Another security warning
Catriona R
2013-12-07 01:10:24 UTC
Never mind outside the game - beware of ingame messages too!
Apparently, it's possible with some addons which let people share
custom settings with others (via whispering a link or code), to inject
code which doesn't do what you might be expecting... things like, mail
all your gold to someone else, or trade it all to someone. Seems to be
mainly WeakAuras and maybe TellMeWhen affected at present, but by the
sounds of things, pretty much any similar addon which lets you share
codes/settings with other users is a risk. Seems it's only a problem
if you click the link to run it, so lesson of the day: don't accept
things like that from untrusted sources, just in case!

http://us.battle.net/wow/en/forum/topic/10780477954?page=1
Peter T.
2013-12-07 01:30:29 UTC
Post by Catriona R
Never mind outside the game - beware of ingame messages too!
Apparently, it's possible with some addons which let people share
custom settings with others (via whispering a link or code), to inject
code which doesn't do what you might be expecting... things like, mail
all your gold to someone else, or trade it all to someone. Seems to be
mainly WeakAuras and maybe TellMeWhen affected at present, but by the
sounds of things, pretty much any similar addon which lets you share
codes/settings with other users is a risk. Seems it's only a problem
if you click the link to run it, so lesson of the day: don't accept
things like that from untrusted sources, just in case!
http://us.battle.net/wow/en/forum/topic/10780477954?page=1
Thanks for the info, Cat. I have WeakAuras installed, but I really don't
use it. So I'm not sure if I'm at risk or not.
--
Peter T.

<https://elite.frontier.co.uk/>
Catriona R
2013-12-07 02:01:00 UTC
Post by Peter T.
Post by Catriona R
Never mind outside the game - beware of ingame messages too!
Apparently, it's possible with some addons which let people share
custom settings with others (via whispering a link or code), to inject
code which doesn't do what you might be expecting... things like, mail
all your gold to someone else, or trade it all to someone. Seems to be
mainly WeakAuras and maybe TellMeWhen affected at present, but by the
sounds of things, pretty much any similar addon which lets you share
codes/settings with other users is a risk. Seems it's only a problem
if you click the link to run it, so lesson of the day: don't accept
things like that from untrusted sources, just in case!
http://us.battle.net/wow/en/forum/topic/10780477954?page=1
Thanks for the info, Cat. I have WeakAuras installed, but I really don't
use it. So I'm not sure if I'm at risk or not.
By the sounds of things, you should be ok, just don't accept custom
auras from other people; it seems to be accepting user-created scripts
that does it, as you don't know what's in said scripts. Update to the
newest version as well, there's a few safeguards been added (doesn't
prevent everything 100% but helps a lot, by the sounds of it). Or if
you don't use it at all, I guess you can remove instead!

Never crossed my mind that addons could be vulnerable to things like
that; always assumed that using addons from trusted sources was all
the security I needed. Hah, well, glad to have not learned the hard
way, fortunately I don't use any features likely to be risky, but now
I'm warned, I won't start using anything like that (frankly I'm not
social enough to be sharing settings with other people anyway but
still!). Might reassess my addon usage and see what I can prune too,
problem is I'm so used to most of them that there's pretty much none I
would want to remove (every patch that messes with UI stuff makes me
try to prune them a bit when half my addons break lol... never do get
rid of many!)

What's the betting a future patch will crack down on a few features...
gotta say, it should not be possible to send money in mail or trade
gold without any "are you sure?" safeguards to make sure the user is
actually aware of it, that's on Blizzard's end rather than the fault
of any addon authors. I'm fairly confident by the time 6.0 comes round
that'll be tightened up a bit now they know this exists, just hope it
doesn't screw over too many established, useful and so far safe
addons!
Lewis
2013-12-07 01:59:08 UTC
Post by Catriona R
Never mind outside the game - beware of ingame messages too!
Apparently, it's possible with some addons which let people share
custom settings with others (via whispering a link or code), to inject
code which doesn't do what you might be expecting... things like, mail
all your gold to someone else, or trade it all to someone. Seems to be
Who told you that? None of that is possible.

Trades and gold mailing absolutely require a confirmation, sent by the
server, that the client must physically click. Anyone claiming otherwise
is either an ignorant fool or a liar.
Post by Catriona R
mainly WeakAuras and maybe TellMeWhen affected at present, but by the
sounds of things, pretty much any similar addon which lets you share
codes/settings with other users is a risk. Seems it's only a problem
if you click the link to run it, so lesson of the day: don't accept
things like that from untrusted sources, just in case!
http://us.battle.net/wow/en/forum/topic/10780477954?page=1
I notice there's no confirmation from a blue post.

I used to have an addon for my mule that automatically mailed all but
100g to my main anytime I went to a mailbox, so I remember clearly when
they added the confirmation.
--
If at first you don't succeed, put it out for beta test.
Catriona R
2013-12-07 02:06:27 UTC
On Sat, 7 Dec 2013 01:59:08 +0000 (UTC), Lewis
Post by Lewis
Post by Catriona R
Never mind outside the game - beware of ingame messages too!
Apparently, it's possible with some addons which let people share
custom settings with others (via whispering a link or code), to inject
code which doesn't do what you might be expecting... things like, mail
all your gold to someone else, or trade it all to someone. Seems to be
Who told you that? None of that is possible.
Trades and gold mailing absolutely require a confirmation, sent by the
server, that the client must physically click. Anyone claiming otherwise
is either an ignorant fool or a liar.
Well, the people who it's happened to in the thread linked, seem to
think it happened... I'll believe them until proven otherwise.
Post by Lewis
Post by Catriona R
mainly WeakAuras and maybe TellMeWhen affected at present, but by the
sounds of things, pretty much any similar addon which lets you share
codes/settings with other users is a risk. Seems it's only a problem
if you click the link to run it, so lesson of the day: don't accept
things like that from untrusted sources, just in case!
http://us.battle.net/wow/en/forum/topic/10780477954?page=1
I notice there's no confirmation from a blue post.
Last post on the thread, blue response. Of course they're not going to
shout "hey this is how the exploit works" until they can fix it, as
it'll only get more people using it, but the wording of that reply
sounds like they're taking it seriously.
Post by Lewis
I used to have an addon for my mule that automatically mailed all but
100g to my main anytime I went to a mailbox, so I remember clearly when
they added the confirmation.
Doesn't necessarily mean people haven't found a way round it now
though. In any case, being careful is never a bad thing, and hearing
about this is a good reminder to be careful what dodgy scripts one
chooses to accept from random people ;-)
Lewis
2013-12-08 03:27:21 UTC
Post by Catriona R
On Sat, 7 Dec 2013 01:59:08 +0000 (UTC), Lewis
Post by Lewis
Post by Catriona R
Never mind outside the game - beware of ingame messages too!
Apparently, it's possible with some addons which let people share
custom settings with others (via whispering a link or code), to inject
code which doesn't do what you might be expecting... things like, mail
all your gold to someone else, or trade it all to someone. Seems to be
Who told you that? None of that is possible.
Trades and gold mailing absolutely require a confirmation, sent by the
server, that the client must physically click. Anyone claiming otherwise
is either an ignorant fool or a liar.
Well, the people who it's happened to in the thread linked, seem to
think it happened... I'll believe them until proven otherwise.
Post by Lewis
Post by Catriona R
mainly WeakAuras and maybe TellMeWhen affected at present, but by the
