July 8, 2010

RealID is a Real Threat

Posted in News, The Player Behind the Toon at 7:59 am by Aduial of WrA

I know I’m probably coming fairly late into this party, but I wasn’t going to torture anyone with trying to write up a post while I was half-zonked out, so eventually I managed to pull myself away from watching the train wreck that is Blizzard’s latest announcements to get some sleep.

Now, I know that there are already hundreds of posts about their RealID-on-the-forums change, and I’ll get to that, but first I’m going to talk about something that I’ve seen getting thrown under the wagon a bit by said change.

Apparently, there is a huge flaw with RealID in the game: if you have it enabled at all (just deleting your friends won’t deal with this, either; my friends have had to say they’re their own parents just to turn on parental controls and disable this feature), anyone smart enough to run a piece of code, or who uses any of a certain number of addons, can have your full name shown to them, without your knowledge and without your permission.

This is not a joke. This is real. And it’s a real problem.

For anyone who didn’t click that last link or doesn’t want to bother going through to find what he’s talking about, here’s a direct link to the quoted post. And I’m going to quote it for good measure.

This isn’t the only interesting news to come out today.

http://www.wow.com/2010/06/security-flaw-allows-addons-to-expose-full-real-life-names-witho/

Apparently there are a select few addons you can use to find out people’s names NOW, before the forum conversion.

Step 1: Get a trial account, and an addon that lets you use this exploit in the aforementioned article.

Step 2: Go to Google and get the person’s information that would normally be needed for billing support (i.e., address, phone number, etc.)

Step 3: Call Blizzard billing and tell them you lost your login information.

Step 4: Attempt to log in, find out that they have an authenticator.

Step 5: Call Billing again, give them the billing information again and ask them to take the authenticator off the account.

Step 6: Log in.

Step 7: ??????????

Step 8: Profit!

Now, I can’t vouch for how easy it’d be to get an authenticator removed, but realistically how many people out there have one attached, still? Not a horribly large amount, I’m sure. I also know if you are polite enough and have all the information you need off the account, Blizz can and will bend over backwards at times, because I’ve witnessed it with my own eyes. That rule about not being able to transfer toons between accounts with different names? Doesn’t always stand, for example. Of course, there was a good reason for it to be done in the case I’d been witness to, but to the best of my knowledge they had no corroboration that the caller was telling the truth and couldn’t get such, and how many would-be hackers can come up with a decent, plausible lie in the spur of the moment? I’d imagine quite a large number likely could.

I know this method has also been used. I linked one case above, our raid assist who got hacked not that long ago, though we finally did get our stuff back in about a week. He’d been fairly careful with his information and such, and while he didn’t have the authenticator yet, the most plausible way it happened is the one above. The same goes for Ithraen.

And yes, Ithraen, our main tank and our raid leader, got hacked while he was on vacation. He hadn’t even been online in 5 days. He found out because he gets email notifications on his phone, and he apparently got banned out of nowhere for 72 hours for money trading. Again, he hadn’t been on, hadn’t had time to get on, and didn’t have a wifi connection to get on… He, too, had been careful. His screwup that allowed him to get hacked? He had RealID turned on.

So that’s two people, out of the relatively small number of people I talk to regularly, that I know have been hacked, and this is the most likely way they were hacked; needless to say, the rest of us have already turned off RealID via parental controls.

For anyone who doesn’t think this is really possible… Yes, yes, it is. You really can get all that information from just someone’s name. People have already done it. Bashiok, a blue, gave out his name in what I understand was a good faith measure, that it wouldn’t give away anything… Only to have his privacy severely violated. There’s a post floating around where someone just picked a random name from credits and found out a lot about him. My friend had me search to see how much and of what I could pull up about them from going on just their name, and while my googlefu skills are decent, they aren’t the best. I pulled up everything I needed to stalk them, just about everything I needed to impersonate them to Blizzard, and if I’d paid just a few dollars I could’ve had what was needed to steal their identity. I could do it with another friend–who has been careful to safeguard all of his information–just because his family is on the internet and not as safe as him about their information.

