(3 Kb)
Updated: 07-08-10 05:30 AM
File Info
Updated:07-08-10 05:30 AM
Created:07-08-10 03:48 AM


Version: 20100709
by: Yawning [More]

RealID has to be one of the dumbest things ever.
The actual Real ID implementation is dumber than the RealID concept.

The fact that it is possible for a malicious addon to determine what your First/Last Name is even if you do not otherwise use the feature is flat out inexcusable.

The root cause of this problem is that you are implicitly a valid RealID whisper candidate. Thus with clever use of BNSendWhisper(idx, msg) an addon can pull your name out of the outgoing/incoming chat whisper.

A simple example of this:

/run BNSendWhisper(BNGetInfo(),"RealID whisper from yourself..");
_BNIsNotSelf/BNIsNotSelfTest.lua contains sample code that would be similar to what is used in an actual "malicious" addon. (Hide what you are doing from the user, an example of "light" obfuscation that would hide it from grep)

What BNIsNotSelf does is attempt to work around this by:
Changing BNSendWhisper(idx, msg) to complain loudly if an attempt is made to whisper yourself via RealID (Error message + Stack trace).

If someone else has replaced "BNSendWhisper" before the addon is loaded, an error message will be displayed when the addon is loaded.

* The amount of protection it can provide is strictly dependent on load order. The actual addon is named "_BNIsNotSelf" in an attempt to avoid this issue out of the box for most environments. If "_BNIsNotSelf" is not at the top of the addon list, or load order ends up placing other things before it, it will complain once on load time, and give a list of addons that could potentially have worked around what protection I can provide. For guaranteed results _BNIsNotSelf MUST BE THE FIRST ADDON LOADED.

20100709 - Release from the future. (TM). Don't mess with BNIsSelf() since it's pointless. Check for taint before we hook BNSendWhisper() and complain if we detect any.
20100708 - Initial public release.
Optional Files (0)

Archived Files (1)
File Name
07-08-10 03:48 AM

Post A Reply Comment Options
Unread 07-12-10, 12:47 PM  
A Deviate Faerie Dragon
AddOn Author - Click to view AddOns

Forum posts: 17
File comments: 35
Uploads: 13
No longer needed

As reported here with more info here, the exploit that BNIsNotSelf prevented no longer exists.
Last edited by Nafe : 07-12-10 at 12:48 PM.
Report comment to moderator  
Reply With Quote
Post A Reply

Category Jump: