagine the only reason it would even be mentioned in public would be because of people that are the victims complaining about it. There are legit WoW dupes too, but I know I couldn't find a legit video of one in action if my life depended on it.
Edit: Also, I'm not 100% sure about this, but I believe the auctions being stuck at 0 gold bids was related to this.
Edit Edit: Ha, Bane.
I had to PAY people just to get them to show me they had it working and functional.
I see your post saying you'll pay $50 on one of the forums I frequent. Didn't add 2 and 2 together until you posted this.
Well people may be making tons of money but that doesn't keep people from talking about methods either. If this was actually what was causing the auction ending early problem we've seen for... weeks if not months, it'd be out there already.
Hacks and exploits always get out and found about quickly if they're real because loose lips sink ships as the old saying goes.
Hacks and exploits always get out and found about quickly if they're real because loose lips sink ships as the old saying goes.
That's exactly why I used the WoW dupes as an example in my last post. (this is a D3 forum, I know!) And what about private dupes in D2? Those didn't all become public (right away). Pretty similarly there are very private bots/hacks/tools that are kept that way to lessen the chance of being detected. Sharing is cool and all, but not everyone believes in it.
People usually are a little less willing to part with their money making secrets. Though that doesn't stop them from bragging about how much money they are making and their victims complaining.
Edit: And yeah, I know talking about "mysterious, private" bots/hacks/exploits without a source makes me sound like a less than credible poster, but I can live with that.
Well people may be making tons of money but that doesn't keep people from talking about methods either. If this was actually what was causing the auction ending early problem we've seen for... weeks if not months, it'd be out there already.
Hacks and exploits always get out and found about quickly if they're real because loose lips sink ships as the old saying goes.
And it did get out. Originally it was quiet, no one knew about it, then people started complaining on Blizz forums. Then people started posting on certain 'communities' about it, then people started explaining how the method could work, then guides were written on donator forums. Trust me, I know how information spreads, and this has spread, go research it for yourself
Rollback Post to RevisionRollBack
To post a comment, please login or register a new account.
Also no offense meant to you, seeing as you wrote the article.
Maybe he didn't state it correctly, but the whole "buyout for bid price" is real.
Also, please remember the local system clock + cancel auction issue. The auction house isn't exactly an example of good/proper programming.
You can't "fool" the server into thinking anything. Because the server will check it's records first and foremost. Anything you try to do will be delivered to the server, the server will check to see if it's correct, and then send permission to allow it.
You can change client side data to make it appear like you have more gold. Or maybe even that the buyout on an item is higher than it should be, but you can't change the actual server data.
So if you witnessed it with your own eyes that's more likely. Someone changed the value to show falsely that the buyout was higher in order to trick you into thinking what you saw was genuine.
Ah well, atleast Activision-Blizzard being the excellent and customer friendly company that it is, surely it reimbursed all those who lost gold or even real life money due to a bug within there system... Oh look a flying pig
The system clock made your client believe your Auction still has 5 minutes to cancel, but you don't actually get the item, since the info is on the server. All the client does is simulate what happens and then the servers works out if that's indeed the case.
When the server figures out what you've done it deletes the item as it's simply just an icon in your client and not the actual item that is located on the server.
Ha. Bagstone.
I didn't want to go into too much detail because I don't like people potentially reproducing it themselves or attempting to, considering its base maliciousness.
None taken Just quoting what was said at me, whether what was said was real or not, I have nfi, I did however get to see it live in action from two seperate people, and it was scary easy to pull off.
I would link you the thread, but it's in the private sections of the sites I frequent and I doubt that type of site would be allowed to be linked here to begin with. It only works on items with no buyout though, so pretty easy to not be affected by it.
Edit: I'm not even completely sure if it still works right this moment, but it worked in the past few days.
Ha. Bagstone.
I'm sorry, but I don't believe this for an instant, and I'll tell you why.
The reason I started on a search for this exploit was because there were a large majority of people in Blizzards support forum stating that items they had put up for bid were being sold to people for the bid amount, and ending the auction early. I went from there and took a look at all the local sites related to such nefarious deeds and found quite quickly that there was something to what people were saying.
