Nasty Auction House Exploit

There has been a nasty auction house exploit doing the rounds today and I have held off posting about it assuming that it would be sorted pretty quickly. Last time I looked into this which was a few hours ago there was still a problem so I thought I had better bring this to your attention as TJP over at the AB confirmed it was still active quite recently.Blizzard shut down the original thread about this on the official boards pretty quickly this afternoon.

With some crafty HEX editing, some people have managed to mess with the auction house UI and system time to enable them to get hold of an item for the starting value and not the buyout value by switching the buttons around. Not having tested this myself, I am not quite sure if it has been fixed now, but it is real and it is a rather nasty exploit. I hope it’s sorted now because it has been doing the rounds for well over half a day.

Related to this article
  • Diablo 3 Leaderboard removals and suspensions dished out
  • Blizzard share their Philosophy on combating Diablo 3 Exploits
  • Legendary Gem Exploiters Apparently Rolling back Blizzard’s Rollback

  • You're not logged in. Register or login to post a comment.

    51 thoughts on “Nasty Auction House Exploit

    1. ok, if that’s true, then somebody at Blizzard needs to be fired

      who is responsible for designing the AH this way ?
      for designing the client/server this way ?
      for doing programming this way ?
      and for overseeing and doing code reviews ?

      seriously ? Hex editing and moving buttons around ? !

      • Oh look the guy who trolls all is reacting first.

        Session spoofing wasn’t true, in fact it was a big fat lie.

        Blizzard responsible for your PC security was a big fat lie too.

        Now you are in here screaming again.

        Without proof.

        I wonder what is the meaning of your life ?

        Blizzard controls the servers. No problem, they can trace it all.

        What do you think you are son ?

        • well, I’m smarter than you
          that’s for sure

          did I report the exploit ?

          did I write the news story on the front page ?

          so what is this nonsense you’re saying about me screaming without proof ?

          or perhaps you were referring to Rushster ?
          because he is the one who reported and wrote the story
          or perhaps you were referring to the people at the Amazon Basin who confirmed the exploit ?

          now, just in case you were referring to me, did you not see where I said, “IF that’s true”

          one more time, because I can tell you have a reading comprehension problem, “IF that’s true”

          so I’m not screaming without proof,. I’m saying “IF”

          and I don’t know why you call me a troll
          it’s pretty obvious you don’t know the meaning of the word

          now, since you wondered about the meaning of my life, I’ll tell you

          its to point out the illogical arguments of people
          and I’m pretty good at it
          especially when people like you make it so easy

          now, a few questions for you

          do you really believe that kind of design/coding mistake is ok ?
          especially in a company like Blizzard ?
          especially with something like the AH that has to maintain the consumer’s trust ?

          You certainly seem to think its ok, you say ,”No problem, they can trace it all”

          You really don’t see a problem ?
          The AH is the way Blizzard makes money. Its the way to keep people interested and playing the game.
          Once players lose confidence in the fairness and security of the AH don’t you think they’ll be wary of using it ?
          You really don’t see that as a problem ?

          If you do disagree the person(s) responsible should be fired, and IF that exploit is true, then what should happen to the people responsible ?

          • No proof was delivered.

            You shoot innocent people.

            Neither was there any proof of session spoofing and breaching Blizzard account security.

            Both times you jumped the gun too quickly.

            I don’t think you’re smart: you are just anxious to piss on Blizzard for whatever reason at whatever occasion.

            • “you are just anxious to piss on Blizzard for whatever reason at whatever occasion.”

              when Blizzard announced no skill points I came on here and said it was a great idea, innovative and that if Torchlight 2 kept skill points it would make them seem ancient and using outdated mechanics

              when they announced arena PvP and getting rid of “hostile” I jumped for joy and posted on here that I thought it was a great move and vastly increase the number of players interested in PvP

              I still think the PvP patch will bring back many of the players who have left the game

              but you’re correct that I will piss on Blizzard, but only when they deserve it

              let’s say I went to an ATM (Automatic Teller Machine) at a bank
              I want to withdraw some money from my account
              the screen display 3 buttons
              1) $20
              2) $100
              3) some other amount

              I, somehow, rearrange the buttons so that its
              1) $100
              2) $20
              3) some other amount

              then I press button (1)
              the machine gives me $100 but only subtracts 20 from my account

              that’s basically what they’re saying is happening

              like Nathan posted below, IF this is true then “This is mindblowingly niave, like freshman undergrad computer science niave. It completely boggles the mind how the architecture was built this way.”

      • On the notion that somebody should be fired over this:

        It requires some serious out-of-the box thinking to even arrive at the notion that something like this is possible. You shouldn’t expect a coder to have thought of this specific circumstance (or whatever circumstance it actually is) and made sure it can’t happen. Would you want the same standards placed on your work?

