Comments on Greedy goblin: Gold stealing addon

Blog by Gevlon (http://www.blogger.com/profile/07072766785893313616). Feed updated 2024-02-27T14:44:07.868+01:00. 17 comments.

Zanthor (https://www.blogger.com/profile/06565757198525941881), 2011-10-21T21:53:35.113+02:00:

The code to do this is protected since 2.0...

PROTECTED SetSendMailMoney(amount) - Add money to next mail sent using SendMail(). -- Protected as of 2.0

Anonymous, 2011-10-20T00:01:12.140+02:00:

It'd be shut down in <12 hours. A high percentage of the playerbase uses Postal, which displays logs from mailing sessions in the standard chat frame.

This would get noticed, reported, and shut down in short order.

chewy, 2011-10-19T00:07:59.293+02:00:

A better approach for the would-be scammer is to write their own addon. Find something popular like reforging, AH addon or similar. Write multiple different addons because you're going to get caught and the obvious way to continue after you're caught is to fool your prey into believing the threat has gone.

Start introducing Gevlon's suggestion slowly, maybe after 6 months or so. Have multiple accounts on Curse and so forth such that when you're caught in one place you have others to fall back on. Remember you're trying to build trust in order to become "viral".

And finally, I'm not suggesting anyone does this but only that the possibility for someone to do it exists.
Beware of what you download.

Anonymous, 2011-10-18T16:19:33.332+02:00:

Evil yes, but you'll be banhammered so hard as soon as it's discovered and the GMs track the recipient of the mails.

Anonymous, 2011-10-18T14:48:46.198+02:00:

"Since WoW 'con artists' do not have access to victims' PC (only their account), it's almost impossible for them to do the trick."

Not if you use the same passwd on Curse as on WoW. Even with authenticator you'd get hacked then. Besides, Curse had malicious Flash banners in the past.

This idea is nothing new, btw. There have been developers of addons who got a trojan, leading to an exploit in the addon.

Antivyris (https://www.blogger.com/profile/08018471491439351388), 2011-10-18T14:40:02.644+02:00:

A lot of the comments miss a very social approach. Help. While it is true that hacking a wowace, curse, or even a prominent website's SVN/Source code repository is hard and risky, that, my friends, is overkill.

We are in an online community of anonymous gamers. It only takes a day of LUA study and some malicious intent, and here's how.

"Dear Addon author:
I noticed your addon isn't updated often, I know a little bit of LUA and I'd like to help with the small updates in-between major updates. I can take care of the small stuff like curseforge and wowace tickets leaving the big tasks to you. Let me know what you think. - HelpfulPpl102"

Then, a few weeks later, in the name of 'helping' others, he adds a small auto mail feature of some sort related to the addon. A socially malicious person could easily come up with a 'valid' reason to add in such a feature, and then add a small bit of well obfuscated code. Then, voila, Superman 3. Have it send 1% or 2% of total money and you'll slowly get it.

Imagine how quickly a malicious, well spoken and slightly LUA educated social could get into assisting with TSM's auto-mail addon. No hacking needed, and TSM has so many moving parts that your average TSM user would probably not see the code until it was too late, and since a user of TSM does plenty of AH biz, they'd probably not notice the gold loss until much later.

KhasDylar, 2011-10-18T12:58:44.865+02:00:

There are several problems with that idea.
1. Hacking someone's Wowace/Curse account won't give you access to the source codes, because they are version controlled and you can't just simply upload any malicious code into a branch.
2. Even if you could do #1, the original author will see the next time he tries to upload some of his own code, that he doesn't have the newest version of his own code. Tell me any developer, who would not be suspicious about this. Even if the addon is maintained by multiple authors, they probably talk to each other and would notice such "unauthorized" code uploading within hours, days at max.
3. #2 is not an issue if the addon is not maintained anymore and is abandoned. Not many people are using abandoned addons (at least I hope so). Even if some people are using such a dead addon, they are not so many. For example, I used to use agUnitFrames for a while after it was abandoned, 'cause I didn't have to update it (no WoW patch came out). The first time a WoW patch came after that addon went dead, I had to switch to something else (I chose ShadowedUnitFrames), because agUF didn't work like it used to and I didn't want to correct it.
4. Let's talk about a popular addon, like Bartender4 or something like this. If the hacker could upload his malicious code and make the players download that hacked addon, hundreds or thousands of players are using it. If it would steal any amount of gold, it could not go unnoticed for a long time. Such a stealer addon would be caught within hours, just because of the sheer numbers of players using it.

Zerotorescue, 2011-10-18T12:43:04.865+02:00:

Of course this is an interesting idea but I reckon the chance of success of hacking a site like auctioneeraddon.com (to steal the emails/passwords used there) will be a lot better than this.

