Sunday, October 19, 2014

[WoW] Just How Much Damage Could a Backdoor in an Addon Do?

Recently it was made known that ElvUI--a very popular UI addon suite--had in it something known as a "backdoor". A large number of people have been pooh-poohing folks over being concerned over this capability: The authors never intended to use it maliciously (for various definitions of malicious), and the code was whitelisted to only specific developers. I want to talk about how the developer's intentions don't matter and how much damage such a backdoor could possibly do to your character.

What is a backdoor?
A backdoor is something that allows someone, sometimes a developer, to issue commands to retrieve information from or execute commands on a client machine. Backdoors are generally malicious, though occasionally a backdoor created for debugging purposes will escape into the wild because the developers forgot to remove it.

Does ElvUI still have this backdoor?
Not as of October 19th, 2014. In ElvUI's case, the backdoor was removed once they were called out on it, but it had existed in the code for almost two years before anyone who cared and were capable of understanding the code apparently noticed. Version 7.0.8 is when it was taken out. ElvUI Shadow and Light took their version out a couple days after. I have not looked into other possible variants of ElvUI.

What could this backdoor do?
As per the image below, ElvUI's backdoor allowed the developers (or anyone who could hijack the addon) to execute any LUA code they wanted in your WoW session. Basically, anything an addon could do, the developer could send a message to your WoW client running this addon to execute, even though the addon had otherwise known/solidifed capabilities. It literally took a message sent by someone, checked if it was the developer, converted it into code at runtime, and executed it, as per the second blue code block below:

Source:; loadstring is a LUA API that takes a string and compiles it, labeling the method as func. Later that block the code is run (func()).
This weekend I decided this was an interesting enough problem and sat down, learned LUA, and built an addon that emulated just the ElvUI backdoor. I won't be releasing the code (unless Blizzard wants it), but the fact that I threw this together in about 7 hours of work (including building attack strings) knowing little to nothing about addon development, frankly it would be trivial to reproduce.

However, I did make a video showing some of the capabilities.

So, to recap, to be potentially affected if someone had a backdoor like the one ElvUI had, you need only be on the same server, raid, or coalesced zone (something that would allow addons to communicate "cross-server"). There's no requirement to be in the same guild, nor the same raid, or the same continent even.

Some of the things that could be done includes, but is not limited to:
  • Dismounting you
  • Disabling your addons on next UI reload (the attacker needs to know the name of the addon)
  • Adding or removing people from your in-game friends list, or ignore list
  • Toggle your At-War factions to make them hostile to you
  • Deleting your macros
  • Creating/Editing macros and binding them to whatever key the attacker wants
  • Forcing you to leave your party (including LFR/LFD, incurring the deserter debuff)
  • Deleting your equipped gear
  • Grabbing your friend data, including tags and associated character
  • Force your WoW client to quit with no confirmation
There's plenty of other functionality that's theoretically possible, but I didn't get around to trying/testing because of the effort involved, but frankly that above list should be sufficient. 

Things that also potentially include (where I think theory is sound but I haven't checked it): kicking characters from guilds; disbanding guilds; forcing other parties to open a trade window, put something in it, and accept; Mail gold away at an open mailbox (to your server only); getting your tag.

I'm sure there's more, but I'll admit that my imagination is sometimes lacking.

Well, someone else told me that it could only do chat commands, so it can't be that bad.
Actually, one of the chat commands you can execute is /script, which--surprise!--lets you run arbitrary LUA code. So even if it could only cause you to perform chat commands--which is incorrect--it doesn't matter, because we're back to square one of someone using the backdoor to execute arbitrary LUA code on your machine.

I trust Elv, he never used it for anything malicious!
There are reports (unsubstantiated but numerous) of events where folks in a raid would /follow one of the devs, or start posting things in chat like, "this is elv". Besides the creep factor of your character moving under someone else's control, even briefly, or the implications of impersonation (imagine if the author had made you say things blatantly offensive, or a bannable offense), different people have different definitions of "malicious" when it comes to character control.

However, even if you trust the authors, if there was a bug in that whitelisting code, someone else could hijack the addon and execute whatever they like. Turns out the code has exactly such a bug.

Notice that the whitelist contains the server and author, but notice that it does NOT mention what continent. So if the authors are from the North America servers, someone could create characters with the same name on EU servers and hijack the code. Or if they're EU, vice versa.

The authors could also end up renaming their characters, moving to another server, deleting their characters, etc. and if someone else grabbed those names on those servers, they could also hijack the addon capability. They could also get hacked, and have their account no longer under their control.

The important thing here is that even if you trust the author, the fact the capability exists at all is potentially harmful.

It was put in as a developer tool, it's important for them to get debugging information.
If you want things like telemetry, or the ability to execute specific commands, you should build that code specifically rather than taking what is at best the lazy way out and just opening a giant hole in your program. You should also let the folks installing your product know what capabilities like that exist so they can make an informed decision about whether to install your addon.