        • Holy shit. You must not be a programmer. In this case, the server has been built to trust the client on whether the timestamp (!!) and the transaction (!!) are valid. This is mindblowingly niave, like freshman undergrad computer science niave. It completely boggles the mind how the architecture was built this way. Especially when dealing with *real money*. It means so many failure modes have happened at Blizzard, it’s astonishing. They have junior developers working on real money systems with out the supervision or review of a senior architect. This isn’t about the code written that controls the buttons… this is about the code that controls the REAL MONEY transactions in their REAL MONEY system.

          Yes, real people should be fired.

          • Let me put it another way. I walk up to the counter at Best Buy and tell the clerk “Hi! I’m going to buy this tv for $1.” The clerk, rather than scanning the item and checking whether or not the TV is actually priced for $1, instead ASKS ME “Oh ok, so is it ok that I sell you this for a $1?” I, of course, say yes, the clerk takes my dollar, and I walk away gleefully, having successfully just stolen a TV.


          • What, you mean Blizzard’s coders were smart.

            Are we talking about the same coders that used client side time for auction listings – the same people that let us cancel our auctions if we rolled back the clock on our computer.

            No, Blizzard’s coders are far from brilliant. I’m not at all surprised that this happened.

            • @a bunch of people apparently

              *sigh* well I’m glad you hot-heads aren’t the ones making decisions over there. And I’m also glad that you don’t make mistakes in whatever your job is.

              I will say that being the one who is potentially affected, you do have every right to be mad.

      • Dude you guys need to chill.
        Blizzard doesn’t have much experience with Auction House systems.

    2. I wasn’t against the online-only DRM until I considered that offline play also gave people (who want to) a chance to screw royally with the game code quarantined away from the official online version.

      • Online only DRM means shit to anyone who wants to cheat. If a person wants it bad enough they are gonna do it the only thing DRM did was slow them down a month or two.

        • Just imagine what would have happened if Blizzard would have distributed a full off line playable version in a TRADING PC game ?

          1. Diablo 3 would be hacked and distributed on every copy site a few days before the official launch.
          2. The game would have been unplayable at all since every item would be hacked,
          3. The illegal trading of duped items would have been totally out of control.
          4. Every official player would stop playing within 3 days as everyone would have the best possible gear by just downloading the hacks.
          By making D3 server controlled Blizzard can control these things much better and fix them when some lunatic could find an exploit.

          On line is not DRM. In fact Drm required an original disk in your system and internet check ups.

          Diablo3 is simply an on line [email protected] and trading game just like 10.000’s of web browser, I Pad and PvP internet game.

          Only this time Blizzard can fight these mechanics because they control the systems in the end.

          Every 8 year old would understand the above. But apparently the Diablo community is not up to this logic yet.

          • > 1. Diablo 3 would be hacked and distributed on every copy site a few days before the official launch.

            True, but people still would have bought it so that they could play on Just like they bought D2.

            > 2. The game would have been unplayable at all since every item would be hacked,

            Yes, a couple exploits that allowed the hacking of items were found for D2. These exploits *never* went public. They were not found (or at least were not used in a noticeable way) until 1.09. That leaves all of D2C, and all of 1.10 without ‘hacked’ items. So yeah, D2 was pretty broken for ~2/12 years it was around. There’s no guarantee that we won’t see such exploits for D3. Online only makes finding such exploits a little harder, it doesn’t actually make them not exist.

            > 3. The illegal trading of duped items would have been totally out of control.

            See the last sentence above.

            > 4. Every official player would stop playing within 3 days as everyone would have the best possible gear by just downloading the hacks

            Because that totally happened in D2.

            > Only this time Blizzard can fight these mechanics because they control the systems in the end.

            They “control the systems,” whatever that means, in D2. D2 is just poorly coded. It seems that D3 is equally poorly coded.

    3. I have noticed a few of my items selling for less than the buyout price -15%. This could explain that. It’s an easy fix on Blizzard’s end since HEX is such an ancient method.

      Even if Blizzard spent another 10 years on the game, people would still find exploits; that’s just how people work.

      • Eh, if switching the buttons works, presumably that means you could just do it via packet sending too… hex editing just makes things easier.

        • It is likely that packets involved in the auction house system are encrypted in some way, so packet spoofing may not be possible.

          • You can MITM encrypted traffic when you’re not actually in the middle. It involves a little bit of memory reading, but it’s still quite possible to do without editing any hex.

      • ‘hex’ is not ancient, it’s simply a way of representing bytes. Everything on your computer uses bytes, so you will always be able to change the programs by using ‘hex’. By changing some hex, you are simply changing some bytes that contain commands for your computer (or literal numbers the program is comparing with in some cases).

        There is no way to protect against somebody changing your program, except by checking server side if the packets the client has sent are valid. Apparently blizzard fails to do so, which is really really bad. It’s like performing user form validation in javascript on a webpage and neglecting to validate it again on your php page. Anybody can change the javascript easily with for example firebug etcetera. In the same way everybody can easily change the diablo client with a debugger.

