General Gaming News

World of Warcraft LUA Hack Poses Risk to all Players

Blizzard

World of Warcraft‘s addon functionality is quite powerful and there’s been some fantastic LUA addons for the game but a disturbing hack has been discovered.

Reported by the G Data security Blog, the simple hack involves a player typing on specific command into the chat interface. Once activated, the player will open a backdoor to be potentially robbed by another player.

The code in question is as follows:

  • /run RemoveExtraSpaces=RunScript

The command works by replacing an automatic part of the in-game chat channels with a script execution command. The command will allow any attacker to pass commands to the now wide-open client. This command takes advantage of the RunScript API built into the LUA scripting for the game to allow an attacker to potentially wreak any havoc they want. This attack would even allow an attacker to pass completely invisible commands to an end-user. Up to and including completely emptying out a character inventory.

Players need to be aware of this problem and NEVER type in the above command in the chat window, even if asked to by someone you think you know. Also be extremely careful when downloading addons and make sure they come from a reliable source.

The sad reality of any online community is that there are always people looking to take advantage of the ignorance of others for personal gain. World of Warcraft is no exception to this. Social engineering, or the practice of deception to execute a hack is going to be the biggest target vector for this attack aside from poisoned addons. So be aware that people may try to deceive you into running the command.

For example, people could use this command to pose as GMs to players who have run the replacement command previously. I wouldn’t be surprised if spam bots are whispering people LUA commands hoping to find someone who has already run the above command. So if you receive random whispers that look like LUA code, this attack is the reason.

Thankfully, Blizzard have implemented a temporary fix that shows a warning message to users before allowing custom scripts to run, but this will not stop a determined attacker from fooling some users.

The products below are affiliate links, we get a commission for any purchases made. If you want to help support ISKMogul at no additional cost, we really appreciate it.

Related Posts

General Gaming NewsOpinionReviews

StarCraft II: Legacy of the Void Review

Tutorials

How to get more medkits in Crucible

Tutorials

How to get or change liveries in Microsoft Flight Simulator

General Gaming NewsOpinion

Trump increases blame on video games for shootings, plans meeting with industry

General Gaming News

Celeste sells more than 500,000 units, more content coming

General Gaming News

Resident Evil 5 and 6 head to Nintendo Switch October 29

Gaming VideosGeneral Gaming News

Frostpunk Season Pass reveals frosty new expansion, The Rifts

Gaming VideosGeneral Gaming News

Tony Hawk Pro Skater 1 + 2 coming in September

DealsGaming VideosGeneral Gaming News

Oculus Go - a $199 standalone headset, price reduced on other headsets

General Gaming News

PlatinumGames and Tencent partner up for new publishing deal push

Tutorials

Season of Arrivals Badge Requirements in Destiny 2

Uncategorized

Where to farm Grenade Ash in Final Fantasy XIV

General Gaming NewsTutorials

Here's what we know about the Destiny 2: Beyond Light raid

DealsTechnology News

AMD RX 5000 cards to be bundled with Resident Evil 3 and MHW: Iceborne

Tutorials

Is Deep Rock Galactic cross-platform?

Gaming VideosGeneral Gaming News

Pokemon Sword & Shield's The Crown Tundra Release Date

10976 posts

About author
ISKMogul is a growing video game publication that got its start covering EVE Online, and has since expanded to cover a large number of topics and niches within the purview of gaming.
Articles