
World of Warcraft: one simple line of code can cost you dearly (2016) - bdz
https://www.gdatasoftware.com/blog/2016/07/28809-world-of-warcraft-one-simple-line-of-code-can-cost-you-dearly
======
WrtCdEvrydy
It's funny that if you open developer tools on facebook.com, you get a nice
message about not copying things into the developer console.

Stop! t78-eatOBZQ.js:172 This is a browser feature intended for developers. If
someone told you to copy-paste something here to enable a Facebook feature or
"hack" someone's account, it is a scam and will give them access to your
Facebook account. t78-eatOBZQ.js:172 See
[https://www.facebook.com/selfxss](https://www.facebook.com/selfxss) for more
information.

~~~
Moru
You get this when trying to paste on any page in the Firefox console view:

Scam Warning: Take care when pasting things you don't understand. This could
allow attackers to steal your identity or take control of your computer.
Please type 'allow pasting' below (no need to press enter) to allow pasting.

~~~
merb
I actually don't get that.

~~~
danShumway
Dumb question, but have you ever pasted in the past? Once you do it once and
turn on pasting, you won't get the warning again.

about:config --> devtools.selfxss.count needs to be 0 when Firefox boots up to
get the warning.

~~~
TravHatesMe
"pasted in the past" I had to reread that a couple of times

~~~
askafriend
Please try to make a more substantive contribution next time. Comments like
this don't contribute to the conversation and have quite a distracting effect.

HN has its issues but the least we can do is to take care that the quality of
discourse doesn't turn into another Reddit.

~~~
tomhoward
Your general concern is commendable, but some content-lite comments are worse
than others, and sometimes just making nice is more important than calling it
out when a comment is largely benign.

~~~
askafriend
Fair! I actually deleted it first before going back and deciding to post it.

I've started to see more "content-lite" comments recently (along with puns),
so I figured it might be good to over-index on pointing out community values.

Hopefully OP was able to see that it wasn't personal and that I meant no harm.

------
paraboul
Reminds me of the old days of mIRC (popular IRC client back then) where you
could (and still probably can) run a similar scenario using the mSL language
([https://en.wikipedia.org/wiki/MIRC_scripting_language](https://en.wikipedia.org/wiki/MIRC_scripting_language))
directly from the chat input.

A script could literally take control of the computer because mIRC is able to
load native code by loading arbitrary DLLs.

~~~
mickeyp
Back in the 90s mIRC would download files to the root directory of mIRC itself
-- long before the concept of separating user data and code became the norm on
Windows -- and if people had "auto accept file transfers" enabled, people could
send you a viral "script.ini" (as I recall it was called) and immediately
overwrite your customisations. The end result would spread rapidly as the
infected users would share it with others who joined and left the channels
they were in.

~~~
distantsounds
mIRC by default would not auto-accept .INI files; there was a blacklist of
certain file types that would be rejected, with INIs as one of them.

~~~
eiaoa
> mIRC by default would not auto-accept .INI files, there was a blacklist on
> certain file types that would be rejected, with INIs as one of them.

Was that a reaction to the problem described in the GP? Especially in the
80s/90s, defensiveness like that was probably to solve an existing problem.

~~~
tonylucas
Exactly that, it was known as the ‘script.ini’ problem, the download directory
was changed as well.

It would attempt to send to people as they joined a channel.

More info:
[http://www.irchelp.org/security/si.html](http://www.irchelp.org/security/si.html)

~~~
jondumbau
There was the funny magic string that would make half a channel's modems
disconnect too.

~~~
mickeyp
Ah, yes, I remember that. I think it was because the modems didn't
differentiate between the various layers in the transport stream and took
anything resembling low-level modem commands to be gospel.

------
madrox
Out of curiosity, why is it ever a good idea to add a command to execute
arbitrary strings in the same space as the user? eval() has been the same
source of headaches in JavaScript over the years.

I believe WoW uses it primarily to let the player make macros, which is a
legit use, but using something like RunScript to do it seems lazy.

~~~
bcoates
eval is by far the easiest way to run arbitrary code, but you can write eval
yourself in any fully-general programming language. It doesn't actually give
attackers any additional power.

This isn't the eval attack where you accidentally pass attacker-controlled
inputs into eval because of an escaping problem or something; the sole purpose
of /run is to allow users to run arbitrary Lua in the UI.

------
arayh
It would have been funny to simply pretend that you had entered the line, just
to see the social engineer send you Lua code in plaintext.

~~~
bassman9000
And immediately after, tell him there's a syntax error, and how to fix it.

------
minimaxir
Discussion back when this was posted in 2016:
[https://news.ycombinator.com/item?id=12158299](https://news.ycombinator.com/item?id=12158299)

------
whatcd
playing World of Warcraft can cost you dearly

~~~
minimaxir
Nowadays (EDIT: anecdotally, sourced from myself, friends, and forums/Reddit),
there's been a player exodus in WoW, as the latest expansion (Battle for
Azeroth) has an _unrewarding_ and _mandatory_ grindy endgame, in addition to
other player-unfriendly changes which the playerbase suspects are there to pad
out time-played metrics.

~~~
vlunkr
Even if that's true, the game has had incredible longevity. That expansion
came out 14 years(!) after the original release of the game. I'm sure the
player base isn't what it used to be, but that has to be some kind of record.

~~~
ergothus
> the game has had incredible longevity

I'm not a WOW player (or really any MMO), but it's always impressed me how
willing Blizzard is to throw out all the investment people have made in
learning the game system details. Talent trees (or whatever they are called)
are rewritten practically each expansion to follow very different rules.

I suppose it has to do with knowing that NOT changing is a guaranteed loss
over time, but still, it feels like an unusual attitude.

~~~
HeadsUpHigh
It's a trend-setting attitude. Relearning skill builds is easy and relatively
fun because you already have the skill points/levels and all you do is just
allocate them again (provided the new ones are balanced and fun). What
Blizzard is doing is basically resetting the entire progress of every player in
the game every expansion. You might spend 2 years building up your end-game
gear and then an expansion comes and the common drops from one level higher
are more powerful than the highest drops from the previous one.

------
basic1
WeakAuras also had an import/export feature that was widely abused in a
similar way.

------
vortico
Does the Lua script interface have a vulnerability for actual remote code
execution? Can someone launch calc.exe with the HUD API?

~~~
madrox
While this attack does not discuss that particular detail, there have been
many documented methods for breaking out of the sandbox (you can google around
to see citations). I think for most attackers getting access to the user's WoW
API is the goal.

------
rhacker
As a player of a different game, Elder Scrolls Online, is there any similar
danger? The add-on system I believe is also Lua.

~~~
NathanKP
The difference is Elder Scrolls Online doesn't have a command to run a script
inline from the chat window.

So you are pretty safe unless you specifically install a compromised add-on.
It is definitely possible for add-ons to mail stuff from your account
automatically, including gold, because some add-ons have a "tip" feature built
in, and some operate by using the mail to help you transfer stuff to a mule
character. So a compromised add-on could just set it up so every time you log
in it automatically mails 1000 gold to another account.

But at least you would have to install the plugin explicitly instead of just
compromising yourself via the chat window.

~~~
mdhughes
You can actually run Lua scripts from chat, exactly the same way:

    /script d("Hello")

But the PC/Mac ESO community tends to be older (rated M) and less gullible in
chat. Gold-sellers got a cold reception and rapid bans.

I suspect that'd work on console players, who tend to be younger, if they had
scripting and addons, which they do not.

------
XCabbage
tl;dr: if you run untrusted code from malicious actors, bad things will
happen.

Nothing new here.

~~~
sbierwagen
As a moderately sophisticated user, I wouldn't have expected the function
RemoveExtraSpaces to immediately enable an RCE attack. It sounds pretty
innocuous.

~~~
nfriedly
I don't think RemoveExtraSpaces has any RCE, but it is overwritable. The
"hack" is tricking the user into overwriting it with a different function
called RunScript.
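
A toy model of the mechanism described in this comment, added here (it is not the article's or Blizzard's code): the client's own text filter gets rebound to its script runner, after which an ordinary incoming chat line is executed instead of displayed. The `ToyChatClient` class, the `harden` check that undoes such a rebinding, and the `marker` line standing in for an incoming message are all hypothetical.

```python
import re


class ToyChatClient:
    """Toy model of the pipeline the thread describes: /run hands text to RunScript
    (the client's deliberate eval) and incoming chat passes through RemoveExtraSpaces
    before display. Added example; the class, `harden` and the binding check are
    hypothetical, not the real client's code."""

    def __init__(self, harden=False):
        self.harden = harden
        self.env = {"RunScript": self.RunScript, "RemoveExtraSpaces": self.RemoveExtraSpaces}
        self._client_bindings = dict(self.env)  # functions the client itself installed

    def RemoveExtraSpaces(self, text):
        return re.sub(r"\s+", " ", text).strip()  # benign filter: collapse whitespace

    def RunScript(self, src):
        exec(src, self.env)  # the intentional eval behind /run
        if self.harden:
            # Hypothetical mitigation: scripts may define their own names but must
            # not rebind a function the client installed; undo it and refuse.
            tampered = [k for k, f in self._client_bindings.items() if self.env.get(k) is not f]
            if tampered:
                self.env.update(self._client_bindings)
                raise PermissionError("script rebinds " + ", ".join(tampered))

    def chat_input(self, line):
        if line.startswith("/run "):  # slash command -> script runner
            return self.RunScript(line[len("/run "):])
        return self.receive(line)  # anything else is plain chat

    def receive(self, text):
        # The filter is looked up by name, so whatever is bound to RemoveExtraSpaces
        # at this moment runs on the sender's text, not the harmless original.
        return self.env["RemoveExtraSpaces"](text)


def run_scenario(harden):
    """Victim types the rebinding line, then a message arrives; report what happened."""
    victim = ToyChatClient(harden=harden)
    try:
        victim.chat_input("/run RemoveExtraSpaces=RunScript")
        rebound = True
    except PermissionError:
        rebound = False
    shown = victim.receive("marker = 'executed'")  # constructed stand-in for a whisper
    return rebound, victim.env.get("marker") == "executed", shown
```

Without `harden`, the message is executed and nothing is displayed; with it, the rebinding is rejected and the message arrives as plain text.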

~~~
nightski
Which is complicated by the fact that any addon (and many users use a dozen
or more) can do this on initialization without the user knowing at all.

~~~
jdmichal
Any add-on added by the user is _already_ executing in the client's space and
has zero need for a vulnerability like this.

It's like saying that any program running on my computer could exploit a
remote code execution bug... I mean, yes, it could. But why would it, when it
already has local execution rights?

~~~
Qwertystop
Because if the add-on just opens up a backdoor, the author can do more
specifically targeted things at their whim rather than blasting everyone who
installed it? Harder to get caught.

~~~
horsawlarway
Still zero need for this kind of exploit. The author of the addon can already
do specifically targeted things at whim at a later point in time.

~~~
nightski
I mean it was already maliciously exploited in a highly used addon. It was a
lot easier to slip in a short one liner than some highly suspicious "hack the
user" blob of code. It was also extremely flexible. They could then do
different things to each person instead of one fixed attack.

------
brootstrap
you guise i got phat loot just enter this magic command and it will appear in
your inventory... Newbies eyes get wide open O.O