        To be honest, if this kind of thing really works… I’m just shocked that even rich companies like blizzard aren’t up to par with real basic security. I’ve encountered similar things in ‘smaller’ games, but I could forgive them on account of not having the funds to hire quality software engineers.

        • I presume he meant to say, that in terms of security breaches / hacking methods, hex editing is very ancient, because it is.

    4. Hehh,. they really made some messups with the auction house so far.

      Why didn’t they just copy the AH code from WoW,. I wonder..

    5. Why the hell does this work? Also why haven’t blizzard brought it down until they patch it.
      I agree with jamesL that someone head should roll if it’s really true, if not the whole AH team.

      • “Eh Bobby I say hey come up ere boi… Oh dang he done gone an chit himself again”

    6. Oh my even the AH isnt safe anymore???

      On the EU forums people are raging cause they feel that blizzard is protecting ingame tradewindow scammers. This one guy Nition is even using the forums to taunt his victims after he scammed them for items worth of up to 100’s of millions. Yet nothing happens hehe. Oh well the threats get closed ofc when people start threatining his person but other than that guys like Nition are still going strong scamming.

      Good thing i dont trade and chose to play D3 like it was a singleplayer game it seems.

    7. I have hard time believing it is true, somebody tell me that auction house buying logic is working on client side ? This is like building ebay and able to do anything just by modifying source page.

      If it is true, then well I have no words.

    8. No proof whatsoever..

      If so post a video of it happening.

      Classify it with the multi player session spoofing troll myths.

      This game is soooo much trolled with lies it is incredible.

      And it is about time this site CHECKS first before publishing.

      “i didn’t control it or check it but still wanted to make headline ” is … garbage journalism

      Did you know you can hack any BattleNet account … when you defeat Diablo 3 on Inferno with 5 different classes ?

      It is true. I read it on a forum and 3 other threads confirmed it before being deleted by Blizzard.

    9. This has actually been going on for about two weeks now but I’m still unconvinced that it’s simple ui-tweaking in a hex program. However, there’s been more than ample evidence of two things happening:

      1. Items being bought out for the bid price (or even lower).
      2. Auctions being ended with a very low bid well before the auction was set to end.

      Oh, and I’m not interested in drowning in benbos’ tears. Things happen. Nobody is perfect. The team who made Diablo III is certainly far from it.

    10. You all can believe whatever you want but this has been going on longer than you think. A week or more ago I quit giving ranges, setting the intro and buyout exactly the same. It’s a no-brainer that something is wrong when items you list are gone within an hour and you didn’t receive the buyout.

    11. Something like that should not be possible. Alot of these hacks I have read about are above anything I can do, but surely Blizz has some people that go through and test for obvious hacks? I realize whatever they do, there will be people trying to screw with it, especially with real money involved. But damn, cant people just play a freakin video game?

    12. I don’t so much care that it happened; however, I am curious as to what Blizz is going to do for the people that it happened to. So far I am thoroughly unimpressed with their “solutions” at every level, on every issue.

      • They could “technically” rollback all auctions that were affected by this exploit but i don’t see it happening, especially not the RMAH with real $/paypal involved.

    13. I was a victim of this on the GOLD AH. All I’ve started doing is making my starting price higher. Problem solved.

    14. As I said, prove it or it didn’t happen.

      Should be quite easy to prove: make it so and put it on video. “some crafty hex editing…”


      I am fed up with these unfounded accusations.

      Session spoofing, Bizzard account hacking through Blzzard servers etc …

      All fat lies. Why ?

      I don’t even want to know.

      • I agree on the proof, but I seriously doubt any one will provide it. Remember that black smithing salvage dupe video about a week ago? A lot of people saw that it was spliced, but some said it was a real exploit. No one provided a real working. Ideo, even one poster who said he had it working and would provide a video ASAP.

        Haters gonna hate on this game. But instead of hating it for valid reasons, they will create fabricated lies to hide behind (and justify) their hate.

        • Ever hear of the term “the burden of proof is on the accuser”? It means if you make an accusation, you need some proof to back it up (sorry, saying you can’t prove it didn’t happen is not a valid argument). No one has come forward with proof besides some guesses of how this is done. Those people who said they were effected havnt posted screen shots, videos, or even them supposively performing this exploit.

    15. I think a proof is required. In fact, I don’t think mods should be posting something like this without having test it themselves.

    16. Kicking single players to the curb really did not solve the problem with cheaters, did it? Fanbois swore up and down that it would because Blizzard said so. Rational fans knew better.

    17. Hi everyone.

      There are other exploits, such as creating auctions and having the auction immediately sell for the price specified using a similar method, and it seems undetectable.

      Software engineers feel that it’s really discomforting to see an issue like this in a video game, and it makes anyone in the field feel that this was intentionally done so.

      The designers made absolutely no attempt to disguise the addresses, either, which is disheartening, or maybe just screams “rushed” on the auction house. Still, you would think that the client wouldn’t be assumed correct.

    Comments are closed.