1. #1

    Word of warning to users of Weakauras

    This was posted in General and I got permission from MoanaLisa to post it here as well, as it directly pertains to the Interface and an addon that is heavily discussed in this forum. Original post is here.

    Quote Originally Posted by Zannis View Post
    http://us.battle.net/wow/en/forum/to...0477954?page=1

    <removing link as it explains actually too much>

    These two links should explain what people are doing.

    The gist of it is, don't import auras unless you trust the source. If you DO import an aura from an untrusted source, transfer the bulk of your gold off-character before the import, leave a few silver. Walk up to a mailbox and open the 'Send Mail' tab. If your silver pieces are still there, the aura is safe.

    I'd post this tip on the wow forums, but I'm not currently subbed.

    Edit: The author of Weakauras 2 has patched the addon to prevent this behavior. Please update to the latest version (2.0.1) to protect yourself.
    Originally Posted by Zarhym
    Someone needs to take away your keyboard until you're better able to read the explicit meaning in sentences without implying whatever you want in order to be contrary.
    Quote Originally Posted by Archimtiros View Post
    It's like swatting flies with a shotgun.

  2. #2
    Thanks for sharing. Just updated to 2.0.1

  3. #3
    High Overlord Ironi's Avatar
    Join Date
    Dec 2007
    Location
    Finland
    Posts
    114
    Quote Originally Posted by evn View Post
    The update does nothing to fix the problem. There are only two things that will work:
    • Blizzard changes the API to restrict what addons can do
    • Weak auras stops allowing arbitrary lua anywhere.
    If one of those doesn't give then t his is with us forever. You must just make it a rule to be as skeptical about importing "things" into your UI (auras, macros, saved variables, themes/skins, etc) as you are with installing the addons themselves.
    newest weakaura declines auras with "bad" api's and warns users about them, so why do you think it doesn't work?
    Abandon the search for Truth; settle for a good fantasy.
    iKeystones, iLFRDescription, iEncounterEventTracker

  4. #4
    Deleted
    Code:
    local exec_env = setmetatable({}, {__index = _G})
    exec_env._G = exec_env
    exec_env.getfenv = forbidden
    exec_env.SendMail = forbidden
    exec_env.SetTradeMoney = forbidden
    exec_env.getmetatable = function(t) if t == exec_env then error("nope") else return getmetatable(t) end end
    exec_env.setmetatable = function(t, m) if t == exec_env then error("nope") else return setmetatable(t,m) end end
    Is the chunk that was added in most recent WA, for reference. Can't test right now, but there's still some potential workarounds that would need testing - for example, if/how forceinsecure() affects the function environment through DevTools_DumpCommand, or whether any of the debugX functions allow arbitrary code to execute by loading it outside the function environment.

  5. #5
    There will be additional safeguarding coming in, soon.

  6. #6
    Deleted
    Yeah, there's a bunch of other "dangerous" functions I can think of offhand. IIRC deleting items isn't protected, right?

  7. #7
    The Patient
    Join Date
    Apr 2008
    Location
    United Kingdom
    Posts
    318
    Quote Originally Posted by Treeston View Post
    Yeah, there's a bunch of other "dangerous" functions I can think of offhand. IIRC deleting items isn't protected, right?
    Correct, you can just have a script that runs DeleteCursorItem(); on every frame and sooner or later it will happen >_> (provides no confirmation either to type delete or hit yes).
    Retired in WoD

  8. #8
    Quote Originally Posted by Treeston View Post
    Yeah, there's a bunch of other "dangerous" functions I can think of offhand. IIRC deleting items isn't protected, right?
    Nope, you can auto click the confirm dialog.

  9. #9
    Deleted
    Actually, the currently implemented lockout works decently as long as there's no workarounds that can allow code to circumvent function environment. Look into setfenv.

  10. #10
    Quote Originally Posted by evn View Post
    Because I made the video that people were talking about in the original version of this thread.
    I imported the 4 of the original 'test' auras I made to create that video,
    Only 1 didn't work perfect (yesterday at 1am PST): no warning on import, still mailed gold as in the demo.


    Also see ~line 800 in Transmission.lua



    If this was an easy fix it would have been done decades ago. There's no way to tell what "bad code" looks like programatically, if it were possible then we'd have perfectly secure operating systems already. You can say "only these functions are permitted" and they try to prevent access to anything remotely 'bad', but:
    • Addons don't have that ability - there are too many ways around it so blizzard would have to make a change.
    • Once you start stripping out the ability to do 'custom stuff' with lua you're not really using weakauras as we know it. PAC and TMW offer similar-enough functionality but they lack the arbitrary lua which is where the power comes from.

    The problem we have is one of trust: we want to run code from 'unknown peple' but we can't trust everyone we meet. How can you trust me or the people maintaining WeakAuras but not Treeston" or Johny McGoldtheif? There are fixes but they're 'ugly' because they make the creation and distribution of code more troublesome.
    Addons do have that ability and we made sure that SendMail and SetTradeMoney no longer work from a WeakAura. Also I'm pretty sure Blizzard will make some changes to some of those APIs in the future but for the time being you gold is safe now. There might still be some bad API remaining that we have to block, would be cool if anyone reports those and "bad" auras they found to me/us.
    Last edited by Stanzilla; 2013-12-04 at 07:11 PM.

  11. #11
    Quote Originally Posted by evn View Post
    I see that was changed in R18 (I did mine with R17 from yesterday). I re-checked my demo code with r18 (flagged as an alpha release right now) and it seems to be properly blocked. The incomplete 'better' versions might still work but I don't have access to them from here, I'll have a poke and make an updated video encouraging people to upgrade assuming that it works.

    While these do seem to solve my example, it remains that the "out in the wild" scam that was going on appears to be doing something different.
    I wouldn't put all my trust weak auras, when I get home from work i'll check the more clever versions and ensure that this is sane.
    Would be nice if you could send them my way, too.

  12. #12
    http://www.wowace.com/addons/weakauras-2/ is the main site, yes.

    - - - Updated - - -

    Well, turns out that there is still a way around our protections and this time we can't really fix it. It's Blizzard's turn now.

  13. #13
    Hey Stanzilla what warning does it come up with ?

    Can you just interpret the script and for the Lua parts outline to the user exactly what it's going to do THEN have them click a "Yes I want to do this"

    Is that the warning you have in there ?

  14. #14
    This is only an issue if you import weakauras, correct? if that's the case, i'm glad i make all of my own weakauras.

  15. #15
    Quote Originally Posted by Das View Post
    This is only an issue if you import weakauras, correct? if that's the case, i'm glad i make all of my own weakauras.
    Correct, the issue is someone giving you an import with custom lua.
    The problem is the ability to access those features through code, and WeakAuras being a good way of getting it out there.
    Quote Originally Posted by DeadmanWalking View Post
    Your forgot to include the part where we blame casuals for everything because blizzard is catering to casuals when casuals got jack squat for new content the entire expansion, like new dungeons and scenarios.
    Quote Originally Posted by Reinaerd View Post
    T'is good to see there are still people valiantly putting the "Ass" in assumption.

  16. #16
    Is there (or will there be) a way to disable the ability to receive weakauras directly in game?
    All evening I have been getting auras popping up in game like this: http://imgur.com/fs4wum3
    No associated in-game whispers, just level 1 characters repeatedly causing the import window to pop up with malicious intent.

  17. #17
    Quote Originally Posted by Townsend View Post
    Is there (or will there be) a way to disable the ability to receive weakauras directly in game?
    All evening I have been getting auras popping up in game like this: http://imgur.com/fs4wum3
    No associated in-game whispers, just level 1 characters repeatedly causing the import window to pop up with malicious intent.
    We just fixed that. Funky commited a change that those popups can no longer show without you actually clicking a link in chat. Another change I'm working on atm, is an option to only let you accept auras from people in your group, guild or raid.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •