Quantcast
Backdoors - WoWInterface
Thread Tools Display Modes
10-17-14, 05:54 PM   #1
Resike
A Pyroguard Emberseer
AddOn Author - Click to view addons
Join Date: Mar 2010
Posts: 1,289
Backdoors

Run into this earlier today:

http://www.reddit.com/r/wow/comments..._to_remove_it/

What do you guys think about addons with such functions?
  Reply With Quote
10-17-14, 06:54 PM   #2
SDPhantom
A Pyroguard Emberseer
 
SDPhantom's Avatar
AddOn Author - Click to view addons
Join Date: Jul 2006
Posts: 1,924
I made a personal addon with pretty much the same functions as the backdoor. It allows a remote user to run code on the local machine. As a security measure, it requires the local user to activate it by creating a password the remote user needs to enter in order to start issuing commands.

I only made it as a proof of concept and it worked. As much hacking as I've done using the addon channel, I know there are a lot of ways vulnerabilities can be manifest. This can be anywhere from injecting fake data into the DamageMeters sync routine or spamming Tongues with translation requests in order to retrieve the last typed message.

To answer the question, I wouldn't put any debug code in a full release version of an addon. Exposing a user to remote administration is a can of worms I really don't want to open unless necessary and for as brief of a window as possible.
__________________
ESOUI AddOns | WoWInterface AddOns
"All I want is a pretty girl, a decent meal, and the right to shoot lightning at fools."
-Anders (Dragon Age: Origins - Awakening)
  Reply With Quote
10-17-14, 07:06 PM   #3
Cairenn
Credendo Vides
 
Cairenn's Avatar
Premium Member
WoWInterface Admin
Join Date: Mar 2004
Posts: 7,111
There is a reason why we have a rule against them on the site. Any addon found having such will be removed from the site until such time as the malicious (and yes, we view it as malicious) code is removed. Along with an apology made. And as long as Blizzard is okay with it being re-allowed.

Easter eggs are fine as long as:
  • They are off by default
  • They are clearly stated as being in there with the option for users to turn them on if the user wishes to do so.
Period.

Last edited by Cairenn : 10-17-14 at 07:09 PM.
  Reply With Quote
10-17-14, 10:07 PM   #4
Duugu
Premium Member
 
Duugu's Avatar
AddOn Author - Click to view addons
Join Date: Nov 2006
Posts: 851
Well, that's not the first time I'm wondering why loadstring is still available.
I mean, it's hard to find any legal use for it, and they've resticted so many less hazardous stuff over the years ... but this is still there. *shrug*

As in case of ElvUI I really can't see a positive reason at all.
If the developer didn't care about leaving the code in the release version, then it was poor.
If the developer somehow 'forgot' that there was such code, then it was careless
If the code was intentionally there, then the developer is somewhere between risky and criminal.

Poor, careless, risky, or criminal ... any way you look at it its still bad.

Last edited by Duugu : 10-17-14 at 10:22 PM.
  Reply With Quote
10-17-14, 10:53 PM   #5
Phanx
Cat.
 
Phanx's Avatar
AddOn Author - Click to view addons
Join Date: Mar 2006
Posts: 5,617
Originally Posted by Duugu View Post
Well, that's not the first time I'm wondering why loadstring is still available.
I mean, it's hard to find any legal use for it, and they've resticted so many less hazardous stuff over the years ... but this is still there. *shrug*
Any addon that lets the user input arbitrary code to execute is using loadstring -- custom scripts in kgPanels, custom tags in PitBull, possibly stuff in WeakAuras, etc.
__________________
Author/maintainer of Grid, PhanxChat, oUF_Phanx, and many more.
Troubleshoot an addonTurn any code into an addonMore addon resources
Need help with your code? Post all of your actual code! Attach or paste your files.
Please don’t PM me about addon bugs or code questions. Post a comment or forum thread instead!
  Reply With Quote
10-18-14, 01:30 AM   #6
Torhal
A Pyroguard Emberseer
 
Torhal's Avatar
AddOn Author - Click to view addons
Join Date: Aug 2008
Posts: 1,196
Originally Posted by Phanx View Post
Any addon that lets the user input arbitrary code to execute is using loadstring -- custom scripts in kgPanels, custom tags in PitBull, possibly stuff in WeakAuras, etc.
Not to mention several libraries which need to do this for dispatching.
__________________
Whenever someone says "pls" because it's shorter than "please", I say "no" because it's shorter than "yes".

Author of NPCScan and many other AddOns.
  Reply With Quote
10-18-14, 05:45 AM   #7
Resike
A Pyroguard Emberseer
AddOn Author - Click to view addons
Join Date: Mar 2010
Posts: 1,289
It seems like that code was there intentionally, since there are multiple reports about it beeing used. But even if the dev never even used in the malocious way only for harmless pranks, it's still very risky and bad.
The fact no one noticed this in he code nearly over 2 years proves it. Personally i would never put something like this into a release state addon, but not even into the alpha ones without noticing the user.
  Reply With Quote
10-18-14, 08:05 AM   #8
Duugu
Premium Member
 
Duugu's Avatar
AddOn Author - Click to view addons
Join Date: Nov 2006
Posts: 851
Not to mention several libraries which need to do this for dispatching.
Any addon that lets the user input arbitrary code to execute is using loadstring -- custom scripts in kgPanels, custom tags in PitBull, possibly stuff in WeakAuras, etc.
Ja, ok. That seems to be legal. ;D Thanks.
  Reply With Quote

WoWInterface » Developer Discussions » General Authoring Discussion » Backdoors

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off