WeakAuras security risk...

askala
Senior Sergeant
Posts: 93
Joined: Sun Feb 09, 2014 4:12 am
Class: Monk
Spec: Tank
Location: California

WeakAuras security risk...

Post by askala » Fri Feb 28, 2014 12:59 pm

This is NOT good news, as this is probably one of those addons nearly everyone relies on now that WoW loves Procs so much.

http://www.youtube.com/watch?v=zF6C0ogK01Q

Found out about it here:
http://us.battle.net/wow/en/forum/topic/11836294055

Go to the YouTube page and read the updates - the video maker has been in a dialog with Blizzard, who confirms this, and there have already been some patches to address the specific example he shows how to do in the video, but many more issues remain.
Main: Rank 4 Brewmaster - cause that's how I roll
Primary Alt:
Kichwas - Warrior (90 Prot/Fury) Pandaren - RANK 3 Prot.
Assorted alts:
Paititi - Mage (90 Frost/Arcane) Pandaren
Binghi - Priest (90 Holy/Disc) Troll
Springneedle - Rogue (90 Combat) Goblin
Nyabinghi - Paladin (90 Prot/Holy) Tauren
Asante - Druid (86 Guard/Resto) Tauren
Rastafari music playlist

Karavanth
High Warlord
Posts: 4571
Joined: Wed Nov 28, 2007 7:48 pm
Class: Monk
Spec: Melee DPS
Location: Half awake, in a fake empire.

Re: WeakAuras security risk...

Post by Karavanth » Fri Feb 28, 2014 1:14 pm

Correct me if I'm wrong, but the actual risk is in using the malicious strings, correct? The addon itself is fine? I'm at work, and can't watch the video.

Bio
Tribe Elder | Warlock Champion
Posts: 6763
Joined: Thu Jun 30, 2005 12:08 pm
Class: Warlock
Spec: Tank
Location: Canadia

Re: WeakAuras security risk...

Post by Bio » Fri Feb 28, 2014 1:47 pm

The addon itself is safe, yes; the attack is executed via an actual aura. Of course, there are several innocuous ways to come across a compromised aura, some that you probably wouldn't think of (same way you get malware and computer viruses, really), so there's a lesson in caution to be had there.

The addon itself has undergone a number of updates since the video was posted two months ago (there are no timestamps on his edited "UPDATE"s, but the second-most-recent mentions 2.0.1 R18 and the current WA revision is 2.0.5), so it's tough to say exactly how much of the malicious functionality has been curtailed. Still probably a good lesson in computer security, even if it's all fixed.
Bio Rank 3 Destruction (DPS)

askala
Senior Sergeant
Posts: 93
Joined: Sun Feb 09, 2014 4:12 am
Class: Monk
Spec: Tank
Location: California

Re: WeakAuras security risk...

Post by askala » Fri Feb 28, 2014 2:16 pm

Yes. The risk is basically about grabbing WA strings off of the interwebz and just throwing them in there.

People often assume addons can't access things unsafe - and that's true. But they can take actions for you in game, even with no onscreen cue / animation.

In the video, he has WA's mail 10,000 gold from one of his alts to another, and nothing shows onscreen except the little text 'Mail Sent' after it is over and done. And he then notes: this one is the easy and obvious one - on some imports you won't even see that there is an entry in the actions section.

My advice would be that if you find some perfect WA concept, learn the addon and make it yourself using their advice on what you want it to show. Somebody posts a WA idea to show your key rotation in order - recreate that manually.

For the things one actually NEEDS to see a cue for, things like procs for "OMG you have the bad debuff, run!" - that is very easy to manually remake once you know the name of the thing to look for.

For the more complex WAs you can find online, like one I've seen that shows the entire paladin rotation and tells you what button to hit and in what order... just learning the class itself makes such a WA un-needed anyway.

My own plan is to wipe my WAs out and remake them. I've already been finding I have loaded myself down with too many of them and have a few procs showing up that I don't know the purpose of. So this is just a good excuse to houseclean.

Thangdor
Tribe Chieftain
Posts: 4864
Joined: Mon Aug 01, 2005 12:29 pm
Location: Oregon

Re: WeakAuras security risk...

Post by Thangdor » Fri Feb 28, 2014 3:33 pm

They need to make gold BoA just like Diablo.

Also remove the AH.
Thangdor - Rank 3 Balance (main), Rank 3 Guardian (offspec), Rank 3 Restoration (offspec)