While idling in the chat on one of these places, I discovered someone who had posted a rough method. This method wasn't entirely accurate, but it was enough that people could tweak and fiddle and get it to work. An hour later, his post was deleted, he had logged off, and his pastebin was also removed. I reposted the data, only to have that quickly deleted also... it was at that point that I knew I had something.
I spoke to a lot of people who stated they had this working. They showed me it working in a live demonstration. They showed me their paypals, they showed me the item in game, they showed me everything. You're saying it can't be done, I've seen it with my own eyes. If I'm known for anything in the journalism circuit it's that one thing with the email list that is embarassing to talk about, but the second thing is my Investigative Journalism skills.
You say this can't work. I say you're wrong.
If it only works in those cases it sounds more like the clock changing thing but the server won't actually send the item when it checks to see if the data is correct.
There is almost 0% chance that a company could forget something like server side checks nowadays. That's how we see every kind of hack so it's the first thing you don't allow is data from clients to just freely do what it wants on the server. That's like, Online Gaming 101. If somehow this was actually possible and Blizzard missed something like that my brain would explode, especially since I'm sure they'd know from WoW how that works.
If it's legit we'd be seeing tons of posts and videos about it.
Now that it's been explained more it sounds like someone trying to fool the clock again to think the auction has ended so your bid would win, which in some weird circumstance for whatever reason MIGHT send out messages that the bid was lost and it's gone now, maybe for some outlandish reason it would send the messages before it checks, but there is no realistic way the server is going to say "Fine yeah, send the item.".
I saw them relist the item on the AH, I saw the item get sold quickly, I saw the Completed Tab light up with an amount in review and the email they had gotten from blizzard stating the item had been sold and was in review. I saw their completed tab history of the same item being purchased-buyout for peanuts and then resold, without the little red ! stating it was still in review.
EDIT for coherence:
Basically their completed tab was like this:
Item x sold
Item x purchased-buyout
Item w sold
Item v sold
Item w purchased - buyout
Item u sold
Item v purchased - buyout
Item u purchased - buyout
There was pages and pages and pages like this. We're not talking like 10 items, we're talking like hundreds, and a paypal history that matched the amounts.
Why would people making loads of money doing something illegal post videos about it. It's not until it gets to the stage that the populace can get their hands on it easily that such videos are made, and this isn't as simple as changing a system clock.
Every single one of the people I spoke to wouldn't share the method, and why the hell would they? I had to PAY people just to get them to show me they had it working and functional. I had posts removed from two places with posts related to this, because of admins trying to hide the hack from knowledge. It might not be enough proof for you, but it is for me.
I haven't seen it in videos, but I've seen before and after screenshots with them having the items. Obviously this isn't very good proof, but I figured I'd add it since the OP said he's seen videos of it. Also on ownedcore (edit this out if you want since you're a mod) it was moved to the elite section pretty fast. The thread there was titled "possible rmah exploit buying items minimum bid."
I know it's vastly different, but I would expect a server side check on something like cancelling your auctions, too.
With how much money there is to be made from it?
I would imagine the only reason it would even be mentioned in public would be because of people that are the victims complaining about it. There are legit WoW dupes too, but I know I couldn't find a legit video of one in action if my life depended on it.
Edit: Also, I'm not 100% sure about this, but I believe the auctions being stuck at 0 gold bids was related to this.
Edit Edit: Ha, Bane.
I see your post saying you'll pay $50 on one of the forums I frequent. Didn't add 2 and 2 together until you posted this.
This made me laugh, heartily and hard.
Hacks and exploits always get out and found about quickly if they're real because loose lips sink ships as the old saying goes.
That's exactly why I used the WoW dupes as an example in my last post. (this is a D3 forum, I know!) And what about private dupes in D2? Those didn't all become public (right away). Pretty similarly there are very private bots/hacks/tools that are kept that way to lessen the chance of being detected. Sharing is cool and all, but not everyone believes in it.
People usually are a little less willing to part with their money making secrets. Though that doesn't stop them from bragging about how much money they are making and their victims complaining.
Edit: And yeah, I know talking about "mysterious, private" bots/hacks/exploits without a source makes me sound like a less than credible poster, but I can live with that.
And it did get out. Originally it was quiet, no one knew about it, then people started complaining on Blizz forums. Then people started posting on certain 'communities' about it, then people started explaining how the method could work, then guides were written on donator forums. Trust me, I know how information spreads, and this has spread, go research it for yourself