RealID Security Issues are Overblown

I was alarmed to read quite a sensational headline on WoW.com yesterday: “Security flaw allows addons to expose full real life names without user permission.” After familiarizing myself with the issue, I am not at all concerned.

The issue is that if you have RealID enabled, it is possible for interface scripts, and therefore addons, to obtain the name associated with your Battle.net account (your “real name”). The script that was used as a proof of concept used the fact that all players with RealID are friends of themselves to query the list of your Battle.net friends and then send a Battle.net tell to yourself. The chatlog then contains “whisper from/to [your name]” and can be obtained. As an example, try this script by Katinka in the official WoW forums:

/run for i=1,100 do if BNIsSelf(i) then BNSendWhisper(i,"RealID whisper from yourself..");break end end

The idea is that players could potentially install a bad addon that uses this method to obtain your name. Your name could then potentially be sent to other players. However, due to the sandboxing in WoW interface coding, there is no way your name could leave the game.

This sort of thing has always been possible. There is information you might not want other people to know that addons have access to, like your friends list. A bad addon could potentially tell everyone who your friends are, or how much you play, or when you last played, etc. The fact that your real name is now accessible to addons that you choose to install is a small addition. I bet that it is also possible to obtain the email addresses associated with your account. Some rogue addon could potentially get the email addresses of you and all your friends and attempt to contact gold spammers.

Here are three big reasons why this whole “security issue” is not a big deal:

  1. You can disable RealID and avoid this if you think it is a problem. Enable parental controls. If you don’t like the changes, don’t use them.
  2. WoW addons are not compiled and generally are open source. You can view the code, and if any major addon attempted to behave badly, it would be found out pretty quickly.
  3. Players choose the addons to install. They are software, and any software could potentially be malicious. Spoiler alert: you can install programs on Windows and other OSes that will record every keystroke you make and send this data to a third party.
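Point 2 can be partly automated. The following is an added example, not code from the original post or from Blizzard: a small Python audit that flags addon folders whose Lua source both reads RealID data and can send text to other players. `BNIsSelf` and `BNSendWhisper` come from the script above; the other function names and the sample sources are assumptions made for illustration.

```python
import re
from pathlib import Path

# BNIsSelf and BNSendWhisper come from the script above; the other names are
# assumptions about which API calls read friend data or send text to players.
READ_FUNCS = {"BNIsSelf", "BNGetFriendInfo", "BNGetNumFriends"}
SEND_FUNCS = {"BNSendWhisper", "SendChatMessage", "SendAddonMessage"}

# Comments and quoted strings; matching strings too keeps "--" inside a string
# from being mistaken for the start of a comment.
_TOKEN = re.compile(
    r"--\[\[.*?\]\]|--[^\n]*"
    r'|"(?:\\.|[^"\\\n])*"'
    r"|'(?:\\.|[^'\\\n])*'", re.S)

def strip_comments(src):
    """Remove Lua comments, leave string literals in place."""
    return _TOKEN.sub(lambda m: " " if m.group().startswith("--") else m.group(), src)

def load_addons(root):
    """Read every .lua file under an AddOns folder into {relative_path: source}."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_text(errors="replace")
            for p in root.rglob("*.lua")}

def audit(files):
    """Group files by addon folder; return {addon: (reads, sends)}."""
    found = {}
    for path, src in files.items():
        names = set(re.findall(r"[A-Za-z_]\w*", strip_comments(src)))
        reads, sends = found.setdefault(path.split("/")[0], (set(), set()))
        reads |= names & READ_FUNCS
        sends |= names & SEND_FUNCS
    return {a: (sorted(r), sorted(s)) for a, (r, s) in found.items() if r or s}

def needs_review(report):
    """Addons that both read RealID data and can send text: read these by hand."""
    return sorted(a for a, (r, s) in report.items() if r and s)

# Constructed sample sources, not taken from any real addon.
SAMPLE = {
    "FriendFrameSkin/core.lua": "for i = 1, BNGetNumFriends() do local id = BNGetFriendInfo(i) end\n",
    "DamageMeter/meter.lua": '-- never calls BNSendWhisper\nSendAddonMessage("DM", "sync", "RAID")\n',
    "ShinyBags/init.lua": "local w = BNSendWhisper\n",
    "ShinyBags/util.lua": 'local s = "-- not a comment" if BNIsSelf(1) then end\n',
}

if __name__ == "__main__":
    print(needs_review(audit(SAMPLE)))
```

Matching on names is conservative but not complete: a function name assembled at runtime will not be seen, so a flagged addon still needs a manual read and a clean result is not proof.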

I think that WoW.com was irresponsible and sensationalist in their reporting on this topic. And unfortunately, this information has subsequently been recirculated around the WoW community without a full and complete explanation.

The post makes it sound as if it is an issue that addons can find your and your friends’ names. It was a feature added in 3.3.5 for increased player community; it should be expected that your interface can see this data in order to show it to you. The post made it seem as if other non-friended players could obtain your name; this only occurs if you add them as a RealID friend, and this is well-known and documented by Blizzard. There is no “security flaw”; the “permission” is adding someone as a friend or using a malicious addon (which could have mined user information for the last five years), and there is likely not going to be a “fix” to this non-existent problem.

5 Comments

  1. The Real problem is people have been going NUTS over at the WoW forums on the new Real ID changes coming.

    It’s Gone up to 1250 Posts In One Day! (and it’s still growing by 3 each minute O_o)

  2. WoW.com has never been a source for very reliable information. I had honestly never heard of this ‘issue’.

    The real issue, as Nextgener said, is Blizzard wanting to release our information to the public on the forums (with RealID being required in game coming soon after no doubt).

    This is a step too far, and I may honestly be officially done with everything Activision-Blizzard. Luckily I currently don’t have any of their products on pre-order so I won’t need to deal with any of that crap of getting my money back. There are a dozen MMOs out there that will be happy to have my $15 (or less) a month and they won’t be releasing my real name to anyone.

    Blizzard has turned down a dark road, and I won’t follow them down it.

  3. Does Blizzard want to sell our information? I would imagine not. Do Bobby Kotick and Activision want to sell our information in order to tap a vast targeted advertising moneypool? Yes, by his own admission.

    @Heartbourne. Perhaps sir, it didn’t occur to you that it’s not the fact that our information revealed by this ‘security leak via Real ID’ can be taken from Blizzard’s databases. It’s the fact that some schmoe out there with a pen and paper can write a person’s REAL name he’s taken via said leak down on a piece of paper and use it for possibly nefarious purposes.

    As far as us ‘tinfoil’ hats being crazy and overblown? I’ve seen your videos on a previous website sir. You look fairly young. Perhaps maybe HS/College age. Once you mature a bit and stop with the name calling, you too will find out that employers who might otherwise employ you won’t due to the perceived stigma of being ‘a gamer’.

  4. @Highwayman

    Let’s calm down a bit before attacking each other, ok?

    There have been lawsuits in the past because of employers who turn down prospective employees because of playing MMOs because it classifies as discrimination. I’m not sure if laws have been passed, but very few do it anymore unless it’s big name corporations.

    I believe iTZKooPA had posted on it back on Project Lore when it happened a year or so ago.

Comments are closed.