Remote arbitrary code execution is the BIGGEST security bug a piece of software could ever have, and to deliberately code it into your addon is extremely irresponsible, if not outright unethical. Granted, in the sandboxed environment that makes up WoW, it's certainly a lot less dangerous than ones you typically hear about. You can't lose your account (though you could potentially end up communicating your BNet tag), and they can't just throw out gold (but they can throw out equipment!). There's a snowball's chance in hell that it could end up breaking out of WoW's addon sandbox--but I'll never say impossible. There are many, many people out there who are far more clever at this than I am.

But any addon could do this!
This is technically true, which is why only installing things that you trust is important. Ostensibly, if you installed ElvUI, you trusted the authors previously. For some folks, the fact that they put in an undisclosed backdoor that allows them to do what they please (and potentially others if they hijack the addon or their character) is the breaking point for their trust.

Responsible developers don't open giant holes on your machine. Addons are software; no different than installing an app on your iPad or a program on your PC. Once you've installed that software, you have to trust that it won't do things like gather and report out valuable information, or screw with your settings.

But the important distinction here is that the backdoor that was in ElvUI could be hijacked by another party to do whatever that party likes within the addon environment. Your trust in the authors of ElvUI becomes immaterial at that point.

I'll be honest, I build my own UI generally by cobbling together addons instead of using addon packs like ElvUI, so the only horse I have in this race is developer integrity. But frankly, as a professional software developer this backdoor absolutely appalls me, and the completely cavalier attitude the authors have around this event scares me. If anyone on my software projects ever created such a backdoor in a released-to-public product intentionally I would fire them so fast their head would spin.

If you still don't think this is a big deal after all of this, well, I'll probably never convince you unless someone actually exercised this functionality on you. But hey, it's your characters and your own risk assessment.
#WoW, #Security


  1. That was a pretty powerful demonstration you got there Talarian. Good stuff! I wonder what Blizzard would do if there was a rampant use of such things like an all out hacking war. Given that a level 1 character is just as dangerous as a max level I would think they'd close up their free to play trial segments?

    1. That level 1 character was on an account I bought for this purpose. Chat commands are limited for trial accounts; you can't contact someone unless they've contacted you first. I believe addon traffic is also limited thusly.

      As well, I don't believe addons can communicate cross faction, so it's not like you'll be in a battleground,realize that your opponent is running this addon with a backdoor and strip them of their equipment.

  2. Have to admit though, one of the things that turned me off WoW was the allowing of mods to begin with. In my mind, using any mod - even one that just rearranges your screen or changes a color of something, should be a banable offense. That's just me of course. Blizzard kept the doors open and now I'm can't help but grin a little at this issue.

    Fortunately for them, I doubt there are as many smart cookies as you playing it - and only a percentage of those that are would be malicious I would think.

    Can you imagine if griefers just started piling in to delete all items of high levs? Even hiding in the high level zones (away from noobs) doesn't make you safe since all it takes is one high level "spotter".

    1. I think mods are extremely helpful and valuable. As with any code, they can do bad things so as always it comes down to:

      Do you think the developer is ethical/trustworthy? Do you think the developer is competent? Even competent developers make mistakes. Bugs happens, but intent does make up part of that trust equation.

      Frankly, I think the vast majority addon developers are good people. Probably a terrible assumption for someone who's security-concious, but the truth of the matter is the folks who write Recount, or DBM, or any number of other addons are probably only doing so because they like being helpful and like having those tools available.

      I highly doubt any such Mad Max-esque chaos will occur because of this capability. And note that not just anybody can exploit this, it's not something that's inherent to every addon. It *could* be, but that window has to be opened by the addon developer, and as I mention, most addon developers would not do that.

    2. "Have to admit though, one of the things that turned me off WoW was the allowing of mods to begin with. In my mind, using any mod - even one that just rearranges your screen or changes a color of something, should be a banable offense."

      And why in the world is that? In Vanilla WoW, you couldn't see enemy health without an add-on -- and I don't just mean raw numbers, you couldn't even see the percent. Had to try to guess it from the green bar. Why would an add-on showing the health of the player in numerical format be ban worthy?

      In general, Talarian, fascinating stuff. Thanks for taking the time to do this.

    3. Thanks Balkoth! It was actually a lot of fun. Finally got to check the "Make a WoW addon" task off my checklist. :D

    4. @Balkoth - in that example it sounds to me that mod gives you an advantage in being to accurately tell the HP of an opponent over a player not using the mod. I prefer games that enforce a level playing field, not just shrug and let the players out mod each other letting the best "hacker" (regardless of how encouraged it is) have the advantage.

      Just my personal preference.

  3. I'm not very happy about this at ALL. I had JUST returned to the game and JUST set up ElvUI how I like it. I agree that it is not worth the risk and am looking for an alternative, although finding the time to set up multiple addons is difficult.

    1. Yeah, this has completely killed any possibility of me ever throwing money at the dev, but the idea of redoing my UI across several characters fills me with existential dread.

    2. The funny/ironic part of this is even with the backdoor removed, chances are ElvUI's code will have more scrutiny than ever before.

    3. I am now monitoring all ElvUI changes and will post on reddit if I see anything weird again.

  4. I thought I'd check back in here since I found a great ElvUI replacement. It's Supervillain UI. What it lacks in customization (there are very few customization options missing) it makes up for in pure style.