1. #1
    Deleted

    Has the WeakAuras Exploit been fixed?

    Hi,

    There was this scamming exploit for WeakAuras 6-7 months ago.
    I instantly removed WeakAuras back then and shortly thereafter took a break from WoW.

    Now I'm back and was curious if WeakAuras has been fixed and is safe to use again.

    I remember reading that the author released WeakAuras2 pretty quickly, which blacklisted a few functions.
    In my opinion that's not enough to be totally safe. So I'm wondering if anything else changed since then.

    P.S.
    I know I could write all auras myself, but I'd rather not do that :/

    Thanks in advance for the help

  2. #2
    The exploit you are talking about has been fixed afaik, but you are never 100% safe when importing unknown WAs.

    From the author: http://us.battle.net/wow/en/forum/to...5351?page=2#38

    I have very limited options here on fixing it, none of them is permanent. What it comes down to is: Never accept WeakAuras from strangers. ever.

  3. #3
    Deleted
    Thanks for the link.

    But it actually sounds like it hasn't been fixed and can't be fixed; that's why he said to never ever accept auras from strangers.

    That means I'll have to build them myself. (The ones I used back then were from some website, but how do I know that site is trustworthy, especially since I don't even remember what it was called)

    But the author also said that he added the option to disable script importing: link
    That way I can feel at least a little safer

    Are there other addons that can do the same thing without the whole importing feature, so that there's absolutely no risk? (Since I have to configure everything myself anyway)

  4. #4
    Quote Originally Posted by nicktamere View Post
    Are there other addons that can do the same thing without the whole importing feature, so that there's absolutely no risk? (Since I have to configure everything myself anyway)
    No, this exploit is specific to WeakAuras because WA can accept custom code (i.e. scripts) that, when it is run (WA auto-runs all the auras when you close the options), will run whatever the exploit was, which I believe would go something like:

    - guy asks in /s for help in WA
    - you, being the generous guy/girl you are, agree
    - he shares his WA for you to import so you can "help"
    - when you import it, you close WA options down, thus triggering the imported WA to run
    - the code, in basic sort of form, targets the guy, opens trade, trades all your gold
    - this all happens rather fast, and then your scammer logs off
    - Blizzard won't help you because on their end the transaction was legit (you opened trade, put in gold amount and pressed accept)

    So your other addons are safe, WA from sites are safe because this scam only works if the guy is in trade range, and as the author has said: just don't import WAs from people you don't know, it's so simple :P

    If you are still in doubt, you could always look through the WA and check for any custom code, then check through that and look for obvious things such as "target this specific player, and then open trade".

  5. #5
    Deleted
    Quote Originally Posted by SpaceDuck View Post
    No, this exploit is specific to WeakAuras because WA can accept custom code (i.e. scripts) that, when it is run
    I meant, if there are other addons that serve the same purpose as WeakAuras (the intended purpose^^), which I could use instead of WeakAuras.

    Quote Originally Posted by SpaceDuck View Post
    WA from sites are safe because this scam only works if the guy is in trade range
    This is not entirely true, since the malicious scripts can also send gold/items via the mailbox.

    So theoretically it is possible that a website which spreads scam scripts has characters with a specific name on every or at least some servers.
    That way my money could still be gone...

    Admittedly that is unlikely, but winning the lottery is also quite unlikely yet still possible...

  6. #6
    Quote Originally Posted by nicktamere View Post
    I meant, if there are other addons that serve the same purpose as WeakAuras (the intended purpose^^), which I could use instead of WeakAuras.
    Oh, my mistake. I think PowerAuras will do similar things but with less customization, and TellMeWhen.


    Quote Originally Posted by nicktamere View Post

    This is not entirely true, since the malicious scripts can also send gold/items via the mailbox.

    So theoretically it is possible that a website which spreads scam scripts has characters with a specific name on every or at least some servers.
    That way my money could still be gone...

    Admittedly that is unlikely, but winning the lottery is also quite unlikely yet still possible...
    True, but you will have to open your mailbox first, at which point you would have hopefully checked the WA you imported for any specific custom code related to sending mail.

  7. #7
    Deleted
    Doesn't WA yell at you if you import an aura that includes custom triggers these days? I seem to remember something along those lines after the first time the issue came up.
    So you could simply only import auras that use default functionality.

    Disclaimer: Never used WA, so I might be wrong.

  8. #8
    Quote Originally Posted by Treeston View Post
    Doesn't WA yell at you if you import an aura that includes custom triggers these days?
    It just shows you a little box with the "import" button, where it says "Trigger: custom / aura / whatever". That's really the only information you have about the WA you are about to import...

  9. #9
    Quote Originally Posted by Crudor View Post
    It just shows you a little box with the "import" button, where it says "Trigger: custom / aura / whatever". That's really the only information you have about the WA you are about to import...
    Yeah, they do a bit to help out, and try and catch the obvious ways to, eg, exploit mailbox gold sending or whatever, but it comes down to this: an addon can do anything. A WeakAura string is just a way to package an addon that you can transfer in game, through copy-and-paste, whatever. So it can do anything an addon can. Right up to setting fire to your cat -- but only if triggered by a hardware event. (Also, must have a pet cat out in-game, and be a fire mage.)

    Anyway, the issue is also present in anything else that can run custom code: if TMW allows importing things with custom triggers, it has the same risks. Heck, if ShadowedUF or PitBull allowed custom text segments that run Lua code in their export/import formats, *they* are a source of vulnerability to this same thing.

    - - - Updated - - -

    Quote Originally Posted by SpaceDuck View Post
    true, but you will have to open your mailbox first. at which point you would of hopefully checked the WA you imported for any specific custom code related to sending mail
    If you think that is actually gonna happen, you have not paid much attention to how Internet security has gone over the last decade. By which I mean "nobody does that, other than the three people who look like a rounding error when you consider the numbers".

  10. #10
    Deleted
    Thanks for all the answers.

    I think I'll just stick to auras I made myself.

    If SlippyCheeze is right, it doesn't matter which addon I use. They are all vulnerable to malicious import strings.

  11. #11
    Deleted
    Quote Originally Posted by SpaceDuck View Post
    <Snip> Explanation <Snip>
    Didn't know it would do it with items, but I knew about the gold.

    It is one of the many reasons I only keep a couple of K gold on my main and the rest of it on my bank char.

  12. #12
    Until I made an aura that re-enables the trade option and then secretly sends itself to 1/3 of your friends each day, or modifies some of your existing auras so that they now include a bit of custom code to modify other auras and 'steal your stuff'.
    If WA willingly accepts code off the addon channel that allows it to change existing auras, then that itself is a massive flaw. I personally haven't used the addon channel in any of my little addons, so I'm not 100% sure on what goes over it; surely an addon will need to register itself to the addon channel and intentionally listen over it? Something WA has no need to use because it doesn't need to share over the addon channel (again, something I am not 100% sure on as I don't use the addon channel).

    In addition to this, if you could trick the game into running scripts over the addon channel, then surely we would see so many more scams that are not based around WA?

    2. Most people don't know enough about Lua or WoW to identify dangerous code
    You don't have to be; your average Joe will only use WA to track basic things like buffs/debuffs, maybe even to track an internal CD that doesn't require custom code. So said average Joe only needs to look at the aura and SEE code in the custom code and see it as suspicious.

    4. You can obscure code very easily: it would look nothing like "sendGold(fromMe(), toHacker())", if this kind of thing was easy to check for then we wouldn't have this problem in the first place.
    I'm curious, how would you make InitiateTrade() or AcceptTrade() discreet? Surely the only way to access the frames these functions interact with is via this function?

  13. #13
    All in all it seems like a non-issue if you don't just copy/paste everything you find googling obscure auras on shady sites. Or just make your own, since it's easy and learning how will probably save you time in the long run.
    Last edited by Erolian; 2014-08-07 at 03:44 PM.

  14. #14
    Deleted
    Quote Originally Posted by SpaceDuck View Post
    If WA willingly accepts code off the addon channel that allows it to change existing auras, then that itself is a massive flaw. I personally haven't used the addon channel in any of my little addons, so I'm not 100% sure on what goes over it; surely an addon will need to register itself to the addon channel and intentionally listen over it? Something WA has no need to use because it doesn't need to share over the addon channel (again, something I am not 100% sure on as I don't use the addon channel).
    Changing auras locally is the intent, I believe. As in, making an aura that would "infect" other auras with custom triggers.

    Not hard to do, SavedVars need to be global by design.

  15. #15
    Quote Originally Posted by Treeston View Post
    Changing auras locally is the intent, I believe. As in, making an aura that would "infect" other auras with custom triggers.

    Not hard to do, SavedVars need to be global by design.
    Yeah, I understand it can be done locally, say if the user imports a dodgy WA.

    But what I mean is, can it be done over the addon channel? Could someone make something that will send data over the addon channel which will trick WA into doing something malicious without the user's input?

  16. #16
    Quote Originally Posted by SpaceDuck View Post
    Yeah, I understand it can be done locally, say if the user imports a dodgy WA.

    But what I mean is, can it be done over the addon channel? Could someone make something that will send data over the addon channel which will trick WA into doing something malicious without the user's input?
    In theory, yes. In practice, I am not aware of anything other than importing strings that could cause this to happen, and consider it unlikely that it would be a practical issue.

    It would require that the message result in some sort of code execution from WA, which could be considered a "bug" on their part, but really comes down to: there are many ways to run code in Lua. If you slip past their efforts to stop you and get your code from a message into one of those, game over.

    Outside WoW, examples of this have included messages that get passed to a text display function that added a mechanism to interpret content for display customization purposes. E.g.: nothing the code did was wrong at the time it was written, but changes to the environment opened an exploit.

    In WoW an equivalent would be if, eg, text in dialog boxes had this capability, or hyperlinks could be caused to display that trigger some code execution behaviour. These are not beyond imagining as added features, and could open a previously closed door.
    Last edited by SlippyCheeze; 2014-08-07 at 08:10 PM.

  17. #17
    Quote Originally Posted by SlippyCheeze View Post
    In theory, yes.
    No, someone can't send you an aura through the addon channel without you manually accepting it.

    We had a very lengthy discussion about how this "exploit" could be avoided in the dev chat when it was reported, and it was ultimately decided that it would never be possible to lock down a custom script being imported.

    As long as you're giving someone access to execute custom Lua on your client, they will be able to do something malicious.

  18. #18
    I do 100% agree with the fact that everyone should be paranoid about everything they import or download onto their computer, but some of the things you said in post #12 feel like stuff that can't really happen in the WoW environment (outside of WoW though, entirely possible).

    This is the addon channel I was referring to: http://www.wowwiki.com/API_SendAddonMessage

    It allows an addon to send data to other clients.

    Also thanks Semlar for confirming that it is not possible to send auras over this channel without the user accepting it.

    So all in all, the whole thing boils down to "Be extremely paranoid about importing anything"

  19. #19
    I went through a whole lot of ideas when I was working on how to prevent this in TMW, but in the end, there is no way to make scripts completely safe. You can isolate them into their own environment and allow them access to only a whitelisted set of functions and variables - that would mean no library access, no interaction with other addons, and it would mean I would have to significantly rewrite huge parts of TMW in order to keep any custom scripts away from parts of the addon that could allow them to break out of that environment (if anything could get access to an Ace3 module's embed list, for example, then it's completely compromised).

    What I ended up doing was just to present users with a dialog any time they import anything that could be executed by TMW. The dialog includes the code itself, as well as a message that says something along the lines of "most of the time, scripts are fine, but there are mean people out there, so don't talk to strangers!". It makes naive attempts to alert the user to any malicious functions (like AcceptTrade, SendMail, etc.), but even the most trivial of obfuscation could get around them. Ultimately, it's up to the user (in all cases - not just TMW) to evaluate whether they trust the code and the source of it.
    Author of TellMeWhen and many other useful and helpful addons such as SpeedyLoad.
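    As an added illustration of the isolation approach Cybeloras describes above (this is example code, not TellMeWhen's or WeakAuras' own), the Lua 5.1 snippet below loads an imported custom script into an environment that holds only whitelisted names, so a trade function is unreachable whether it is named directly or assembled at runtime; the two game API globals are hypothetical stubs so it runs outside WoW. The caveat from the post still applies: anything placed in the whitelist that can reach the real global table (an addon library object, for instance) undoes the isolation.

```lua
-- Added example, not code from WeakAuras or TellMeWhen. Lua 5.1 (the Lua
-- WoW uses), which provides loadstring and setfenv. The two "game API"
-- globals below are hypothetical stubs standing in for the real functions.
AcceptTrade = function() error("AcceptTrade was reached") end
UnitHealth  = function(unit) return 1234 end

-- Whitelist environment: the only names an imported script can resolve.
-- Deliberately absent: _G, loadstring, getfenv/setfenv, rawget,
-- getmetatable, require, and any addon/library object that holds a
-- reference back to _G (the Ace3 embed-list escape mentioned above).
local function makeSandboxEnv()
  return {
    math = math, string = string, table = table,
    tostring = tostring, tonumber = tonumber,
    pairs = pairs, ipairs = ipairs, select = select, type = type,
    UnitHealth = UnitHealth,   -- read-only query: safe to expose
  }
end

-- Compile the imported custom code and bind it to a fresh sandbox.
-- Returns ok, result-or-error in the same shape as pcall.
local function runCustomScript(src)
  local fn, err = loadstring(src, "=imported_aura")
  if not fn then return false, "syntax error: " .. err end
  setfenv(fn, makeSandboxEnv())
  return pcall(fn)
end

-- A legitimate custom trigger succeeds: UnitHealth is whitelisted.
print(runCustomScript("return UnitHealth('player') > 1000"))
-- A direct call fails: AcceptTrade is nil inside the sandbox.
print(runCustomScript("AcceptTrade()"))
-- Building the name at runtime (which defeats a keyword blacklist) still
-- fails, because _G is not in the environment either.
print(runCustomScript("_G['Accept' .. 'Trade']()"))
```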

  20. #20
    As Cybeloras describes it is possible to obfuscate the code to prevent any "keyword" matching.
    Therefore making the only sure-fire solution being an intervention from blizzard.
    They would have to adjust the functions themselves, either crippling their functionality or adding in confirmation prompts.
    Either of which are going to hurt legitimate addons and honest players.

    This isn't a "weakauras exploit", but simply using a very convenient route to do what can be done in traditional addon form.
