Backdoors

[Resike]

Run into this earlier today:

http://www.reddit.com/r/wow/comments..._to_remove_it/

What do you guys think about addons with such functions?

[SDPhantom]

I made a personal addon with pretty much the same functions as the backdoor. It allows a remote user to run code on the local machine. As a security measure, it requires the local user to activate it by creating a password the remote user needs to enter in order to start issuing commands.

I only made it as a proof of concept and it worked. As much hacking as I've done using the addon channel, I know there are a lot of ways vulnerabilities can be manifest. This can be anywhere from injecting fake data into the DamageMeters sync routine or spamming Tongues with translation requests in order to retrieve the last typed message.

To answer the question, I wouldn't put any debug code in a full release version of an addon. Exposing a user to remote administration is a can of worms I really don't want to open unless necessary and for as brief of a window as possible.

[Cairenn]

There is a reason why we have a rule against them on the site. Any addon found having such will be removed from the site until such time as the malicious (and yes, we view it as malicious) code is removed. Along with an apology made. And as long as Blizzard is okay with it being re-allowed.

Easter eggs are fine as long as:

• They are off by default
• They are clearly stated as being in there with the option for users to turn them on if the user wishes to do so.

Period.

[Duugu]

Well, that's not the first time I'm wondering why loadstring is still available.
I mean, it's hard to find any legal use for it, and they've resticted so many less hazardous stuff over the years ... but this is still there. *shrug*

As in case of ElvUI I really can't see a positive reason at all.
If the developer didn't care about leaving the code in the release version, then it was poor.
If the developer somehow 'forgot' that there was such code, then it was careless
If the code was intentionally there, then the developer is somewhere between risky and criminal.

Poor, careless, risky, or criminal ... any way you look at it its still bad.

[Phanx]

Originally Posted by Duugu Well, that's not the first time I'm wondering why loadstring is still available. I mean, it's hard to find any legal use for it, and they've resticted so many less hazardous stuff over the years ... but this is still there. *shrug*

Any addon that lets the user input arbitrary code to execute is using loadstring -- custom scripts in kgPanels, custom tags in PitBull, possibly stuff in WeakAuras, etc.

[Torhal]

Originally Posted by Phanx Any addon that lets the user input arbitrary code to execute is using loadstring -- custom scripts in kgPanels, custom tags in PitBull, possibly stuff in WeakAuras, etc.

Not to mention several libraries which need to do this for dispatching.

[Resike]

It seems like that code was there intentionally, since there are multiple reports about it beeing used. But even if the dev never even used in the malocious way only for harmless pranks, it's still very risky and bad.
The fact no one noticed this in he code nearly over 2 years proves it. Personally i would never put something like this into a release state addon, but not even into the alpha ones without noticing the user.

[Duugu]

Not to mention several libraries which need to do this for dispatching.

Any addon that lets the user input arbitrary code to execute is using loadstring -- custom scripts in kgPanels, custom tags in PitBull, possibly stuff in WeakAuras, etc.

Ja, ok. That seems to be legal. ;D Thanks.