sounds of things, pretty much any similar addon which lets you share
codes/settings with other users is a risk. Seems it's only a problem
if you click the link to run it, so lesson of the day: don't accept
things like that from untrusted sources, just in case!
http://us.battle.net/wow/en/forum/topic/10780477954?page=1
I notice there's no confirmation from a blue post.
Last post on the thread, blue response. Of course they're not going to
shout "hey this is how the exploit works" until they can fix it, as
it'll only get more people using it, but the wording of that reply
sounds like they're taking it seriously.
Post by Lewis
I used to have an addon for my mule that automatically mailed all but
100g to my main anytime I went to a mailbox, so I remember clearly when
they added the confirmation.
Doesn't necessarily mean people haven't found a way round it now
though. In any case, being careful is never a bad thing, and hearing
about this is a good reminder to be careful what dodgy scripts one
chooses to accept from random people ;-)
After a little more consideration I suppose it is possible that Blizzard
screwed up and left a hole in the trade/mail security. A script is not
exactly the same as an addon.
--
Thunder rolled... It is said that the gods play games with the fates of
men. But what games, and why, and the identities of the actual pawns,
and what the game is, and what the rules are - who knows? Best not to
speculate. Thunder rolled... It rolled a six. --Guards! Guards!
r***@lava.net
2013-12-08 05:06:31 UTC
On Sun, 8 Dec 2013 03:27:21 +0000 (UTC), Lewis
Post by Lewis
Post by Catriona R
On Sat, 7 Dec 2013 01:59:08 +0000 (UTC), Lewis
Post by Lewis
Post by Catriona R
Never mind outside the game - beware of ingame messages too!
Apparently, it's possible with some addons which let people share
custom settings with others (via whispering a link or code), to inject
code which doesn't do what you might be expecting... things like, mail
all your gold to someone else, or trade it all to someone. Seems to be
Who told you that? None of that is possible.
Trades and gold mailing absolutely require a confirmation, sent by the
server, that the client must physically click. Anyone claiming otherwise
is either an ignorant fool or a liar.
Well, the people who it's happened to in the thread linked, seem to
think it happened... I'll believe them until proven otherwise.
Post by Lewis
Post by Catriona R
mainly WeakAuras and maybe TellMeWhen affected at present, but by the
sounds of things, pretty much any similar addon which lets you share
codes/settings with other users is a risk. Seems it's only a problem
if you click the link to run it, so lesson of the day: don't accept
things like that from untrusted sources, just in case!
http://us.battle.net/wow/en/forum/topic/10780477954?page=1
I notice there's no confirmation from a blue post.
Last post on the thread, blue response. Of course they're not going to
shout "hey this is how the exploit works" until they can fix it, as
it'll only get more people using it, but the wording of that reply
sounds like they're taking it seriously.
Post by Lewis
I used to have an addon for my mule that automatically mailed all but
100g to my main anytime I went to a mailbox, so I remember clearly when
they added the confirmation.
Doesn't necessarily mean people haven't found a way round it now
though. In any case, being careful is never a bad thing, and hearing
about this is a good reminder to be careful what dodgy scripts one
chooses to accept from random people ;-)
After a little more consideration I suppose it is possible that Blizzard
screwed up and left a hole in the trade/mail security. A script is not
exactly the same as an addon.
If I could jump in here for a moment...

