PSA: WeakAuras scamming is a thing again

#1 - Jan. 17, 2016, 8:02 p.m.
Blizzard Post
EDIT: Someone posted the link to my thread on the WoW reddit as well and it's made the front page. I didn't think to do this myself, or I would have - but it's good to know that this is being more widely known - there's even a sticky on reddit about this as well. I appreciate everyone's support, and hopefully this also helps get Blizzard's attention on this matter, if there is indeed something on Blizzard's end that needs to be done to stop this thing from happening at all, in any add-on.

EDIT2: The author of the add-on is now aware of this exploit, and I believe is trying to figure out how to fix this, but it's not as easy as it seems. I believe he has the scripts people are using, so hopefully he can find a solution. Let's continue to raise awareness until this is fixed, and I will let everyone know in this thread if I hear any more news.

EDIT3: I've received some corrections to parts of my post, which I have edited in. I am open to constructive feedback, and if you have something you think should be changed, please say so.

EDIT4: WeakAuras has just recently been updated, with the description that some trade functions have been blocked. However, this doesn't mean that another way around this can't be found, so please be aware of this, and still be careful who you're importing scripts from. Ornyx responded on this thread as I'm sure you can all see, and I imagine he will keep us updated on the status of what Blizzard is doing about this.

Well, the thread that was on the front page last night isn't there now, so I want to get word out to as many people as possible. Scamming with WeakAuras is a scam once again, and if you don't know how it works, it's not as difficult as you might think.

WeakAuras is an add-on that allows users to write and save their own custom scripts when they create what is called an Aura - these scripts will execute the commands they're given (if the Blizzard API allows them to) when that Aura loads, or when it runs. The add-on also allows users to share their Auras with each other, by linking the Aura - like you would an item in-game, the code is condensed into this link, and when you click on it, you can import it. This add-on is widely used for raiding. Currently, what the Blizzard API allows is allowing malicious players to scam people - they will link you an Aura they've created in-game - you're not downloading anything from any external site. This Aura, if loaded by you - will force you to trade the scammer all of your gold if a trade is initiated, regardless of whether it is you or the scammer who initiates the trade. You won't see a trade screen. You won't get to click a button to confirm it. All you will hear is the sound of coins, and your gold will be gone.

While you are required to run the Aura yourself to begin with, it is very easy for the scammer to trick you into doing so, for what you may believe to be a good reason. As I don't use WeakAuras, I'm unsure if you have to choose to load it as well after importing it, but the author of WeakAuras has said on reddit that some code will execute even if you choose not to run the script.

Don't trust an Aura from ANYONE that you do not trust explicitly - even if it's some guy in trade chat who just wants someone to help him with his WeakAuras - that's a very common way to scam people. I want to get word out to as many people as possible - tell your guildies - tell your friends - I don't want to see anybody get scammed by this - this is something that so many people don't even realise is possible - so the more awareness that exists for this, the better.
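
The mitigation mentioned in EDIT4 (blocking some functions for imported scripts) can be pictured with the sketch below, an added example that is not part of the original post and is not WeakAuras' own code. It targets Lua 5.1, the version the WoW client embeds; `UnitHealthDemo` and `TransferGoldDemo` are hypothetical stand-ins, not real game API functions, and the sample scripts are constructed.

```lua
-- Stand-in for the client's global API table; every name here is hypothetical.
local api = {
  UnitHealthDemo   = function() return 100 end,                   -- harmless read
  TransferGoldDemo = function(n) return "transferred " .. n end,  -- sensitive action
}

-- Deny-list: the sensitive call plus the usual routes back to the real globals.
local blocked = {
  TransferGoldDemo = true,
  _G = true, getfenv = true, setfenv = true, loadstring = true, load = true,
}

-- Environment handed to imported code: lookups reach the API unless the name is blocked.
local function make_env()
  return setmetatable({}, {
    __index = function(_, key)
      if blocked[key] then
        return function() error("blocked call: " .. key, 2) end
      end
      return api[key]
    end,
  })
end

-- Compile untrusted source text so that its globals resolve through `env` only.
local function compile(src, env)
  if setfenv then                        -- Lua 5.1
    local fn, err = loadstring(src, "aura")
    if not fn then return nil, err end
    return setfenv(fn, env)
  end
  return load(src, "aura", "t", env)     -- Lua 5.2 and later
end

-- Run an imported script; returns pcall's status plus the result or error message.
local function run_untrusted(src)
  local fn, err = compile(src, make_env())
  if not fn then return false, err end
  return pcall(fn)
end

-- Constructed sample scripts standing in for imported auras.
print(run_untrusted("return UnitHealthDemo()"))        -- allowed: harmless read
print(run_untrusted("return TransferGoldDemo(5000)"))  -- refused: name is on the deny-list
```

A deny-list like this only stops the names someone thought to list, which is why the caution in EDIT4 about importing only from people you trust still applies after such an update.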
Community Manager
#171 - Jan. 20, 2016, 2:28 a.m.
Blizzard Post
Thanks for the information and patience, everyone. We’ve gotten word that an update to WeakAuras will be going out tonight, and should resolve this issue. Until then, we recommend that you disable this AddOn to avoid this issue entirely.

We have plans in place to rectify this type of situation in the future by adding an extra step of security for all gold transfers.

---

We would like to reiterate, once again, that while the use of AddOns is permitted, they are not directly supported by us, and, as such, you should always be wary before downloading anything, or, in this case, importing any script.

If you believe you were affected by someone using this method please report it via a ticket to our Customer Service team here: https://us.battle.net/support/en/help/

In that ticket, please include the realm and name of your character and specify what happened. Our Customer Service team will be able to investigate the matter and take what actions are deemed appropriate.

In the future, please avoid discussing and theorizing about possible exploits on the forums. This can lead to more people getting out there and "testing" the exploit, which can lead to more players being affected. If you encounter a possible exploit, please report it to our hacks team as soon as possible: http://us.blizzard.com/en-us/submit/hacks.html