Greedy Goblin

Tuesday, October 18, 2011

Gold stealing addon

It's a random idea that came to my mind. I of course don't go steal gold, but for goldsellers it would be a masterful scam.

The idea came to me when I was using the gold bid helping addon. One of its features is that I can mail the pot to everyone with one click. No need to open trades with 9 people, type the number and press trade. Great feature. However, this one-click mailing means an addon is able to send my gold to anyone.

So here comes the scam: the goldseller hacks into the account of the writer of an addon that uses the mailbox, picks up an abandoned addon or writes a good one from scratch. This addon functions normally until the goldseller writes a coded message on some channel the addon watches. This message tells the addon who shall get the gold. Next time you go to the mailbox, the addon sends some of your gold to the goldseller. If it's not a large sum (like never bigger than 2% of total or 1K in any day), it can run for long before anyone starts to get suspicious that some of his gold is missing. Or he can go all out and send a lot of gold, and the recipient sells the gold quickly before any GM reads the first victim's complaint and parses through the logs.

The addon could also steal materials and BoEs (kitten) from your backpack and send them to the goldseller.

Blizzard should quickly close this vulnerability. Until then: watch out for what addons you use and keep your deposits on an alt, keeping only daily liquid on your often-used characters.
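The practical side of "watch out for what addons you use" is to look at what the Lua files in your AddOns folder actually call. The script below is an added example and not part of this post or of any addon named here: it scans a folder for files that call the mail APIs (SendMail and SetSendMailMoney from the post, plus ClickSendMailItemButton, which I assume is also worth flagging) and raises the risk when the same file registers a chat event (the channel-watching trigger described above) or loads code at runtime via loadstring (the obfuscation trick). The event names, the risk tiers and the embedded Lua snippets are my own constructed assumptions, not taken from any real addon.

```python
import re
from pathlib import Path

# Mail API calls that move gold or items out of the character's control.
# SendMail and SetSendMailMoney are named in the post; the third is an assumed addition.
MAIL_CALLS = ("SendMail", "SetSendMailMoney", "ClickSendMailItemButton")
# Chat events an addon would register to watch a channel for a coded trigger (assumed set).
CHAT_EVENTS = ("CHAT_MSG_CHANNEL", "CHAT_MSG_WHISPER", "CHAT_MSG_SAY", "CHAT_MSG_YELL")
# Runtime code loading: lets an addon hide its real logic until it is decoded.
DYNAMIC_LOAD = ("loadstring",)


def strip_comments(lua):
    """Drop Lua block (--[[ ]]) and line (--) comments so commented-out calls don't count."""
    lua = re.sub(r"--\[\[.*?\]\]", "", lua, flags=re.S)
    return re.sub(r"--[^\n]*", "", lua)


def scan_lua(source):
    """Return which mail calls, chat events and dynamic loaders appear in one Lua source."""
    code = strip_comments(source)
    found = {"mail": set(), "chat": set(), "dynamic": set()}
    for name in MAIL_CALLS:
        # \b stops SetSendMailMoney( from also matching as SendMail(
        if re.search(rf"\b{name}\s*\(", code):
            found["mail"].add(name)
    for event in CHAT_EVENTS:
        if re.search(rf"['\"]{event}['\"]", code):
            found["chat"].add(event)
    for name in DYNAMIC_LOAD:
        if re.search(rf"\b{name}\s*\(", code):
            found["dynamic"].add(name)
    return found


def risk_level(found):
    """HIGH: mails gold/items AND watches chat or decodes code at runtime.
    MEDIUM: one of those on its own (a normal mail helper lands here, so read it).
    LOW: nothing mail- or loader-related."""
    if found["mail"] and (found["chat"] or found["dynamic"]):
        return "HIGH"
    if found["mail"] or found["dynamic"]:
        return "MEDIUM"
    return "LOW"


def scan_sources(sources):
    """sources: {relative path: lua text}. Returns {path: (level, found)} for non-LOW files."""
    report = {}
    for path, text in sources.items():
        found = scan_lua(text)
        level = risk_level(found)
        if level != "LOW":
            report[path] = (level, found)
    return report


def scan_addon_dir(root):
    """Read every .lua file under an AddOns folder and report the non-LOW ones."""
    root = Path(root)
    sources = {str(p.relative_to(root)): p.read_text(errors="replace")
               for p in root.rglob("*.lua")}
    return scan_sources(sources)


# Constructed fixtures (not real addon code) used to show the three outcomes.
BENIGN = """
-- constructed: a mail helper that only acts when the user clicks a button
local function OnClick()
  SetSendMailMoney(amount)
  SendMail(recipient, subject, body)
end
"""

SUSPICIOUS = """
-- constructed: a chat-event listener sitting next to a money-mailing call
f:RegisterEvent("CHAT_MSG_CHANNEL")
SetSendMailMoney(amount)
SendMail(target, subject, body)
"""

OBFUSCATED = """
-- constructed: real logic is decoded and executed at runtime
loadstring(decode(blob))()
"""

if __name__ == "__main__":
    import sys
    demo = {"Helper/mail.lua": BENIGN, "Listener/core.lua": SUSPICIOUS,
            "Packed/init.lua": OBFUSCATED, "Clean/ui.lua": "print('hello')"}
    report = scan_addon_dir(sys.argv[1]) if len(sys.argv) > 1 else scan_sources(demo)
    for path, (level, found) in sorted(report.items()):
        print(f"{level:6} {path}  mail={sorted(found['mail'])} "
              f"chat={sorted(found['chat'])} dynamic={sorted(found['dynamic'])}")
```

Run it as `python audit_addons.py "C:\path\to\Interface\AddOns"` to scan a real folder, or with no argument to see the fixtures classified. A MEDIUM hit on a mail helper is expected and only tells you where to read; the HIGH tier is the combination the post describes, and a loadstring call in any addon is worth opening regardless, since there is no reason for a legitimate addon to hide its source from the person installing it.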

17 comments:

Anonymous said...

Isn't there a sound when you send gold? Can't imagine it would go unnoticed too long.

I do have most of my gold on a banking alt, but that is also the char I use the postal service most with :-D

chewy said...

The Trojan Horse comes to WoW - Not entirely an original idea but wise to be aware of the possibility.

Anonymous said...

/split anyone? Don't know when they removed this, but it worked like a charm.

Andru said...

@Anonymous
There are UI commands that suppress playing sounds for actions, then turn the sounds back on after they're done. That's not the problem.

There's a lot more technical difficulties.

(Un)Fortunately, there's no easy way to make it work.

Most accounts that are 'hacked' actually have their passwords stolen in one form or another. This is closer to being a 'con artist' than a 'hacker'.

The difference is that, in order for such an addon to be active on an account, the 'hacker' must have physical access to the victim's WoW directory, in order to place that addon there. Since WoW 'con artists' do not have access to victims' PCs (only their account), it's almost impossible for them to do the trick.

Of course, a gray area is the usage of keyloggers, which, admittedly, have limited access to a PC.

One could, theoretically, use an OS vulnerability to inject an addon in the interface/addons folder the same way.

The problem is way more complicated than that. First, it has to be enabled. There's a world of difference between reading keystrokes and broadcasting them back, and actually launching WoW, logging in, and loading the addon. And one would have to do it every time WoW updates, before the game client marks the addon as out-of date and stops loading it.

One would think, then, that if a hacker had such a big control over one's PC in order to write to their HDD, execute programs at will, and so forth, that it would be easier to just steal the damned online banking credentials the victim uses, and not trifle with 2% e-gold.

Of course, one could write a trojan addon (an addon that has legitimate use with the hidden function you described), in which case access to the account/PC is not required. Users will automatically update their addon every version.

The problem is, of course that your addon has to be good in order for people to use it. Say, of BigWigs popularity. But the risk is that, with high popularity, someone will look in the code and see what you're up to, unless you code in the most human-unintelligible way possible.

At the end of the day, the effort is just not worth it. Such an addon requires constant maintenance, extensive bug testing in order to not blow the vulnerability away (no one will report bugs for your trojan).

Or requires access to one's PC. In which case, the victim should well be worried about other things than losing WoW gold.

Anonymous said...

The biggest problem for the maker of such an addon is not someone noticing a few gold going missing but that anyone downloading it can see the source code. Not that all that many people would bother or know what they were looking for, but I'm fairly sure a tiny percentage do and that's all it takes to uncover it.

Gevlon said...

@Andru: I'm talking about a trojan addon that the victim downloads and installs without knowing that it's harmful, believing that it's just an addon.

Jokkl said...

I remember the good old times...

1. Group with some lvl 60 dude who looks like he has gold
2. Bring him to type /split 1000 or whatever
3. ???
4. Profit!

Worked countless times...

Anonymous said...

@Andru: Gevlon's proposing that you "hack" (note the quotes) the wowace account of an author and publish a "malicious version" of an already-established addon.

However, there's more than one issue with your proposal:
1) To be able to commit to the SVN repos, you'd need to have the author's SSH privkey. You won't be able to access that one without having access to their HDD.
2) Don't quote me on this one, but I'm fairly sure that you can only send one piece of mail per hardware event.
3) WoW's Lua implementation is fully open source. Anyone that downloads your addon can read the source code - and there's plenty of people that already do. Chances are, the addon would be taken down within the hour - I assume curse.com would take this kind of issue very seriously with the amount of tinfoil-hattery already floating around.

Anti said...

For anyone to bother doing it they would want destination accounts on multiple servers. This is really only commercial gold sellers. They have much more efficient methods. Also their accounts are much more transient.

To code it in they would either require a predetermined character name or be able to trigger the destination via an in-game command. As all addons are open source, neither method would remain secret long enough to profit enough from the time required to create an addon with enough market exposure.

Of course if all addon authors announced a small tax on users on their home server it could be a nice way to fund addon development. Time they didn't need to spend farming gold they could put into addon development. Perhaps the community wouldn't mind.

Zerotorescue said...

Of course this is an interesting idea but I reckon the chance of success of hacking a site like auctioneeraddon.com (to steal the emails/passwords used there) will be a lot better than this.

@Anonymous;

1) Many developers don't use Curse's SVN, Mercurial or Git repositories and just issue an HTTP upload for which no such key is required.
2) Close; the only limit in place is to require a hardware event for adding gold to a mail.
3) Code obfuscation goes a long way. There are many methods one could use to hide the code, in this method probably the best would be to password-protect it and let the hacker post the password in the channel which is then used to remove the password from the code and execute it.

The issue with code obfuscation would be that it's against the WoW ToU which may or may not be enforced by Curse.

KhasDylar said...

There are several problems with that idea.
1. Hacking someone's Wowace/Curse account won't give you access to the source code, because it is version controlled and you can't just simply upload any malicious code into a branch.
2. Even if you could do #1, the original author will see the next time he tries to upload some of his own code, that he doesn't have the newest version of his own code. Tell me any developer, who would not be suspicious about this. Even if the addon is maintained by multiple authors, they probably talk to each other and would notice such "unauthorized" code uploading within hours, days at max.
3. #2 is not an issue if the addon is not maintained anymore and is abandoned. Not many people are using abandoned addons (at least I hope so). Even if some people are using such a dead addon, they are not so many. For example, I used to use agUnitFrames for a while after it was abandoned, 'cause I didn't have to update it (no WoW patch came out). The first time a WoW patch came after that addon went dead, I had to switch to something else (I chose ShadowedUnitFrames), because agUF didn't work like it used to and I didn't want to correct it.
4. Let's talk about a popular addon, like Bartender4 or something like this. If the hacker could upload his malicious code and make the players download that hacked addon, hundreds or thousands of players are using it. If it would steal any amount of gold, it could not go unnoticed for a long time. Such a stealer addon would be caught within hours, just because of the sheer number of players using it.

Antivyris said...

A lot of the comments miss a very social approach. Help. While it is true that hacking a wowace, curse, or even a prominent website's SVN/Source code repository is hard and risky, that my friends is overkill.

We are in an online community of anonymous gamers. It only takes a day of LUA study and some malicious intent, and here's how.

"Dear Addon author:
I noticed your addon isn't updated often. I know a little bit of LUA and I'd like to help with the small updates in-between major updates. I can take care of the small stuff like curseforge and wowace tickets, leaving the big tasks to you. Let me know what you think. - HelpfulPpl102"

Then, a few weeks later, in the name of 'helping' others, he adds a small auto-mail feature of some sort related to the addon. A socially malicious person could easily come up with a 'valid' reason to add in such a feature, and then add a small bit of well-obfuscated code. Then, voila, Superman 3. Have it send 1% or 2% of total money and you'll slowly get it.

Imagine how quickly a malicious, well-spoken and slightly LUA-educated social could get into assisting with TSM's auto-mail addon. No hacking needed, and TSM has so many moving parts that your average TSM user would probably not see the code until it was too late, and since a user of TSM does plenty of AH biz, they'd probably not notice the gold loss until much later.

Anonymous said...

"Since WoW 'con artists' do not have access to victims' PCs (only their account), it's almost impossible for them to do the trick."

Not if you use the same passwd on Curse as on WoW. Even with authenticator you'd get hacked then. Besides, Curse had malicious Flash banners in the past.

This idea is nothing new, btw. There have been developers of addons who got a trojan, leading to exploit in addon.

Anonymous said...

Evil, yes, but you'll be banhammered so hard as soon as it's discovered and the GMs track the recipient of the mails.

chewy said...

A better approach for the would-be scammer is to write their own addon. Find something popular like reforging, an AH addon or similar. Write multiple different addons because you're going to get caught, and the obvious way to continue after you're caught is to fool your prey into believing the threat has gone.

Start introducing Gevlon's suggestion slowly, maybe after 6 months or so. Have multiple accounts on Curse and so forth such that when you're caught in one place you have others to fall back on. Remember you're trying to build trust in order to become "viral".

And finally, I'm not suggesting anyone does this but only that the possibility for someone to do it exists. Beware of what you download.

Anonymous said...

It'd be shut down in <12 hours. A high percentage of the playerbase uses Postal, which displays logs from mailing sessions in the standard chat frame.

This would get noticed, reported, and shut down in short order.

Zanthor said...

The code to do this is protected since 2.0...

PROTECTED SetSendMailMoney(amount) - Add money to next mail sent using SendMail(). -- Protected as of 2.0