What is a backdoor?
A backdoor is a hidden way for someone, sometimes the software's own developer, to retrieve information from or execute commands on a client machine without going through the program's normal, documented interface. Backdoors are generally malicious, though occasionally a backdoor created for debugging purposes escapes into the wild because the developers forgot to remove it.
Does ElvUI still have this backdoor?
Not as of October 19th, 2014. In ElvUI's case, the backdoor was removed once the authors were called out on it, but it had existed in the code for almost two years before anyone who cared and was capable of understanding the code apparently noticed. Version 7.0.8 is the release that took it out. ElvUI Shadow and Light took their version out a couple of days after. I have not looked into other possible variants of ElvUI.
What could this backdoor do?
As per the image below, ElvUI's backdoor allowed the developers (or anyone who could hijack the addon) to execute any Lua code they wanted in your WoW session. Basically, anything an addon could do, the developer could make your WoW client do by sending it a message, even though the addon's advertised capabilities were otherwise fixed and known. It literally took a message sent by someone, checked whether the sender was the developer, converted the message into code at runtime, and executed it, as per the second blue code block below:
Source: http://i.imgur.com/WYVJplW.png. loadstring is a Lua API that takes a string and compiles it into a function, which the code assigns to func; later in the same block that function is run (func()).
However, I did make a video showing some of the capabilities.
So, to recap: to be potentially affected by a backdoor like the one ElvUI had, you need only be somewhere an addon message can reach you, that is, on the same server, in the same raid or group, or in a coalesced cross-realm zone (anything that lets addons communicate "cross-server"). None of those is individually required; you don't need to share a guild, a raid, or even a continent with the attacker.
Some of the things that could be done include, but are not limited to:
- Dismounting you
- Disabling your addons on next UI reload (the attacker needs to know the name of the addon)
- Adding or removing people from your in-game friends list, or ignore list
- Toggle your At-War factions to make them hostile to you
- Deleting your macros
- Creating/Editing macros and binding them to whatever key the attacker wants
- Forcing you to leave your party (including LFR/LFD, incurring the deserter debuff)
- Deleting your equipped gear
- Grabbing your friend data, including Battle.net tags and associated character
- Force your WoW client to quit with no confirmation
Things that could also potentially be done (where I think the theory is sound but I haven't checked it): kicking characters from guilds; disbanding guilds; forcing other parties to open a trade window, put something in it, and accept; mailing gold away at an open mailbox (to your server only); getting your Battle.net tag.
I'm sure there's more, but I'll admit that my imagination is sometimes lacking.
Well, someone else told me that it could only do chat commands, so it can't be that bad.
Actually, one of the chat commands you can execute is /script, which--surprise!--lets you run arbitrary Lua code. So even if it could only cause you to perform chat commands--which is incorrect--it wouldn't matter, because we'd be back to square one: someone using the backdoor to execute arbitrary Lua code on your machine.
I trust Elv, he never used it for anything malicious!
There are reports (unsubstantiated but numerous) of events where folks in a raid would /follow one of the devs, or start posting things in chat like, "this is elv". Besides the creep factor of your character moving under someone else's control, even briefly, or the implications of impersonation (imagine if the author had made you say things blatantly offensive, or a bannable offense), different people have different definitions of "malicious" when it comes to character control.
However, even if you trust the authors, if there was a bug in that whitelisting code, someone else could hijack the addon and execute whatever they like. Turns out the code has exactly such a bug.
Notice that the whitelist contains the character name and server, but it does NOT mention the continent (region). So if the authors are on North American servers and an EU realm with the same name exists, someone could create characters with the same name on that EU server and hijack the code. Or if they're EU, vice versa.
The authors could also end up renaming their characters, moving to another server, deleting their characters, etc. and if someone else grabbed those names on those servers, they could also hijack the addon capability. They could also get hacked, and have their account no longer under their control.
The important thing here is that even if you trust the author, the fact the capability exists at all is potentially harmful.
It was put in as a developer tool, it's important for them to get debugging information.
If you want telemetry, or the ability to execute specific commands remotely, build that as specific, narrowly scoped code rather than taking what is at best the lazy way out and opening a giant hole in your program. You should also tell the people installing your product what capabilities of that kind exist, so they can make an informed decision about whether to install your addon.
Remote arbitrary code execution is the BIGGEST security bug a piece of software can have, and to deliberately code it into your addon is extremely irresponsible, if not outright unethical. Granted, in the sandboxed environment that is WoW's addon API, it's a lot less dangerous than the ones you typically hear about: you can't lose your account (though you could end up disclosing your BNet tag), and they can't just throw away your gold (but they can throw away your equipment!). There's a snowball's chance in hell that it could end up breaking out of WoW's addon sandbox--but I'll never say impossible. There are many, many people out there who are far more clever at this than I am.
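To make the mechanism concrete, here is an added illustration in plain Lua (it is not ElvUI's code, and every name in it is made up): the message-handler pattern described in the screenshot, the name-and-realm whitelist that cannot tell two regions apart, and the purpose-built command table recommended above as the alternative. The WoW API (RegisterAddonMessagePrefix, the CHAT_MSG_ADDON event, SendAddonMessage) is stood in for by a small local deliver function so the file runs outside the game; "EXAMPLEUI", "Somedev-Somerealm" and the command names are assumptions.

```lua
-- Added illustration for this post; it is not ElvUI's code. The WoW API
-- (RegisterAddonMessagePrefix, the CHAT_MSG_ADDON event, SendAddonMessage)
-- is replaced by a tiny local "deliver" function so the file runs under plain
-- Lua 5.1 or later outside the game. Every name below is made up.
local compile = loadstring or load   -- loadstring in 5.1 (what WoW ships), load in 5.2+

-- Whitelist in the style the post describes: character name and realm, nothing
-- about the region. "Somedev-Somerealm" is an assumed name, not a real author.
local DEV_WHITELIST = { ["Somedev-Somerealm"] = true }

-- Stand-in for everything the addon is allowed to touch. Deliberately a global,
-- so code compiled from a message can reach it exactly as it could reach the
-- real addon's tables and the WoW API.
game = { mounted = true, macros = { "Heal", "Pull" }, log = {} }

-- Arguments in CHAT_MSG_ADDON order: prefix, message, channel, sender.
-- The game never tells the handler which region the sender is in, so the
-- envelope's "region" field below is simply never seen by either handler.
local function deliver(handler, envelope)
  return handler(envelope.prefix, envelope.message, envelope.channel, envelope.sender)
end

----------------------------------------------------------------------------
-- 1. The backdoor pattern: trust a sender string, then compile and run the
--    message body. Anything the addon can do, the sender can now do.
----------------------------------------------------------------------------
local function backdoorHandler(prefix, message, channel, sender)
  if prefix ~= "EXAMPLEUI" or not DEV_WHITELIST[sender] then return false end
  local func, err = compile(message)   -- string -> function, as in the screenshot
  if not func then return false, err end
  return pcall(func)                   -- run it with the addon's privileges
end

----------------------------------------------------------------------------
-- 2. A purpose-built debug channel instead: a fixed table of named commands
--    with parsed arguments. Unknown commands are dropped, never compiled.
----------------------------------------------------------------------------
local COMMANDS = {
  version = function() return "EXAMPLEUI 1.0" end,          -- assumed version string
  ping    = function(arg) return "pong " .. (arg or "") end,
}

local function dispatchHandler(prefix, message, channel, sender)
  if prefix ~= "EXAMPLEUI" or not DEV_WHITELIST[sender] then return nil end
  local name, arg = message:match("^(%a+)%s*(.*)$")
  local cmd = name and COMMANDS[name]
  if not cmd then return "ignored: " .. tostring(name) end
  return cmd(arg ~= "" and arg or nil)
end

----------------------------------------------------------------------------
-- Walk through the scenarios from the post.
----------------------------------------------------------------------------
-- a) The listed developer sends code: dismounts you and deletes a macro.
deliver(backdoorHandler, { prefix = "EXAMPLEUI", channel = "RAID",
  sender = "Somedev-Somerealm",
  message = "game.mounted = false; table.remove(game.macros, 1)" })
print("mounted:", game.mounted, "macros left:", #game.macros)

-- b) A random raider sends the same thing: the name check stops it.
deliver(backdoorHandler, { prefix = "EXAMPLEUI", channel = "RAID",
  sender = "Stranger-Somerealm", message = "game.mounted = true" })
print("mounted after stranger:", game.mounted)

-- c) The hijack from the post: someone on the other region's realm of the same
--    name rolls a character called Somedev. The sender string is identical and
--    the region is not part of it, so the whitelist cannot tell them apart.
deliver(backdoorHandler, { prefix = "EXAMPLEUI", channel = "RAID",
  sender = "Somedev-Somerealm", region = "EU",
  message = "game.log[#game.log + 1] = 'hijacked: ' .. table.concat(game.macros, ',')" })
print("log:", game.log[1])

-- d) The same messages against the command table: only known commands run.
print(dispatchHandler("EXAMPLEUI", "version", "RAID", "Somedev-Somerealm"))
print(dispatchHandler("EXAMPLEUI", "game.mounted = true", "RAID", "Somedev-Somerealm"))
print(dispatchHandler("EXAMPLEUI", "version", "RAID", "Stranger-Somerealm"))
```

Run it with any stand-alone Lua interpreter. Scenario (a) dismounts the simulated character and removes a macro, (b) is rejected by the name check, (c) goes through because the impersonator's sender string matches the whitelist entry exactly, and (d) shows the dispatch version answering the named command while refusing to compile anything else. The design difference is the whole point of the post: the command table bounds what a remote party can do to the listed verbs, whereas loadstring bounds it to the addon's entire sandbox.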
But any addon could do this!
This is technically true, which is why only installing things that you trust is important. Ostensibly, if you installed ElvUI, you trusted the authors previously. For some folks, the fact that they put in an undisclosed backdoor that allows them to do what they please (and potentially others if they hijack the addon or their character) is the breaking point for their trust.
Responsible developers don't open giant holes on your machine. Addons are software, no different from installing an app on your iPad or a program on your PC. Once you've installed that software, you have to trust that it won't do things like gather and report valuable information, or screw with your settings.
But the important distinction here is that the backdoor that was in ElvUI could be hijacked by another party to do whatever that party likes within the addon environment. Your trust in the authors of ElvUI becomes immaterial at that point.
I'll be honest, I build my own UI generally by cobbling together addons instead of using addon packs like ElvUI, so the only horse I have in this race is developer integrity. But frankly, as a professional software developer this backdoor absolutely appalls me, and the completely cavalier attitude the authors have around this event scares me. If anyone on my software projects ever created such a backdoor in a released-to-public product intentionally I would fire them so fast their head would spin.
If you still don't think this is a big deal after all of this, well, I'll probably never convince you unless someone actually exercised this functionality on you. But hey, it's your characters and your own risk assessment.