@Anonymous;

1) Many developers don't use Curse's SVN, Mercurial or GIT repositories and just issue an HTTP upload for which no such key is required.
2) Close; the only limit in place is to require a hardware event for adding gold to a mail.
3) Code obfuscation goes a long way. There are many methods one could use to hide the code, in this method probably the best would be to password-protect it and let the hacker post the password in the channel which is then used to remove the password from the code and execute it.

The issue with code obfuscation would be that it's against the WoW ToU which may or may not be enforced by Curse.

Anti, 2011-10-18T11:02:37.290+02:00:

For anyone to bother doing it they would want destination accounts on multiple servers. This is really only commercial gold sellers. They have much more efficient methods. Also their accounts are much more transient.

To code it in they would either require a predetermined character name or be able to trigger the destination via an in game command. As all addons are open source neither method would remain secret long enough to profit enough from the time required to create an addon with enough market exposure.

Of course if all addon authors announced a small tax on users on their home server it could be a nice way to fund addon development. Time they didn't need to spend farming gold they could put into addon development. Perhaps the community wouldn't mind.

Anonymous, 2011-10-18T10:30:50.755+02:00:

@Andru: Gevlon's proposing that you "hack" (note the quotes) the wowace account of an author and publish a "malicious version" of an already-established addon.

However, there's more than one issue with your proposal:
1) To be able to commit to the SVN repos, you'd need to have the author's SSH privkey. You won't be able to access that one without having access to their HDD.
2) Don't quote me on this one, but I'm fairly sure that you can only send one piece of mail per hardware event.
3) WoW's Lua implementation is fully open source. Anyone that downloads your addon can read the source code - and there's plenty of people that already do. Chances are, the addon would be taken down within the hour - I assume curse.com would take this kind of issue very seriously with the amount of tinfoil-hattery already floating around.

Jokkl, 2011-10-18T10:28:01.165+02:00:

I remember the good old times...

1. Group with some lvl 60 dude who looks like he has gold
2. Bring him to type /split 1000 or whatever
3. ???
4. Profit!

Worked countless times...

Gevlon (https://www.blogger.com/profile/07072766785893313616), 2011-10-18T10:13:53.019+02:00:

@Andru: I'm talking about a trojan addon that the victim downloads and installs without knowing that it's harmful, believing that it's just an addon.

Anonymous, 2011-10-18T09:53:10.344+02:00:

The biggest problem for the maker of such an addon is not someone noticing a few gold going missing but that anyone downloading it can see the source code. Not that all that many people would bother or know what they were looking for, but I'm fairly sure a tiny percentage do and that's all it takes to uncover it.

Andru (https://www.blogger.com/profile/12265338942372933846), 2011-10-18T09:41:35.533+02:00:

@Anonymous
There are UI commands that suppress playing sounds for actions, then turn the sounds back on after they're done. That's not the problem.

There are a lot more technical difficulties.

(Un)Fortunately, there's no easy way to make it work.

Most accounts that are 'hacked' actually have their passwords stolen in one form or another. This is closer to being a 'con artist' than a 'hacker'.

The difference is that, in order for such an addon to be active on an account, the 'hacker' must have physical access to the victim's WoW directory, in order to place that addon there. Since WoW 'con artists' do not have access to victims' PC (only their account), it's almost impossible for them to do the trick.

Of course, a gray area is the usage of keyloggers, which, admittedly, have limited access to a PC.

One could, theoretically, use an OS vulnerability to inject an addon in the interface/addons folder the same way.

The problem is way more complicated than that. First, it has to be enabled. There's a world of difference between reading keystrokes and broadcasting them back, and actually launching WoW, logging in, and loading the addon. And one would have to do it every time WoW updates, before the game client marks the addon as out-of-date and stops loading it.

One would think, then, that if a hacker had such a big control over one's PC in order to write to their HDD, execute programs at will, and so forth, that it would be easier to just steal the damned online banking credentials the victim uses, and not trifle with 2% e-gold.

Of course, one could write a trojan addon (an addon that has legitimate use with the hidden function you described), in which case access to the account/PC is not required. Users will automatically update their addon every version.

The problem is, of course, that your addon has to be good in order for people to use it. Say, of BigWigs popularity. But the risk is that, with high popularity, someone will look in the code and see what you're up to, unless you code in the most human-unintelligible way possible.

At the end of the day, the effort is just not worth it. Such an addon requires constant maintenance, extensive bug testing in order to not blow the vulnerability away (no one will report bugs for your trojan).

Or requires access to one's PC. In which case, the victim should well be worried about other things than losing WoW gold.

Anonymous, 2011-10-18T09:27:01.371+02:00:

/split anyone? Don't know when they removed this but it worked like a charm.

chewy, 2011-10-18T08:59:22.197+02:00:

The Trojan Horse comes to WoW - Not entirely an original idea but wise to be aware of the possibility.

Anonymous, 2011-10-18T07:39:45.423+02:00:

Isn't there a sound when you send gold? Can't imagine it would go unnoticed too long.

I do have most of my gold on a banking alt, but that is also the char I use the postal service most with :-D