The Lawbringer: The dangers of addon auto-updaters

As new people flood into the new and exciting World of Warcraft that Cataclysm has brought us, security concerns become heightened and the number of people targeted becomes greater. No one wants to get hacked, and no one wants to have to deal with all the mess that comes with the hacking hassle. This week, The Lawbringer continues an important discussion about account security by talking about addons, auto-updating programs, and the potential risks involved.
I have it on good authority that a good deal of issues received by the Blizzard customer support folks happen because of good people clicking bad links and hackers taking advantage of people who just don't know any better. This isn't a blame game column, but rather a look at the practices and perils of an aspect of addons that presents a danger. We'll hopefully shed some light on the subject, to protect people from malicious attacks on their accounts.
People can assume that addons are safe when they potentially aren't. We're a trusting bunch, especially of something so integrated into the World of Warcraft communities. And for the most part, people are right -- addons can be a very safe and very rewarding part of the World of Warcraft experience. The problem is that the people who want to gain control of your account information know that you and I think like this, and they do their best to knock you off guard.
This might not be a popular article. It's not a popular topic, because addon auto-updaters are popular in the community and, in fact, provide a pretty awesome service when they work and keep people safe. The information, however, is still something you should be aware of.
What is an auto-updater?
In a nutshell, an addon auto-updater is a program that can find a new version of your addon and automatically install that addon into your World of Warcraft interface directory. Some addons or services use a piece of software that may or may not contain HTML, Flash ads, or other types of code that are potentially harmful. Some of these pieces of code are easily made malicious or could already contain some sort of malware or spyware.
When an addon is updated, the auto-updater program goes out, picks up the new files, and runs its own program to place those files into your WoW interface directory, thus automatically updating your addons. It is convenient, especially for someone who wants a click interface for what many consider to be a clumsy task of installing addons. I am in that camp as well -- installing addons is clumsy.
The problem
The issue with auto-updaters is that you don't know what files are being put into your interface folder or what programs are being run. Some auto-updaters contain Flash ads or other HTML that could be running malware or spyware aimed at grabbing your information. Usually, it's not the auto-updater's fault -- most of the time, it doesn't control the advertisements that get sent over to the Flash box living in its programs or even have complete control over what addons get distributed through the network. These aren't the easiest things in the world to detect. Despite this, the potential for hacking goes up when you use an auto-updater because of added exposure to the outside world.

One common objection I hear from people about account security, addons, and auto-updaters is that they've been using the updater for years, and it hasn't gotten them hacked yet. The problem with that argument of time-tested strength is that it doesn't take into account the fact that at any time, new code could be downloaded and placed into your WoW directory. Addons keep changing, new people get infected, and hackers get even more crafty in their methods.
Hackers upload infected versions of addons that might not get caught during the first round of downloads on many popular auto-updaters. Sure, they get found and deleted, but those first few unlucky souls do still bear the brunt of the problems.
Anti-virus applications are not the answer
Many anti-virus programs don't catch malware, spyware, and the types of keylogging programs found in these infected addons. Norton AV, for instance, is more of a business-type anti-virus solution, and it doesn't do a great job weeding out the personal infection stuff that hackers like to stick in addon packs.
Google links and searches
This isn't even a matter for discussion -- don't click on Google-sponsored links for addon searches or any links to unknown sources for addons. Hackers know the popularity of addons and are more than willing to game search terms to find a way onto your system. Some auto-updaters in the past have fallen prey to exactly these problems; looking for one fairly safe auto-updater leads you to something that was engineered from the ground up to take your account information.
The solution
The solution to avoiding auto-updater issues is not merely to drop your auto-updater or to chastise the people who make them. Rather, the fight should be for safety and security in the World of Warcraft addon world. I write a lot about addons and the addon community, and these are all good people who deserve your patronage and kind words. The last thing any of them want is for their own creations to be compromised or sullied by an insecure auto-updater making them look bad, especially in the eyes of Blizzard (which is fielding the phone calls from infected players).
Instead, the solutions are to demand a safer playground and to use your own judgment and internet savvy to prevent yourself from infection. Manually installing addons can help a great deal in that sphere, and it's easier than you think. You get to see the files that you are installing and can quickly check for executable files that might live inside an unknown addon's folder. Check out Addons 101 for a quick guide on manually installing addons.
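An added example, not code from this column or from any addon site: one way to run the check described above on a downloaded addon ZIP before unpacking it. It goes slightly beyond the text by also flagging renamed executables and entries that would land outside the AddOns folder; the extension lists and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumption: file types a normal addon ships (code, manifests, art, sound, fonts, docs).
EXPECTED = {".lua", ".toc", ".xml", ".tga", ".blp", ".ogg", ".mp3", ".wav", ".ttf", ".txt", ".md"}
# Assumption: a non-exhaustive list of file types Windows will run.
RUNNABLE = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".msi", ".vbs", ".js", ".ps1", ".lnk"}


def audit_addon_zip(archive):
    """Return (entry name, reason) findings for an addon ZIP without extracting it."""
    findings = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.replace("\\", "/")
            path = PurePosixPath(name)
            ext = path.suffix.lower()
            if name.startswith("/") or ".." in path.parts or ":" in path.parts[0]:
                findings.append((info.filename, "path escapes the AddOns folder"))
            if ext in RUNNABLE:
                findings.append((info.filename, "runnable file type"))
            elif ext not in EXPECTED:
                findings.append((info.filename, "unexpected file type"))
            # A Windows executable starts with the bytes "MZ" whatever it is named.
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ" and ext not in RUNNABLE:
                    findings.append((info.filename, "executable header under another name"))
    return findings


def build_sample():
    """Constructed sample archive: one ordinary addon plus two planted files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("GenericAddon/GenericAddon.toc", "## Interface: 40000\nCore.lua\n")
        zf.writestr("GenericAddon/Core.lua", "print('hello')\n")
        zf.writestr("GenericAddon/setup.exe", b"MZ\x90\x00")
        zf.writestr("GenericAddon/Media/logo.tga", b"MZ\x90\x00")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, reason in audit_addon_zip(build_sample()):
        print(f"{entry}: {reason}")
```

An empty result only means nothing in the archive looked like a program; it says nothing about the updater that fetched it or the ads that updater displays.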
Remember:
- Download addons only from trusted sites like WoWInterface and Curse.
- Do not click any links about addons or auto-updaters that lead to sites that you do not know.
- Be smart -- if it sounds too good to be true, it probably is.
Reader Comments (Page 1 of 7)
Baba Dec 10th 2010 4:07PM
But my Curse Client and I *LOVE* each other... :'(
She would *NEVER* give me an ATV (Automatically Transmitted Virus)...
Elmo Dec 10th 2010 4:12PM
I would totally install one if it gave me an ATV (All Terrain Vehicle)
gewalt Dec 10th 2010 6:23PM
Curse has had its installer program infected before (they got hacked server side) and they have also sold ad space to unscrupulous companies that used known security flaws in Windows to compromise machines.
Nothing is perfect. I still use curse client.
bishop78 Dec 10th 2010 7:16PM
I use curse client to check for updates then manually download/install them instead of using the client.
Tim Dec 10th 2010 7:04PM
I keep feeling like people are missing the point here. It doesn't matter what limits blizzard places on addons. That's not what he's saying.
What he *is* trying to say, is that your addon client could be downloading anything that calls itself "generic addon 12" regardless of whether it's the actual addon or whether a hacker got into the guy's addon account and uploaded a virus-laden addon. Because you're not actually looking at the files that are getting installed, you can't see whether or not there's a .exe that's being installed.
Yes, curse monitors addons for viruses. Mostly through feedback. Which means that people get the virus first, and then leave feedback. Which means that people had to get issues in the first place.
If you consider the potential of sneaking a .exe into an addon the morning of a big expansion, just the number of people downloading it each second is going to give someone a lot of information. Yeah, it'll get reported and taken down. But not before x number of people installed it to their computers.
Seriously. I don't care how long you've been in the "tech" business, or what you think blizzard limits addons to. The point, again, is that you could end up downloading something other than an addon. LUA itself might be limited, but you're not necessarily just getting LUA.
theRaptor Dec 10th 2010 10:54PM
Who cares? If you care about your account security you use an authenticator. The chances of a successful attack against an authenticator are very low and as far as I know one has never been seen in the wild.
My bank account is less secure than my wow account.
There is no point worrying about getting malware through an addon auto-updater when you are several orders of magnitude more likely to get malware from the flash ads on a site like WoW Insider (unless you use browser settings which disable them).
gatovato Dec 11th 2010 2:39PM
Or just use the Blizz authenticator. At first I didn't like the 2nd password, but this expansion has been stable, and I'm not constantly kicked off. Glad to read Curse takes security seriously; for $20 a year, it's worth using.
Mssr Moo Goo 2 Jan 2nd 2011 2:01AM
if it's not broke, don't fix it.
I install my addons manually because I don't trust Curse. But do you really need to update them that often?
DBM now and then when there is new content, Auctionator, Atlas loot.
But that's about it. Most other add ons just don't seem to need much updating between patches.
Hangk Dec 10th 2010 4:08PM
This article is technically misleading.
No addon contains Flash, HTML, or any executable code other than LUA, and the LUA can only do what the WoW addon API says it can do, which is limited to safe behaviors. No addon can steal your account information or take over your computer, period.
It might be possible for your addon *updater* to be Trojaned and/or execute malicious code, but an addon itself simply cannot carry a malicious payload because of the way the game is designed. There Is No Such Thing As A Virus Infected Addon.
Systems administrator & network engineer 12+ years experience sez: keep on using Curse to update your addons 'cos it's just fine.
Jeff Dec 10th 2010 4:13PM
That's exactly what he's saying. Several updaters (The Curse client, for example) run flash ads in the client. The article is about updaters.
Fatbeard Dec 10th 2010 4:16PM
THIS
If your auto-updater is from a trusted source like Curse then you should be in the clear. The only way for the Curse auto updater to be compromised is if:
1) someone hacked curse and you happen to update to a bogus updater (Very Unlikely)
2) Your computer has some malware that specifically targets the curse updater (If so, you have bigger problems)
3) You install the Curse updater from an unscrupulous site. If you're only going to curse.com then this isn't an issue.
The same goes for WoWInterface, both sites go to great lengths to make sure there isn't any unsavory code on their site. I think this article does a disservice to those addon sites that have been nothing but reputable.
Fatbeard Dec 10th 2010 4:23PM
In regards to Flash ads, I can't imagine that Curse or WoWI would not go to the same extreme lengths they do with their addon repository to ensure the ad vendor is reputable.
Crazyates Dec 10th 2010 4:40PM
I have been hacked (or more accurately, keylogged) twice by using the Curse Installer/Updater. There was a certain addon that after I used Curse to install it, I started getting hacked, even after I changed my password. I used Curse to uninstall it, and between that and buying myself an authenticator, I was all set.
My only guess is that while the Curse Client is fine, that addon had some sort of installation script that ran a keylogger. This was an addon I had read about from this website (tho I forget the name), and I heard stories of other ppl in the same boat as me.
Oh, and I'm an IT tech here as well, and I'm usually very cautious with my downloads.
Short story: the author has a valid point. He RECOMMENDS using Curse.com, just not the client. Please do so.
Saeadame Dec 10th 2010 4:47PM
I think I heard that the curse updater program has been compromised in the past (yes, someone hacked curse and did strange things to their program), which is perhaps why he's cautioning people. If it's happened before, it can happen again.
chasingsol Dec 10th 2010 4:54PM
What happened was that there were fake sites masquerading as Curse that appeared at the top of Google sponsored result listings. The Curse client has _never_ been compromised. While I appreciate the assertions regarding Flash appearing in the client, what's to say that the very large Flash ad at the top of this very page isn't malicious? Does WoW Insider screen every single ad that they get? I seriously doubt it, because they likely use advertising companies that push ads, rather than screening every single one.
So, if we're all supposed to be terrified of Flash, then we should also stop visiting WoW Insider and 90% of websites out there?
Fade2gray Dec 10th 2010 4:57PM
Entirely agree.
Every time I read one of McCurley's articles I become less and less impressed with WoW Insider's choice in replacement for the previous author. This guy has no clue about legal issues or how legal systems ACTUALLY work, runs down random rabbit holes, and now thinks that an article about the nebulous threat of add-on clients is an appropriate topic for the LAWbringer's column. Good Lord! He doesn't even back up his assertions with even the remotest proof that the flash boxes in clients are a real threat. He essentially just said "flash can contain viruses so all add-on clients are dangerous." Really? And all the flash ads on the clients' host sites are somehow less so?
McCurley really needs to go...
Matt Dec 11th 2010 8:29AM
@fade2grey
a.) you speak as though you have a grasp over the law mccurley doesn't. judging by your egregious use of the english language, it must be foreign law...or perhaps some other general legal field i'm not familiar with. not only is your reasoning shallow and thoughtless, but you'd be fired from a firm or clerkship the moment you submitted anything resembling work like that. if it is foreign law, you are in no better place to judge. pot, meet kettle.
2.) with that segue out of the way, wtb spellchecker
Gamma.) if you'd like him to provide proof flashboxes provide viruses, it would be even less on topic and longer, i'm sure, than what he wrote here. it is actually a pretty big legal deal when you download a virus off of an automatic updater and violate the EULA. ignorance is no excuse for not following the law. mccurley is providing a likely necessary PSA, given the expansion will likely lead to more people downloading a ton of addons through various means. imho, kudos for giving the less addon-educated a heads up, mat! keep on truckin'!
Drakkenfyre Dec 10th 2010 6:01PM
I find it ironic that Curse would say theirs is safe, considering they are the ones who have infected a ton of people before.
The ADDONS it installs may be safe, but the FLASH ads it displays are not. Idiotic sales people seem to not screen anything they sell space to. Look at Google, 9/10 googling "WoW Armory" will result in a malware or phishing site as the sponsored result.
"Huh, these guys want to buy ad space? Ok!"
(Buyer places a Flash exploit ad with a keylogger in their ad.)
(Users of the Curse updater get the ad, and if they are not secured against Flash exploits or malware, are hit, and their computers are infected.)
So, either be lazy and not update your addons yourself, and hope that you are completely protected against malware, and one doesn't slip thru, or just take the few moments it takes to look up new versions when they are out.
thinice Dec 10th 2010 6:05PM
Running 'flash adz' in the curse client is just as arbitrary as running them in a flippin web browser.
jcgreentk Dec 10th 2010 6:18PM
Hangk is absolutely, dead-on right about this one. Two words to the wise: "trusted source".