Could WOW Roster be used to attempt WOW Account Hack

Requests, feedback, and general discussion about WoWRoster
DO NOT post topics about WoWRoster AddOns here!

Postby noneyabiznezz » Thu Aug 09, 2007 1:03 am

Let me tell a little story and let me know what you guys think.

I am the webmaster for our guild. I recently installed WOW Roster (No Addons) and everything has been working beautifully. Nothing suspicious yet....

On August 1st, I received an email from Blizzard Entertainment that was a notification of a change to my user account information and that I should click this "link" to continue processing my requested changes.

The email address and phone number of my account were being changed to something other than what I set them to.

Upon attempting to log into WOW using the game client, my account was locked out. I quickly logged into WOW Account Management (From another computer, not used for gaming) and changed my account password. No further problems with this account.

I was quite confused and have been pondering this event ever since.

The more I thought about the problem, the more I analyzed all of my behaviors that could have led up to this event. Today, I called the telephone number that was listed on the email from Blizzard.

Ring...Ring.. Hello? This young man answers the number I called. He is shocked to find out that his phone number is being used in an attempted online hacking scam. Guess what? He too is a World of Warcraft player. And this is where the plot thickens.... He too installed WOW Roster last week....

Could the WoW Roster site be the cause? Could someone derive the official WOW Account name from the character names listed on the WOW Roster Site?

It's too much of a coincidence to be ignored, what are your thoughts?
noneyabiznezz
WR.net Apprentice
Posts: 3
Joined: Thu Jul 12, 2007 10:49 am

Postby zanix » Thu Aug 09, 2007 1:21 am

Roster does not and cannot request, store, or access your account name or password.
When you upload files via the upload page, the web browser does not send the path to your lua file.
You also cannot store your account name or password in the lua data file as well, WoW's API prevents that.

I would definitely run a virus and spyware scan on your computer.
It might be possible you picked up something.
I know some of the addon sites have the occasional breach of security and malware can get onto users' systems.

Also, did you click the link in that email? Or did you go directly to the wow account page to check this?
I know blizz sends a confirmation letter saying you changed your info, not a link to confirm your change.
Read the Forum Rules, the WiKi, and Search before posting!
WoWRoster v2.1 - SigGen v0.3.3.523 - WoWRosterDF
zanix
Admin
WoWRoster.net Dev Team
UA/UU Developer
Posts: 5546
Joined: Mon Jul 03, 2006 8:29 am
Location: Idaho Falls, Idaho
Realm: Doomhammer (PvE) - US

Postby noneyabiznezz » Thu Aug 09, 2007 2:02 am

Zanix,

I agree with your assessment. I don't believe an actual account compromise occurred but my account name had to be read from somewhere. I find it very suspicious that the phone number displayed in the email from Blizzard belonged to somebody else that recently installed WOW Roster.

What are the odds? 11 million paying subscribers and the account information used in an attempted hack belongs to somebody else that happens to be a webmaster that recently installed WoW Roster.

Could someone glean the actual WOW account name based on the information stored by WOW Roster? That's all I am asking, nothing about the password. What about UniLoader?

I am going to call the guy back to see what other web related development tools/addons we have in common.
Last edited by noneyabiznezz on Thu Aug 09, 2007 2:05 am, edited 1 time in total.
noneyabiznezz
WR.net Apprentice
Posts: 3
Joined: Thu Jul 12, 2007 10:49 am

Postby zanix » Thu Aug 09, 2007 2:52 am

I don't believe there is a way to get the account name based on the info in Roster. As I said, Roster cannot access this info.

As for UniUploader, it can read the account name, as it's in the file path to CP.lua.
If you downloaded UU from an untrusted source they could have inserted code to send your account name somewhere.
If you mistakenly entered your account name/password in the user name/password boxes in UU, someone *could* intercept that and get this info if you have malware on your system, or they compromised your web server, or somehow entered an additional upload URL in UU.
You should never enter your account name and password in the user name/password boxes in UU.

UU doesn't send your account name ever (unless it falls under the conditions above). As for the lua files, it only sends the file itself (without the file path).
zanix
Admin
WoWRoster.net Dev Team
UA/UU Developer
Posts: 5546
Joined: Mon Jul 03, 2006 8:29 am
Location: Idaho Falls, Idaho
Realm: Doomhammer (PvE) - US
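
Added example, not part of the original thread and not WoWRoster or UniUploader code: a check of whether an upload body exposes the account name that sits in the local path to CP.lua, comparing a body that carries only the file's base name with one that carries the full path. The path layout, the form field name `CP`, the sample Lua content, the placeholder account `EXAMPLEACCT` and all function names are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample data; the account folder name is a placeholder.
SAMPLE_PATH = (r"C:\Games\World of Warcraft\WTF\Account"
               r"\EXAMPLEACCT\SavedVariables\CP.lua")
SAMPLE_LUA = b'myProfile = { ["Doomhammer"] = { ["Somechar"] = {} } }\n'


def account_from_path(path):
    """Return the folder name that follows 'Account' in the path, or None."""
    parts = re.split(r"[\\/]", path)
    for i, part in enumerate(parts[:-1]):
        if part.lower() == "account":
            return parts[i + 1]
    return None


def build_upload(path, content, send_full_path=False,
                 boundary="----constructedboundary"):
    """Build a multipart/form-data body for one file.

    With send_full_path=False only the base name goes into the
    Content-Disposition header, so the directory names stay local.
    """
    filename = path if send_full_path else ntpath.basename(path)
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="CP"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    return head + content + f"\r\n--{boundary}--\r\n".encode()


def leaks_account(body, account):
    """True if the account name appears anywhere in the outgoing body."""
    return account.lower().encode() in body.lower()


if __name__ == "__main__":
    acct = account_from_path(SAMPLE_PATH)
    for full in (False, True):
        body = build_upload(SAMPLE_PATH, SAMPLE_LUA, send_full_path=full)
        print(f"full path sent={full}: account exposed={leaks_account(body, acct)}")
```

The same `leaks_account` check can be run against a captured request body from any uploader to confirm that neither the filename header nor the file contents carry the account folder name.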

Postby noneyabiznezz » Thu Aug 09, 2007 4:11 am

Thanks for the response. This one is driving me crazy.

I don't believe the machine is compromised by a virus or malware. I spent last night running several different Virus scanners. I also ran adaware, SS&D & AVG.

The website might be the next suspect. I'll let you know what I find.

Thanks,

-Brian
noneyabiznezz
WR.net Apprentice
Posts: 3
Joined: Thu Jul 12, 2007 10:49 am

Postby zanix » Thu Aug 09, 2007 4:22 am

Good luck, and let us know your findings
zanix
Admin
WoWRoster.net Dev Team
UA/UU Developer
Posts: 5546
Joined: Mon Jul 03, 2006 8:29 am
Location: Idaho Falls, Idaho
Realm: Doomhammer (PvE) - US

Postby tuigii » Thu Aug 09, 2007 6:10 am

To make this very very clear:
Your WoW password is never ever used - except YOU entering it IN the WoW login screen & YOU logging into their account handling sites.

Never ever use or store it elsewhere.
It isn't needed elsewhere - like credit card (access) numbers etc.

Mail from Blizzard?
Saw them once, my phone number was not in it - true is (I just checked) - one can give them the daytime and night time phone numbers (so, I did, thanks!).

Anyway, I just READ mail from my bank (never had one), Paypal, VISA, etc. I don't care less for links in them.
I login to their sites - I bookmarked their sites (https ones) because, once, I left my credit card number on them - I'd better keep hold of them - they don't need to keep hold of me :wink:

Your password has fallen into the wrong hands - where did they get it from?
(hijacked the wow login part of your WoW version ???? Wooooow - those guys aren't cracking WoW then, they could be doing better elsewhere: where these criminal acts really PAY.)
What can they win with it? Your goldies -> lololololol.

Ok, I admit, as you said: I don't get it either - But I put my hands into fire for the fact that WoWRoster isn't doing anything wrong.
The file that's being transferred doesn't contain any sensitive information.
Even the name of the file isn't transferred.
IE (or any other browser) is ordered to send over a file.
That's it.
tuigii
WR.net Master
Posts: 891
Joined: Wed Dec 27, 2006 12:57 pm
Location: Somewhere in the South Ouest of France

Postby MattM » Fri Aug 10, 2007 7:59 am

noneyabiznezz wrote:
Ring...Ring.. Hello? This young man answers the number I called. He is shocked to find out that his phone number is being used in an attempted online hacking scam. Guess what? He too is a World of Warcraft player. And this is where the plot thickens.... He too installed WOW Roster last week....


Paranoia runs deep in the WoW Community :D
MattM
UA/UU Developer
Gimpy Developer
Posts: 886
Joined: Tue Jul 04, 2006 9:53 pm
Location: USA

Postby MattM » Fri Aug 10, 2007 8:03 am

woot for good forum signatures! :P
MattM
UA/UU Developer
Gimpy Developer
Posts: 886
Joined: Tue Jul 04, 2006 9:53 pm
Location: USA