I was alarmed to read quite a sensational headline on WoW.com yesterday: “Security flaw allows addons to expose full real life names without user permission.” After familiarizing myself with the issue, I am not at all concerned.
The issue is that if you have RealID enabled, it is possible for interface scripts, and therefore addons, to obtain the name associated with your Battle.net account (your “real name”). The script that was used as a proof of concept used the fact that all players with RealID are friends of themselves to query the list of your Battle.net friends and then send a Battle.net tell to yourself. The chatlog then contains “whisper from/to [your name]” and can be obtained. As an example, try this script by Katinka in the official WoW forums:
/run for i=1,100 do if BNIsSelf(i)then BNSendWhisper(i,”RealID whisper from yourself..”);break end end
The idea is that players could potentially install a bad addon that uses this method to obtain your name. Your name could then potentially be sent to other players. However, due to the sandboxing in WoW interface coding, there is no way your name could leave the game.
This sort of thing has always been possible. There is information you might not want other people to know that addons have access to, like your friends list. A bad addon could potentially tell everyone who your friends are, or how much you play, or when you last played, etc. The fact that your real name is now accessible to addons that you choose to install is a small addition. I bet that it is also possible to obtain the email addresses associated with your account. Some rogue addon could potentially get the email addresses of you and all your friends and attempt to contact gold spammers.
Here are three big reasons why this whole “security issue” is not a big deal:
- You can disable RealID and avoid this if you think it is a problem. Enable parental controls. If you don’t like the changes, don’t use them.
- WoW addons are not compiled and generally are open source. You can view the code, and if any major addon attempted to behave badly, they would be found out pretty quickly.
- Players choose the addons to install. They are software, and any software could potentially be malicious. Spoiler alert: you can install programs on Windows and other OSes that will record every keystroke you make and send this data to a third party.
I think that WoW.com was irresponsible and sensationalist in their reporting on this topic. And unfortunately, this information has subsequently been recirculated around the WoW community without a full and complete explanation.
The post makes it sound as if it is an issue that addons can find you and your friends’ names. It was a feature added in 3.3.5 for increased player community; it should be expected that your interface can see this data in order to show it to you. The post made it seem as if other non-friended players could obtain your name; this only occurs if you add them as a RealID friend, and this is well-known and documented by Blizzard. There is no “security flaw,” the “permission” is adding someone as a friend or using a malicious addon (which could have mined user information for the last five years), and there is likely not going to be a “fix” to this non-existent problem.