I don't have 'add-ons' for a variety of reasons. But one thing I have
noticed, in the last two months, is that I'm finding that
the 'friends' notice ("Iwana be your friend") - when opened - contains
a gold for sale announcement.

When these folks did this in the main dialog box there was/is a simple
way to bring it to the attention of the 'proper authorities'. Is WoW
aware this is occurring through this menu? How can I rat them out?

- vetred, on the Steamwheedle server
Lewis
2013-12-08 06:31:15 UTC
Post by r***@lava.net
On Sun, 8 Dec 2013 03:27:21 +0000 (UTC), Lewis
Post by Lewis
Post by Catriona R
On Sat, 7 Dec 2013 01:59:08 +0000 (UTC), Lewis
Post by Lewis
Post by Catriona R
Never mind outside the game - beware of ingame messages too!
Apparently, it's possible with some addons which let people share
custom settings with others (via whispering a link or code), to inject
code which doesn't do what you might be expecting... things like, mail
all your gold to someone else, or trade it all to someone. Seems to be
Who told you that? None of that is possible.
Trades and gold mailing absolutely require a confirmation, sent by the
server, that the client must physically click. Anyone claiming otherwise
is either an ignorant fool or a liar.
Well, the people who it's happened to in the thread linked, seem to
think it happened... I'll believe them until proven otherwise.
Post by Lewis
Post by Catriona R
mainly WeakAuras and maybe TellMeWhen affected at present, but by the
sounds of things, pretty much any similar addon which lets you share
codes/settings with other users is a risk. Seems it's only a problem
if you click the link to run it, so lesson of the day: don't accept
things like that from untrusted sources, just in case!
http://us.battle.net/wow/en/forum/topic/10780477954?page=1
I notice there's no confirmation from a blue post.
Last post on the thread, blue response. Of course they're not going to
shout "hey this is how the exploit works" until they can fix it, as
it'll only get more people using it, but the wording of that reply
sounds like they're taking it seriously.
Post by Lewis
I used to have an addon for my mule that automatically mailed all but
100g to my main anytime I went to a mailbox, so I remember clearly when
they added the confirmation.
Doesn't necessarily mean people haven't found a way round it now
though. In any case, being careful is never a bad thing, and hearing
about this is a good reminder to be careful what dodgy scripts one
chooses to accept from random people ;-)
After a little more consideration I suppose it is possible that Blizzard
screwed up and left a hole in the trade/mail security. A script is not
exactly the same as an addon.
If I could jump in here for a moment...
I don't have 'add-ons' for a variety of reasons. But one thing I have
noticed, in the last two months, is that I'm finding that
the 'friends' notice ("Iwana be your friend") - when opened - contains
a gold for sale announcement.
I have an anti-spam addon, so I never see these.
Post by r***@lava.net
When these folks did this in the main dialog box there was/is a simple
way to bring it to the attention of the 'proper authorities'. Is WoW
aware this is occurring through this menu? How can I rat them out?
If you see their nicks you can right-click and report for spam.
--
Mirrors contain infinity. Infinity contains more things than you think.
Everything, for a start. Including hunger. Because there's a million
billion images, but only one soul to go around. --Witches Abroad
r***@lava.net
2013-12-09 00:29:08 UTC
On Sun, 8 Dec 2013 06:31:15 +0000 (UTC), Lewis
Post by Lewis
Post by r***@lava.net
On Sun, 8 Dec 2013 03:27:21 +0000 (UTC), Lewis
Post by Lewis
Post by Catriona R
On Sat, 7 Dec 2013 01:59:08 +0000 (UTC), Lewis
Post by Lewis
Post by Catriona R
Never mind outside the game - beware of ingame messages too!
Apparently, it's possible with some addons which let people share
custom settings with others (via whispering a link or code), to inject
code which doesn't do what you might be expecting... things like, mail
all your gold to someone else, or trade it all to someone. Seems to be
Who told you that? None of that is possible.
Trades and gold mailing absolutely require a confirmation, sent by the
server, that the client must physically click. Anyone claiming otherwise
is either an ignorant fool or a liar.
Well, the people who it's happened to in the thread linked, seem to
think it happened... I'll believe them until proven otherwise.
Post by Lewis
Post by Catriona R
mainly WeakAuras and maybe TellMeWhen affected at present, but by the
sounds of things, pretty much any similar addon which lets you share
codes/settings with other users is a risk. Seems it's only a problem
if you click the link to run it, so lesson of the day: don't accept
things like that from untrusted sources, just in case!
http://us.battle.net/wow/en/forum/topic/10780477954?page=1
I notice there's no confirmation from a blue post.
Last post on the thread, blue response. Of course they're not going to
shout "hey this is how the exploit works" until they can fix it, as
it'll only get more people using it, but the wording of that reply
sounds like they're taking it seriously.
Post by Lewis
I used to have an addon for my mule that automatically mailed all but
100g to my main anytime I went to a mailbox, so I remember clearly when
they added the confirmation.
Doesn't necessarily mean people haven't found a way round it now
though. In any case, being careful is never a bad thing, and hearing
about this is a good reminder to be careful what dodgy scripts one
chooses to accept from random people ;-)
After a little more consideration I suppose it is possible that Blizzard
screwed up and left a hole in the trade/mail security. A script is not
exactly the same as an addon.
If I could jump in here for a moment...
I don't have 'add-ons' for a variety of reasons. But one thing I have
noticed, in the last two months, is that I'm finding that
the 'friends' notice ("Iwana be your friend") - when opened - contains
a gold for sale announcement.
I have an anti-spam addon, so I never see these.
Post by r***@lava.net
When these folks did this in the main dialog box there was/is a simple
way to bring it to the attention of the 'proper authorities'. Is WoW
aware this is occurring through this menu? How can I rat them out?
If you see their nicks you can right-click and report for spam.
Mahalo Lewis

Vetred on the Steamwheedle server