Account Recovery Bug

Denial · November 25, 2003, 03:19 AM

Wow that was fun to watch today i figured out how to do it after a while but i didn't take any accounts. I did manage to create a few to save some peoples d2 accounts on ladder. Blizzard suspended account recovery for now so that's that.

Since it's already out to how to do it i wont bother posting how to do it since most people by the time they read this will already know

"A vulnerability relating to abusing the account recovery system has been fixed. Affected characters will be restored where possible, as quickly as we can. Everyone caught abusing this system will have their accounts closed and cd-keys banned from Battle.net. We apologize for the trouble this has caused.
--------------------------------------------------------------------------------
The Battle.net Team "

j0k3r · November 25, 2003, 06:31 AM

Well, share with those who don't know.

Zerg · November 25, 2003, 07:30 AM

We can't call back for our accounts anymore?(including the cd key)

Naem · November 25, 2003, 03:27 PM

The exploit was incredibly simple.

- Register a person's account on another realm. You put in an email address that you can access.

- Attempt password recovery from that account.

- You will get an E-mail from blizzard asking for confirmation of the password recovery. The email originates from "account.password.recovery@<yourrealm>.battle.net".

- To confirm the recovery you normally just have to reply to the email with the body quoted. To steal the person's account on the other realm, you just reply to the email, however, send the reply to <theirrealm>.battle.net. Their password would reset and be given to you.

Denial · November 25, 2003, 03:44 PM

yep but the question would be? would it work on rep accounts? i thought of the idea when they patched it? cause most reps dont keep their names on asia active

Hostile · November 25, 2003, 04:30 PM

lol, so they fixed the problem and to all those people who lost their accounts, better luck next time! As of right now they just have registration closed altogather, perhaps they will reopen with ability to recovery via cdkey.

Denial · November 26, 2003, 12:44 PM

ha blizzard made their name's more secure to like name.support@blizzard

Zerg · November 26, 2003, 03:10 PM

Quote from: Hostile on November 25, 2003, 04:30 PM
lol, so they fixed the problem and to all those people who lost their accounts, better luck next time! As of right now they just have registration closed altogather, perhaps they will reopen with ability to recovery via cdkey.

Ack! This means they have closed the ability to get accounts via cdkey?!?