I have it on good authority that a good deal of issues received by the Blizzard customer support folks happen because of good people clicking bad links and hackers taking advantage of people who just don't know any better. This isn't a blame game column, but rather a look at the practices and perils of an aspect of addons that presents a danger. We'll hopefully shed some light on the subject, to protect people from malicious attacks on their accounts.
People can assume that addons are safe when they potentially aren't. We're a trusting bunch, especially of something so integrated into the World of Warcraft communities. And for the most part, people are right -- addons can be a very safe and very rewarding part of the World of Warcraft experience. The problem is that the people who want to gain control of your account information know that you and I think like this, and they do their best to knock you off guard.
This might not be a popular article. It's not a popular topic, because addon auto-updaters are popular in the community and, in fact, provide a pretty awesome service when it works and keeps people safe. The information, however, is still something you should be aware of.
What is an auto-updater?
In a nutshell, an addon auto-updater is a program that can find a new version of your addon and automatically install that addon into your World of Warcraft interface directory. Some addons or services use a piece of software that may or may not contain HTML, Flash ads, or other types of code that are potentially harmful. Some of these pieces of code are easily made malicious or could already contain some sort of malware or spyware.
When an addon is updated, the auto-updater program goes out, picks up the new files, and runs its own program to place those files into your WoW interface directory, thus automatically updating your addons. It is convenient, especially for someone who wants a click interface for what many consider to be a clumsy task of installing addons. I am in that camp as well -- installing addons is clumsy.
The issue with auto-updaters is that you don't know what files are being put into your interface folder or what programs are being run. Some auto-updaters contain Flash ads or other HTML that could be running malicious malware or spyware aimed at grabbing your information. Usually, it's not the auto-updater's fault -- most of the time, it doesn't control the advertisements that get sent over to the Flash box living in its programs or even have complete control over what addons get distributed through the network. These aren't the easiest things in the world to detect. Despite this, the potential for hacking goes up when you use an auto-updater because of added exposure to the outside world.
"I've been using it for years!"
One common objection I hear from people about account security, addons, and auto-updaters is that they've been using the updater for years, and it hasn't gotten them hacked yet. The problem with that argument of time-tested strength is that it doesn't take into account the fact that at any time, new code could be downloaded and placed into your WoW
directory. Addons keep changing, new people get infected, and hackers get even more crafty in their methods.
Hackers upload infected versions of addons that might not get caught during the first round of downloads on many popular auto-updaters. Sure, they get found and deleted, but those first few unlucky souls do still bear the brunt of the problems.
Anti-virus applications are not the answer
Many anti-virus programs don't catch malware, spyware, and the types of keylogging programs found in these infected addons. Norton AV, for instance, is more of a business-type anti-virus solution, and it doesn't do a great job weeding out the personal infection stuff that hackers like to stick in addon packs.Google links and searches
This isn't even a matter for discussion -- don't click on Google-sponsored links for addon searches or any links to non-known sources for addons. Hackers know the popularity of addons and are more than welcome to game search terms to find a way onto your system. Some auto-updaters in the past have fallen prey to exactly these problems; looking for one fairly safe auto-updater leads you to something that was engineered from the ground up to take your account information.The solution
The solution to avoiding auto-updater issues is not merely to drop your auto-updater or to chastise the people who make them. Rather, the fight should be for safety and security in the World of Warcraft
addon world. I write a lot about addons and the addon community, and these are all good people who deserve your patronage and kind words. The last thing any of them want is for their own creations to be compromised or sullied by an insecure auto-updater making them look bad, especially in the eyes of Blizzard (which is fielding the phone calls from infected players).
Instead, the solutions are to demand a safer playground and to use your own judgment and internet savvy to prevent yourself from infection. Manually installing addons can help a great deal in that sphere, and it's easier than you think. You get to see the files that you are installing and can quickly check for executable files that might live inside an unknown addon's folder. Check out Addons 101
for a quick guide on manually installing addons.
- Download addons only from trusted sites like WoWInterface, and from Curse.
- Do not click any links about addons or auto-updaters that lead to sites that you do not know.
- Be smart -- if it sounds too good to be true, it probably is.
Curse has contacted us and let us know that their system is based on Microsoft technologies, making their addon updater safer. We highly recommend using theirs, or another trusted source like Wowinterface. Don't just use anything you find on the internet, and always have an authenticator.
This column is for entertainment only; if you need legal advice, contact a lawyer. For comments or general questions about law or for The Lawbringer, contact Mat at firstname.lastname@example.org.