World of Warcraft's addon system is quite powerful, and there have been some fantastic Lua addons for the game, but a disturbing hack has been discovered.
Reported by the G Data Security Blog, the simple hack involves a player typing one specific command into the chat interface. Once run, it opens a backdoor through which another player can potentially rob them.
The code in question is as follows:
- `/run RemoveExtraSpaces=RunScript`
The command works by replacing RemoveExtraSpaces, a helper the in-game chat channels call automatically on incoming text, with RunScript, the API that executes Lua code. From then on, text another player sends through chat is executed rather than displayed, so any attacker can pass commands to the now wide-open client. Because the text is consumed as code, the victim may never see it, and the attacker can do essentially anything the Lua API allows, up to and including completely emptying out a character's inventory.
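One defensive check, as an added example that is not from the G Data report or from Blizzard: a hypothetical addon snippet that snapshots the real chat helper when it loads and later verifies the global still points at it, reverting the swap if it was replaced with RunScript (or anything else). It assumes the addon loads before the swap happens, which holds when the player types the /run command after logging in.

```lua
-- Hypothetical addon code (not part of the game or of any real addon).
-- Snapshot the genuine functions at load time so later comparisons have a trusted reference.
local origRemoveExtraSpaces = RemoveExtraSpaces   -- Blizzard's chat-frame whitespace helper
local origRunScript = RunScript                   -- the script-execution API the hack abuses

-- Returns a status string and repairs the global if it has been tampered with.
local function CheckChatHookIntegrity()
    local current = _G.RemoveExtraSpaces
    if current == origRemoveExtraSpaces then
        return "ok"
    end
    -- Restore the helper so incoming chat text is trimmed again, not executed.
    _G.RemoveExtraSpaces = origRemoveExtraSpaces
    if current == origRunScript then
        return "replaced-with-RunScript"          -- exactly the swap the /run command makes
    end
    return "replaced-with-unknown-function"       -- some other macro or addon hooked it
end

-- Poll from a frame's OnUpdate handler; the check is a single comparison, so it is cheap.
local watcher = CreateFrame("Frame")
local sinceLastCheck = 0
watcher:SetScript("OnUpdate", function(self, elapsed)
    sinceLastCheck = sinceLastCheck + elapsed
    if sinceLastCheck < 5 then return end         -- check roughly every five seconds
    sinceLastCheck = 0
    local status = CheckChatHookIntegrity()
    if status ~= "ok" then
        print("Chat hook tampering detected and reverted: " .. status)
    end
end)
```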
Players need to be aware of this problem and NEVER type the above command into the chat window, even if asked to by someone you think you know. Also be extremely careful when downloading addons and make sure they come from a reliable source.
The sad reality of any online community is that there are always people looking to take advantage of the ignorance of others for personal gain. World of Warcraft is no exception. Social engineering, the use of deception to get a victim to carry out a hack, will be the biggest attack vector for this exploit aside from poisoned addons. So be aware that people may try to deceive you into running the command.
For example, an attacker could use this to pose as a GM to players who have previously run the replacement command. I wouldn't be surprised if spam bots are whispering people Lua commands in the hope of finding someone who has already run the above command. So if you receive random whispers that look like Lua code, this attack is the reason.
Thankfully, Blizzard has implemented a temporary fix that shows a warning message to users before allowing custom scripts to run, but this will not stop a determined attacker from fooling some users.