I was alarmed to read quite a sensational headline on WoW.com yesterday: “Security flaw allows addons to expose full real life names without user permission.” After familiarizing myself with the issue, I am not at all concerned.
The issue is that if you have RealID enabled, it is possible for interface scripts, and therefore addons, to obtain the name associated with your Battle.net account (your “real name”). The proof-of-concept script relies on the fact that every player with RealID is a friend of themselves: it queries the list of your Battle.net friends and then sends a Battle.net tell to yourself. The chat log then contains “whisper from/to [your name]”, and the name can be read from it. As an example, try this script by Katinka in the official WoW forums:
/run for i=1,100 do if BNIsSelf(i)then BNSendWhisper(i,"RealID whisper from yourself..");break end end
The concern is that you could install a bad addon that uses this method to obtain your name, and that your name could then be sent to other players. However, due to the sandboxing in WoW interface coding, there is no way your name could leave the game.
This sort of thing has always been possible. Addons have access to information you might not want other people to know, like your friends list. A bad addon could potentially tell everyone who your friends are, or how much you play, or when you last played, etc. The fact that your real name is now accessible to addons that you choose to install is a small addition. I bet that it is also possible to obtain the email addresses associated with your account. Some rogue addon could potentially get your email address and those of all your friends and attempt to contact gold spammers.
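Since the exposure depends on the addons you choose to install, here is an added example (not part of the original post or of any Blizzard tooling) that audits an addon's Lua source and lists every reference to a Battle.net API name such as the `BNIsSelf` and `BNSendWhisper` calls used above. Selecting names by the `BN` prefix, the file names and the sample sources are assumptions constructed for illustration.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path line name")

# Lua string literals (kept) or comments (blanked). Strings are matched first
# so that a "--" inside a string is not mistaken for the start of a comment.
_LUA_TOKEN = re.compile(
    r'"(?:\\.|[^"\\\n])*"'
    r"|'(?:\\.|[^'\\\n])*'"
    r"|--\[(=*)\[.*?\]\1\]"      # block comment: --[[ ... ]] or --[=[ ... ]=]
    r"|--[^\n]*",                # line comment
    re.DOTALL,
)
# Assumption: Battle.net API globals are recognised by their "BN" prefix.
_BN_NAME = re.compile(r"\bBN[A-Z]\w*")


def strip_comments(source):
    """Remove Lua comments but keep newlines so line numbers stay correct."""
    def blank(match):
        text = match.group(0)
        if text.startswith("--"):
            return "\n" * text.count("\n")
        return text  # string literal: left in place, names in it still count
    return _LUA_TOKEN.sub(blank, source)


def scan_addon(files):
    """files maps a path to Lua source; returns BN* references outside comments."""
    findings = []
    for path, source in sorted(files.items()):
        for lineno, line in enumerate(strip_comments(source).split("\n"), 1):
            for match in _BN_NAME.finditer(line):
                findings.append(Finding(path, lineno, match.group(0)))
    return findings


# Constructed sample addons (hypothetical names), embedded so this runs offline.
SAMPLE_ADDON = {
    "Suspect/core.lua": "-- constructed sample\nfor i=1,100 do\n"
                        "  if BNIsSelf(i) then\n"
                        '    BNSendWhisper(i, "RealID whisper from yourself..")\n'
                        "    break\n  end\nend\n",
    "Harmless/core.lua": "--[[ this addon never calls\n     BNSendWhisper ]]\n"
                         "print('-- loaded')\n",
}

if __name__ == "__main__":
    for f in scan_addon(SAMPLE_ADDON):
        print(f"{f.path}:{f.line}: references {f.name}")
```

A hit is a prompt to read that part of the addon, not proof of bad intent, since legitimate social addons also use these functions.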
Here are three big reasons why this whole “security issue” is not a big deal:






