6,174,105 Downloads Last Updated: Sep 30, 2012 Game Version: 5.0.5

How To Avoid Getting Your Account Stolen

  • AddOns don't require you to install or run anything, aside from whatever program you use to extract their files. Don't ever run anything you find inside an archive.
  • Make sure your web browser is up to date. Bugs can be exploited to install things on your computer without any confirmation or acknowledgment.
  • If a web page asks you to install anything, don't. The only two extra things a web page might legitimately need are JavaScript and Flash, which you more than likely already have.
  • Make sure the virus definitions for your virus scanner are up to date, and scan the files you download with a virus scanner.
  • If you're connected directly to the internet, make sure you have a firewall of some kind. If you have a router or other device that does network address translation, these often work well in place of a firewall, since people on the internet trying to connect to your computer will end up connecting to the router instead, unless you set up DMZ or port forwarding.
  • These files are often found inside AddOns, and should be completely safe:
    • toc, xml, lua: These files contain text which you can view in a text editor, and are instructions for your WoW Client to interpret. They are executed by Warcraft in a sandbox environment, and so shouldn't be able to do anything dangerous.
    • tga, blp: These are 2D images.
    • m2: These are 3D models, although they're sometimes used for 2D things like arrows because it makes rotation easier.
    • wav, mp3: These are sound files.
    • avi: Video. Believe it or not, AddOns can play video, although it's extremely rare.
    • txt: This is text intended to be read by humans. Likely you or other AddOn developers.
  • If you find any other types of files, then you should be suspicious. The following files in particular have the potential to damage your computer, steal your account information, or get you banned for making modifications to the game client outside of the interface provided by Blizzard:
    • exe, com, bat, ocx, sys, src, msi, lnk, pif, sh, reg, shs, vb, vbs, and many others.
    • Depending on how Explorer is set up, file extensions might be hidden from you.
    • Be careful of filenames that contain lots of spaces. People sometimes name files such as 'file.txt        .exe' in order to trick people into thinking the file is safe. If you see '...' in a filename, then you should avoid trying to open it, it might have been intentionally made longer than could be displayed in order to hide its extension.
    • Don't trust file icons. Executables and shortcuts can have arbitrary icons, and use those icons to make a file look like something safe when it isn't.
    • pif and lnk files are shortcuts and their extensions are generally always hidden by Explorer. You might see the extensions inside an archiving utility or in the name of an email attachment, but have them magically disappear once saved on your computer. As they can have arbitrary icons and be named pretty much anything, all hope of correctly guessing what the file is or does by looking at it goes out the window.
  • Don't follow links you receive in email, as the text displayed in the message doesn't have to match what its actually linking to. Type the address yourself or search for the site using Google.
  • If you're not using your own computer, don't use it for anything that requires a login. Simply browsing the web is fine. Don't check your email from it, as you can't be sure it doesn't have a key logger, and it would be quite bad if somebody got a hold of your email account, as the passwords of most services are reset using email verification.
  • Even if you are using your own computer, don't trust publicly available internet access points in places like hotels, airports, internet cafes, and libraries. With things like ARP spoofing, custom DNS servers, and transparent HTTP proxies, there really is no guarantee that you're viewing the pages you think you are. Even if it hasn't been altered, packets on a LAN can generally be seen by every computer on it, and HTTP doesn't use any encryption at all, so anyone can see the passwords you use.
  • Don't use the same password for playing Warcraft as you do on internet websites. Especially websites related to Warcraft. If the people running the site aren't trust worthy, or their user database gets stolen, or somebody is watching your network traffic, it's likely to be used trying to login into your account.
  • Secure websites, which have URLs beginning with 'https://', such as the login page for the official World of Warcraft site, are only secure if you verify the site's certificate, otherwise someone can make their own and pretend to the that site. Your browser should warn you if the certificate of a site you've visited in the past has changed. Don't ignore this warning! If someone pretends to be the website you're connecting to, you'll get their certificate instead (hence it appearing to change) and they'll be able to see anything you send or receive.
  • Secure websites are only as secure as whoever or whatever is on the other end. You can use a secure connection to tell a serial killer where you live and feel confident that nobody else saw it (unless someone was looking over yours or his shoulder, or he tells his buddies), but it shouldn't make you any more confident that you'll still be alive in the morning.
  • Use the 'Remember Account Name' option of Warcraft. If you don't type your account name, it can't be recorded by a keylogger.
  • If your password can be found in a dictionary, then change it. Using 'password' as your password isn't clever, it's stupid.

So, some people claim that their accounts got hacked while using QuestHelper. In the interest of security, assuming I can be trusted, QuestHelper 0.45 includes a detached PGP/GPG signature, so you can make sure the file you downloaded is actually the file I uploaded, and hasn't been screwed with along the way. Hooray!

  • The signature is detached and is in a separate file. This way people that can't be bothered to verify the file can still use it as normal without needing any extra software.
  • The key I (smariot) signed it with is here, its ID is D95A5472. I can't actually prove that I am who I claim I am, so you'll just have to take it on faith.
  • This is only a guarantee against intentional malice. Accidents still happen.
  • To verify a file using gpg on the command line:
    • To verify the file with gpg, get my key by downloading it from a keyserver: gpg --recv-keys D95A5472
    • Then verify the file with the command: gpg --verify <filename>.sig
    • gpg should say something along the lines of 'Good signature from "Tyson Brown <>"', along with a warning saying that the signature isn't certified, since nobody you trust has signed my key.


Posts Quoted: