  1. #1

    Word of warning to Weakauras users

    http://us.battle.net/wow/en/forum/to...0477954?page=1

    <removing link as it explains actually too much>

    These two links should explain what people are doing.

    The gist of it is, don't import auras unless you trust the source. If you DO import an aura from an untrusted source, transfer the bulk of your gold off-character before the import, leave a few silver. Walk up to a mailbox and open the 'Send Mail' tab. If your silver pieces are still there, the aura is safe.

    I'd post this tip on the wow forums, but I'm not currently subbed.

    Edit: The author of Weakauras 2 has patched the addon to prevent this behavior. Please update to the latest version (2.0.1) to protect yourself.
    Last edited by Zannis; 2013-12-03 at 10:16 PM.

  2. #2
    Herald of the Titans Galbrei's Avatar
    10+ Year Old Account
    Join Date
    Jul 2010
    Location
    Brazil
    Posts
    2,807
    Dayum, that's some scary stuff! Thanks for the heads up!

  3. #3
    The scariest thing is that it's all done through legit commands in the game's UI console.

  4. #4
    Scarab Lord Lime's Avatar
    10+ Year Old Account
    Join Date
    Jul 2013
    Location
    Over There
    Posts
    4,453
    Damn WoW, you scary.

    Seriously though, that's messed up.

  5. #5
    Deleted
    OK Blizz or the authors of WA need to put an end to that!!!!

  6. #6
    Quote Originally Posted by Quilzar View Post
    OK Blizz or the authors of WA need to put an end to that!!!!
    It's not weakauras. It's code within WoW itself. People just use weakauras because you can send the scripts to other people that have weakauras. So if you're looking for a specific script for a boss encounter and you find one and use it unknowingly that it's not what you're looking for, you lose your gold.
    Last edited by Traxex9080; 2013-12-03 at 03:51 PM.

  7. #7
    Scarab Lord Lime's Avatar
    10+ Year Old Account
    Join Date
    Jul 2013
    Location
    Over There
    Posts
    4,453
    Quote Originally Posted by Zannis View Post
    If you DO import an aura from an untrusted source, transfer the bulk of your gold off-character before the import, leave a few silver. Walk up to a mailbox and open the 'Send Mail' tab. If your silver pieces are still there, the aura is safe.
    I don't believe that's necessarily true. According to that video, the person made it so it left 30c. So imagine if he made it so it left 2 gold. If you only have a few silver, it wouldn't affect you. However the second you have more than 2 gold, it would trigger and you'd lose all of your money.

  8. #8
    Spam Assassin! MoanaLisa's Avatar
    10+ Year Old Account
    Join Date
    Oct 2010
    Location
    Tralfamadore
    Posts
    32,405
    No offense to anyone for removing the video but after watching it I understood enough about how to do this so that's not something we wish to propagate here in General Discussions. It seems as if it would be a good idea to disable WA unless you've created all of your own auras or are very sure of where they came from.
    Last edited by MoanaLisa; 2013-12-03 at 07:46 PM.
    "...money's most powerful ability is to allow bad people to continue doing bad things at the expense of those who don't have it."

  9. #9
    The Patient
    15+ Year Old Account
    Join Date
    Apr 2008
    Location
    United Kingdom
    Posts
    319
    I hope people realise that this can actually happen with any AddOn you download if it's not carefully inspected for malicious code, the only prevention to this is Blizzard taking proper actions in their API making it impossible to do this kind of stuff. WeakAuras is an easy way of doing it since you can share code that runs automatically while having the option of disguising the code to actually do meaningful things (such as display a DoT duration while stealing gold). Anyone with a basic knowledge of Lua can access the API and do this kind of stuff, so be wary when you import code or download AddOns that aren't on Curse or have little to no downloads.
    Last edited by suprep; 2013-12-03 at 08:41 PM.
    Retired in WoD

  10. #10
    Spam Assassin! MoanaLisa's Avatar
    10+ Year Old Account
    Join Date
    Oct 2010
    Location
    Tralfamadore
    Posts
    32,405
    I want to bump this thread to keep it up on the front page for a bit longer just so that people can be aware that there's a possible problem.
    "...money's most powerful ability is to allow bad people to continue doing bad things at the expense of those who don't have it."

  11. #11
    Scarab Lord Lime's Avatar
    10+ Year Old Account
    Join Date
    Jul 2013
    Location
    Over There
    Posts
    4,453
    Quote Originally Posted by MoanaLisa View Post
    I want to bump this thread to keep it up on the front page for a bit longer just so that people can be aware that there's a possible problem.
    I'm glad you did. I was going to but didn't want to risk the infraction.

  12. #12
    Wow - that is scary. I do not use weakauras, I found the idea complicated, but this is crazy
    “What was God doing before the divine creation? Was he preparing
    hell for people who asked such questions?” - Stephen Hawking


  13. #13
    I am Murloc! zephid's Avatar
    10+ Year Old Account
    Join Date
    Sep 2010
    Location
    Sweden
    Posts
    5,110
    Quote Originally Posted by Quilzar View Post
    OK Blizz or the authors of WA need to put an end to that!!!!
    It's not weakauras' fault really since the addon uses code blizzard has made available.

    If anything this should serve as a warning to people to not just import auras without actually checking what they do before activating them.

  14. #14
    Include this in the OP if you can:

    "The addon author has patched Weakauras2 to v2.0.1 with some code that should help keep this from happening:
    http://www.curse.com/addons/wow/weakauras-2 "

    Taken from the WoW forum thread

  15. #15
    Just to point out, it's no different to any other addon being designed to do this, it is just easier to get someone to install a weakaura than it is to get them to download your addon.
    Be interesting seeing how it can be 'prevented', other than weakauras just stripping mail send functions from code when imported.

  16. #16
    Scarab Lord Grubjuice's Avatar
    10+ Year Old Account
    Join Date
    Jun 2012
    Location
    Spook central
    Posts
    4,167
    gyeagh!

    is this a problem only with WA1.x or does it also affect WA 2.x?
    .


    When someone asks you if you're a god, YOU SAY 'YES'!

  17. #17
    Now I'm glad I found WA to be headache on file. o.o

  18. #18
    Quote Originally Posted by Grubjuice View Post
    is this a problem only with WA1.x or does it also affect WA 2.x?
    There is nothing that would prevent the same sort of action in WA 1.x, or PowerAuras, or LuaTexts in PitBull4, and potentially in anything else where someone can share their setup with you. Any addon can do this, and even macros can *potentially* do it using the `/script` command.

    The WeakAuras part is just using a clever social engineering trick to convince you that it is *safe* to run this code, and a feature of the addon that makes it hard to determine that the ugly, nasty stuff is going to happen before you install it. So, yes, it can hurt you in other addons -- though the specific features or properties may not be identical.

    Think of this as the email virus of WoW: it can mutate into all sorts of forms to bypass each security fix. The only way to stop it is to make it impossible to do these things, which also means that legitimate uses (eg: TSM, Postal and other mail sending things) get blocked, or made harder....
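
The "make it impossible" approach raised in posts #15 and #18, sketched as an added example; it is not part of the thread and is not the code of the WeakAuras 2.0.1 patch. It runs an imported string in a default-deny environment; `run_imported`, `make_env` and `ALLOWED` are hypothetical names, and the two API functions are constructed stubs so the file runs outside the game client.

```lua
-- Lua 5.1, the version WoW addons run on. The two functions below are
-- constructed stand-ins for game API calls so the file runs outside the client.
local mail_sent = false
function SendMail(recipient, subject, body) mail_sent = true end
function UnitHealth(unit) return 100 end

-- Default-deny: imported code sees only the globals named here.
local ALLOWED = { UnitHealth = true, tostring = true, type = true }

local function make_env()
  return setmetatable({}, {
    __index = function(_, key)
      if ALLOWED[key] then return _G[key] end
      error("blocked global: " .. tostring(key), 2)
    end,
    __metatable = false, -- getmetatable() on the environment returns false
  })
end

-- Compile an imported string and run it inside the restricted environment.
local function run_imported(source)
  local chunk, err = loadstring(source, "=imported")
  if not chunk then return false, err end
  setfenv(chunk, make_env())
  return pcall(chunk)
end

-- An aura that only reads unit state runs normally.
print(run_imported("return UnitHealth('player')"))
-- An aura that reaches for the mail API fails before the call happens.
print(run_imported("SendMail('name', 'subject', 'body')"))
print("mail sent:", mail_sent)
```

An allowlist is used instead of stripping individual function names because anything not listed is refused by default; the cost is the one post #18 describes, since addons with a legitimate need for the mail functions would have to be exempted explicitly.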

  19. #19
    I'm really curious about that video now.

  20. #20
    I am Murloc! Azutael's Avatar
    10+ Year Old Account
    Join Date
    Jun 2009
    Location
    Norway
    Posts
    5,081
    Well that's rather scary.
    And apparently weak-auras isn't the only method used.

    Hoping for a fix, even if I don't use weak-auras.
