
World of Warcraft: When a Single Line of Code Can Cost You Dearly

A single command typed into the chat window can let an attacker take control of the victim's interface in World of Warcraft.


A few weeks ago a new type of attack was discovered that affects World of Warcraft, one of Blizzard's biggest successes. It is a scam that lets an attacker take control of the victim's user interface at will.

This kind of technique in MMORPGs typically relies on social engineering (for example, the attacker sells another player a fake item code for in-game currency). In massive online games of this style, where people create characters and level them up, it is common to find people who promise better items, or even paid features of the game, at no cost. To do this, they trick other players into handing over access to their accounts (by registering on some online portal with their official username and password) or into lending their gear, supposedly so it can be cloned and returned shortly afterwards.

A New Type of Attack in World of Warcraft

Imagine the following situation: while playing, we are approached by a character whose player appears to belong to a very popular guild. The player promises us good items such as rare mounts, weapons, etc. The trick is that the attacker persuades us to enter the following line of text in the chat window:

/run RemoveExtraSpaces=RunScript

The WoW interface (the action bars, the chat window, and all the graphical elements that are not 3D) and add-ons (small additional scripts that extend or improve the game interface) are written in the Lua scripting language.

Both RemoveExtraSpaces and RunScript are legitimate functions that WoW exposes to Lua; neither is part of the Lua language itself. Specifically, the command above does the following:

  • /run is a slash command (an alias of /script) that interprets whatever follows it as Lua code.
  • RemoveExtraSpaces is a function in the default interface code (FrameXML) that collapses unnecessary spaces in a piece of text.
  • RunScript is a client function that executes a string as Lua code.

The chat frame code calls RemoveExtraSpaces on the text of every message we receive. The command above does not wrap that function; it overwrites the global name RemoveExtraSpaces so that it now refers to RunScript (the technique is usually described as hooking, although strictly it is replacing a global, which for the attacker has the same effect). Because the chat code looks the function up by name on every call, the body of every incoming message is now handed to RunScript and executed as Lua. This is not limited to messages from the attacker: anyone whose chat text reaches our chat window is now executing code in our client.

Let's go through an example. Suppose we enter the command above because a player has promised us rare in-game items. As explained, from that moment RunScript runs in place of RemoveExtraSpaces. If the other player now sends us a private message whose text is Lua code, for example message("Test"), a call to the WoW API function that displays a dialog with the given text, the dialog box appears on our screen.

Dialog box displayed on the client by the attacker using Lua

What the attacker has achieved is executing their own code in our client, which means they can now remotely control our game interface. The behaviour is similar to a Trojan horse on a computer (it presents itself as something useful but hides malicious code). In a real case, our account is now exposed to the execution of any Lua script that reaches our chat.
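To make the mechanism concrete, here is an added example that is not code from the article or from the WoW client: a stand-alone Lua simulation of the chat pipeline described above. The real client's RemoveExtraSpaces and RunScript, and the message() popup, are replaced by plain-Lua stand-ins, and on_incoming_chat and slash_run are invented models of the chat frame and of the /run command; everything else (the global lookup by name, the reassignment, the resulting execution) behaves as in the game.

```lua
-- Added example, not code from the article or the WoW client: a stand-alone
-- Lua (5.1 or later) simulation of the chat pipeline described above. The real
-- client calls the FrameXML function RemoveExtraSpaces on every incoming chat
-- message, and RunScript is the client's "execute this string as Lua" function.
-- Both are re-implemented here in plain Lua, the WoW popup function `message`
-- is replaced by a recorder, and on_incoming_chat / slash_run are invented
-- stand-ins for the chat frame and the /run command.

local compile = loadstring or load      -- Lua 5.1 uses loadstring, 5.2+ uses load

-- Stand-in for the FrameXML helper: collapse runs of whitespace to one space.
function RemoveExtraSpaces(str)
    return (str:gsub("%s+", " "))
end

-- Stand-in for the client's RunScript: compile a string and execute it.
function RunScript(code)
    local chunk, err = compile(code)
    if not chunk then error(err) end
    return chunk()
end

-- Stand-in for WoW's message(text) popup: remember the text instead of drawing.
popups = {}
function message(text)
    popups[#popups + 1] = text
end

-- Minimal model of the chat frame. RemoveExtraSpaces is looked up by its
-- global name on every call, which is exactly why reassigning the global works.
local chat_log = {}
local function on_incoming_chat(sender, text)
    local shown = RemoveExtraSpaces(text)
    chat_log[#chat_log + 1] = sender .. ": " .. tostring(shown)
end

-- Model of the player typing "/run <code>" into the chat box.
local function slash_run(code)
    RunScript(code)
end

-- 1. Before the trick: the scammer's whisper is displayed as plain text.
on_incoming_chat("Scammer", 'message("Test")')
assert(#popups == 0, "no popup should appear yet")
assert(chat_log[1] == 'Scammer: message("Test")')

-- 2. The victim is talked into typing the line from the article.
slash_run("RemoveExtraSpaces=RunScript")
assert(RemoveExtraSpaces == RunScript, "the global now refers to RunScript")

-- 3. The very same whisper is now executed instead of displayed.
on_incoming_chat("Scammer", 'message("Test")')
assert(popups[1] == "Test", "the popup appeared")
-- RunScript returns nothing, so the chat frame is handed nil instead of text.
assert(chat_log[2] == "Scammer: nil")

-- 4. The hook is not tied to the scammer: any text reaching the chat frame runs.
on_incoming_chat("Guildmate", 'popups[#popups + 1] = "ran from guild chat"')
assert(popups[2] == "ran from guild chat")

print("simulation finished: " .. #popups .. " scripts executed via chat")
```

Run it with any lua interpreter; the asserts document the state change at each step. Step 4 is the detail that tends to be overlooked: once the global is reassigned, the victim's client executes whatever any player sends to it, which in practice also produces a stream of Lua errors from ordinary chat that does not parse as code.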

Persistence and Hidden Commands

Once the victim has activated this backdoor in their interface, an attacker could send the following chat message (sensitive parts are hidden for security):

Malicious code in Lua

Once executed, the message is not visible in the victim's chat, but it runs immediately. To understand this code, we first need to know that WoW add-ons can communicate with each other through a hidden channel (between players, or locally on one client): an add-on sends a message tagged with a prefix, and add-ons on the receiving client are notified through CHAT_MSG_ADDON events, which are never shown in the chat window.

The script creates a frame, sets various properties on it, and registers it for the CHAT_MSG_ADDON event with a specific prefix. From then on only someone who knows the prefix can control the victim's interface (much like protecting the backdoor with a password): every time the interface receives a CHAT_MSG_ADDON event with the secret prefix, the frame's handler executes the message body, transparently to the victim. Note that this second stage no longer depends on the RemoveExtraSpaces hook, and its messages never appear in the chat window, so the victim has nothing visible to notice.

What Could the Attacker Do?

In WoW, players can trade items with each other; for this to happen, both characters must be close to each other in the world. Since the attacker has full access to the victim's interface, they can read the character's location in the virtual world, travel there, remotely open the trade window, put the victim's items and gold into it, and press the "Accept trade" button. The attacker has effectively stolen items and money from the victim without any direct interaction with them.

This scenario combines social engineering (the attacker convinces the victim to run the command) with a more technical attack (knowledge of Lua and of how WoW executes it).

How to Protect Against These Attacks?

The simplest protection is never to type or paste script commands (/run, /script, or macros containing them) into the chat window at another player's request, under any circumstances. Using well-known, up-to-date add-ons from trusted sites also helps keep our account safe. If we suspect we have already entered such a line, reloading the interface (/reload) or logging out discards the whole Lua state of the UI, and with it both the hook and any frame it created; anything stolen in the meantime, of course, stays stolen.

The underlying problem can only be fixed by Blizzard, by preventing this kind of overwrite of interface functions in some way. One of the latest patches already displays a warning about it.
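Until the client itself prevents the overwrite, the one check a player can run on their own side is a tripwire. The following is an added example, not code from the article and not Blizzard's mitigation: a tiny add-on that saves a reference to the real RemoveExtraSpaces when the UI loads and, once a second, verifies that the global still points at it. It is written against the 6.x-era API the article refers to (C_Timer.NewTicker and print); the add-on name "ChatGuard" and its messages are made up for illustration.

```lua
-- Added example, not from the article and not Blizzard's own mitigation: a tiny
-- add-on-style tripwire for the current UI session, written against the 6.x-era
-- WoW API (C_Timer.NewTicker, print). The add-on name "ChatGuard" and the
-- messages are made up for illustration.
--
-- Add-ons load before the player can type anything, so the reference captured
-- here is the genuine FrameXML function, not an already-hooked one. It is a
-- local, so a later /run line cannot reach it by name.
local original = RemoveExtraSpaces

local function check()
    if RemoveExtraSpaces ~= original then
        print("|cffff0000[ChatGuard]|r RemoveExtraSpaces was replaced by another "
              .. "function; restoring it. Did you paste a /run or /script line into chat?")
        RemoveExtraSpaces = original
    end
end

-- Poll once per second for the rest of the session.
C_Timer.NewTicker(1, check)
```

To load it, the file goes in its own folder under Interface/AddOns together with a .toc file that lists it and declares the interface version of the client. Be clear about what this buys: it shortens the window in which the hook is live to about a second and gives the player a visible sign that something was tampered with, but a payload that arrives inside that window still runs, and anything a /run line can do, a more careful attacker can also work around. That is why the real fix has to come from Blizzard.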

Warning introduced by Blizzard upon discovery of this type of attack

So be careful about executing commands and scripts directly in the chat.