Malicious code in latest ATLAS (1.32)
 

@Cairenn or moderators -- tried PM first, delete this thread if needed once action taken.

Until one of the admins can remove the file (at least), disable ATLAS or make sure it does not update to version 1.32.

The latest version of ATLAS has the following malicious code in it:

For those who don't understand LUA, when the game loads in, it sends a mail with all gold in your bag to a specific player.

I've submitted a ticket and talked to a GM to report the account the gold was sent to.

I was robbed.
 

I updated this add-on before reading this and my gold is missing.

If you do lose your gold, disable the addon then contact a GM using the in-game 'Ask for Help'. Someone responded fairly quickly was able to restore the gold. Asked to logoff 5min or so to restore it and when logged back it in was there. The GM did indicate they were taking actions on their end -- whether banning or some form of bulk restore to everyone who sent mail to that person I don't know.

Yeah, I've already pulled it. Will be speaking with the 'author' shortly, just in the middle of something else right now.

Thank you for the warning. Hope all those whom this effected get help.

Now that we know this can happen how do we protect ourselves?

Cairenn the "unredacted" code is showing up in several comments on the ATLAS page. you may want to mod those or lock it. Id hate for someone else to take that code and add it to other addons and upload it.

Im surprised its that easy to trigger a mail with all your gold via an addon, i mean its literally just three lines of code...


Thanks for the heads up.

Very bad news, what that guy think ?

Ok, writing this kind of code need ~1h starting from 0 in LUA,

But it's also require 2-3 ZOS GM, your account definitively banned in less than 10 minutes, and now ZOS will get their reflexion on "Should we disable functionnality of sending items and gold in addons ?". ESOUI don't need this kind of people here. We're all volunteers and spend time to prevent this things is really boring.

Okay, we got a problem with dev who leave and no one to take back their work, but seriously, I'm addon dev, if I leave ESO tomorrow, I don't want someone like this being in charge of my work. We're few and it's not easy, lot of us stop their work because maintaining addon is a time gap for us.

I got a 10hours work destroyed because one of my functions was also used by goldsellers, and if in next release some functions will go to private we'll know where it comes from.

It sucks.

Hey all. I wanted to let you know that this is on our radar on the code side and we've been discussing it internally. We of course believe in protecting players from malicious add-ons. However, it is also important to acknowledge that security often comes at the cost of restricted functionality. By making the mail attachment functions private would could prevent this behavior in the future. However, this would also prevent any sort of automated item or gold mailing add-on. In this particular case, it may be worth sacrificing the functionality for extra protection, but I first wanted to ask your opinions on the value of having accessible functions for managing mail attachments specifically. How useful are they to your existing or planned add-ons?

I could concede access to a function that mails gold.

However, say I wanted to write something that would automatically send some items of type x to my group mate for immediate return who is dungeon farming with me (thus clearing some inventory space and allowing us to continue looking for Dwemer Scrap). I would like to retain access to an attachment function that only allows items to be attached without user input.

Or, just had this idea while replying, maybe change the attachment function to be a wrapper for a protected or private function that produces a confirmation dialog before any items/gold are attached to a mail? That way it shouldn't be able to be overwritten to remove the check.

All I want is confirmation dialog when you sending mail with attachment.
It would be better if you can do that without making functions private. However as for me, I really do not mind if addons can't send attachments at all. Automated sending items just to clear bag space is convenient, but also sort of cheating.

I can see the viewpoint that it is "cheating." My main point I guess was that I don't think a machete needs to be taken to the API again.

If this function needs to die, okay. But I would at least like all options to be explored first - in this case a confirmation dialog that cannot end up overwritten and skipped.

Im not a ui author but I am a user of quiet a few addons that at this point I wouldnt want to play without. I would rather have better inventory solutions like maybe more space as in per character and account bank space and a send to bank option from inventory.
As for this particular issue, a confirmation click that cant be automated would seem fair. It would help protect people but still allow legit use.

Best solution would be a confirmation on send instead of attach. It'd kick in whenever the mail being sent has gold attached. The dialog would also have to be protected from any addon access (so it can't be automated).

This could potentially be extended to items, but that's not as critical from two fronts: 1) it's more difficult to send high-value items than a bunch of gold and 2) people do use it for inventory management. I'm not sure the risk/impact warrants it, unless it's implemented as optional from the settings. In which case, each user would decide for themselves whether it's worth the risk.

If functions do need to be made private, the SendMail() function itself would be plenty to stop it. That way the addon could prepare the mail and let the user hit send, similar to how chat is blocked off. This would have the most impact on fully automated addons like Wykkyd's mail return and the GuildMail addons. Both of those are fairly well-used to save a lot of time, so it'd probably annoy a few people.

I'm going to agree with the confirmation on attach. It seems the best and easiest way to please everyone and still be safe.

Definitely a private function that is the backbone of any mail attachment, this would leave mass mailing addons such as mailR alone, allowing for guild automation in sending out notifications, etc.

In saying that, I can foresee Wykkyd being quite unhappy with a dialogue box being thrown up on every mail that has attachment, would be good to see input from Wykkyd here.

On the note of mailing, could you please add a @name <Guild Association>... It would assist greatly in recognition of players from in-guild when dealing with mail.

Whether wykkyd likes it or not is not the question. The functionality that he uses can also be used to send specific items or gold to a random person for his own gain.

A confirmation box with the full mail message/attachments is what you want, if you want to prevent this.

Note that i used the mail functionality in the past to send loot information to my account. If the mail is text only then you can question if it should be confirmed by a dialog box.

confirmation
 

Hi,

A confirmation dialogue is the solution I would like best. It would be even more fun if you could give each add-on certain permissions and in case of lack of permission put out an error notification window that tells you if the add-on tried something and which permission would be required.

Thank you all for the replies. We'll be looking into a secure confirmation for mails with attachments.

Thanks for thinking of us!