How many people have a friend or family member or old classmate or even a teacher through the years who knows something about them? How many of them have ever been on the internet, or have had photos posted, or have facebooks, or something? If that number is even one, then the chances are high that there is information online about you, whether you post it or not, that can usually be found for free. Even if it can’t be found for free, it all can be bought.

Now, if all of that can be done from only your name through a flaw in game, where there’s only a limited number of people who can see it, even with the addon… How much bigger is that window of risk when it involves anyone who searches the new Blizzard forums (which are public)? And as those ads always say… Do you know who is searching for you?

This is not paranoia. This is real. This is a threat. All of those comments on the forums, from the few people I’ve seen supporting the RealID change, one of their biggest arguments is “you’re not that important.” Sure. Maybe you aren’t. To them.

Our raid assist wasn’t important to many people but us. He wasn’t even the kind to make any enemies, even if Ithraen is. He’s been a victim. Ithraen’s been a victim. Hell, I’m a nobody and I’ve been stalked twice through my years playing WoW for reasons I don’t even know and probably couldn’t grasp.

You don’t have to be important. You just have to be there and you can be a target.

This is all aside from the fact that it is all too easy to be important to someone. You don’t have to be important to the world to be a target. You just have to be a target for one person. This would be a good time for a link to that Counterstrike story. The person who stabbed the other in a game wasn’t terribly important… But that one act, that one moment, made him important to someone. And that someone decided to track this person down and seek revenge, for that stabbing in a game, by stabbing them in real life.

For the other comments, no, it doesn’t have to be everyone. I don’t think much of anyone’s thinking that the whole of World of Warcraft will be slaughtered by one person who dislikes PvP, or something. But it doesn’t have to be. Just one person is more than enough… One single person is too much.

So, obviously, this is a threat. Even just the security flaw in game, while only now used for hackers, is a threat, and now Blizzard is trying to carry over this threat from the people on your server to everyone capable of using the internet. You can turn a blind eye all you want, bury your head in the sand… but it doesn’t make it go away. If an 18-wheeler is barreling down the road and you’re standing in the middle of said road, it doesn’t matter if you close your eyes and pretend you’re in the middle of a forest, that 18-wheeler is still there and still coming straight at you. You still need to get the heck out of its way whether you pretend it’s not there or not, because that doesn’t change reality. And if that 18-wheeler manages to stop before it hits you, that doesn’t mean you should advocate that everyone should stand in the middle of the road instead of getting out of the way, because while you may be lucky… That doesn’t mean everyone is.

And now it’s time for me to link, because there are so many aspects to all of this I don’t even know where I’d start on my own, and I’d probably just mangle their pretty wording.

Why would Blizzard do something like this? Perhaps Korean law is behind it.

Maybe it’s just another thing to add to the list of their history and another peg on BNet 2.0.

Well, here’s Hitler’s take on it all.

Here’s something on it from WoW Insider.

World of Matticus talks about it in a rational, if somewhat disagreeable at points, manner.

Here’s a post over at Big Bear Butt that I rather like on it.

Another post over at Empowered Fire that I liked and agree with.

Here’s a post at Broken Toys about it, and he does us the service of linking in said post to his previous post on RealID when it first came out, which is a good though longer read than this 2-liner.

There was a rumor that while we would have our names shown, Blizzard in fact would not, and here WoW Insider gets some facts on that.

Here’s a Spinksville post on it all. Aaand here’s another, with a ton of links from things she’s found herself.

And finally here’s a post from good ol’ Chastity on it over at Righteous Orbs, and this is actually the first post I read about all of this going down.


2 Comments »

  1. [...] Read this post about why RealID is currently a security threat because of the flaw that exposes your real name to people via addons!  If you want to disable it [...]

  2. [...] started on forums, was reported by wow.com, and by the time you blink it’s all over the bloody place. I’ve even seen this one in one place I would never expect it – on Tobold’s [...]
