WeakAuras security risk...

[askala]

This is NOT good news, as this is probably one of those addons nearly everyone relies on now that WoW loves Procs so much.

http://www.youtube.com/watch?v=zF6C0ogK01Q[/video]

Found out about it here:
http://us.battle.net/wow/en/forum/topic/11836294055

Go to the Youtube page and read the updates - the video maker has been in a dialog with Blizzard who confirms this, and there have already been some patches to address the specific example he shows how to do in the video, but many more issues remain.

[Karavanth]

Correct me if I'm wrong, butthe actual rrisk is in using the malicious strings, correct? The add on itself is fine? I'm at work, and can't watch the video.

[Bio]

The addon itself is safe, yes; the attack is executed via an actual aura. Of course, there are several innocuous ways to come across a compromised aura, some that you probably wouldn't think of (same way you get malware and computer viruses, really), so there's a lesson in caution to be had there.

The addon itself has undergone a number of updates since the video was posted two months ago (there's no timestamps on his edited "UPDATE"s, but the second-most-recent mentions 2.0.1 R18 and the current WA revision is 2.0.5), so it's tough to say exactly how much of the malicious functionality has been curtailed. Still probably a good lesson in computer security, even if it's all fixed.

[askala]

Yes. The risk is basically about grabbing WA strings off of the interwebz and just throwing them in there.

People often assume addons can't access things unsafe - and that's true. But they can take actions for you in game, even with no onscreen cue / animation.

In the video, he has WA's mail 10,000 gold from one of his alts to another, and nothing shows onscreen except the little text 'Mail Sent' after it is over and done. And he then notes: this one is the easy and obvious one - on some imports you won't even see that there is an entry in the actions section.

My advice would be that if you find some perfect WA concept, learn the addon and make it yourself using their advice on what you want it to show. Somebody posts a WA idea to show your key rotation in order - recreate that manually.

For the things one actually NEEDS to see a cue for, things like procs for "OMG you have the bad debuff, run!" - that is very easy to manually remake once you know the name of the thing to look for.

For the more complex WAs you can find online, like one I've seen that shows the entire paladin rotation and tells you what button to hit and in what order... just learning the class itself makes such a WA un-needed anyway.

My own plan is to wipe my WAs out and remake them. I've already been finding I have loaded myself down with too many of them and have a few procs showing up that I don't know the purpose of. So this is just a good excuse to houseclean.

[Thangdor]

They need to make gold BoA just like Diablo.

Also remove the AH.