Under the Surface of Azeroth:
A Network Baseline and Security Analysis
of Blizzard's World of Warcraft


Section 3: A Security Analysis of World of Warcraft

As with many popular Internet attractions, World of Warcraft has been faced with a number of in-game issues and offline security concerns. Blizzard has used both legal and technological means to help address a number of these issues for their end users.


Selling Virtual Money
With over nine million subscribers, World of Warcraft has attracted a number of cottage industries that aren't directly part of the game, but instead exist to indirectly provide resources to players. Unfortunately, many of these companies are providing products and services that are a violation of World of Warcraft's terms of service.

Some of these out-of-bounds businesses are related to the acquisition of gold, which is the currency used inside the World of Warcraft universe. These companies acquire gold and then sell it for real-world currency outside of the World of Warcraft game universe. After this real-world transaction, the gold is then transferred to the gamer inside the World of Warcraft realm.

These activities negatively affect the overall gameplay experience for everyone, and Blizzard has been diligent about removing these organizations. They've also made changes to the gaming environment that limit these companies' ability to operate, such as providing additional spam administration and gold transfer limitations.

The "more honest" gold sellers (who still violate the terms of service) use their own gameplay to acquire gold, just like any other World of Warcraft player. However, gold scammers have recently been found going a step further: they obtain a World of Warcraft account name and password by planting a keylogger or spyware on the player's system. This malicious software is usually introduced through a Trojan horse email attachment, and it leaks the private account information. Once the bad guys have the account information, they loot the "stolen" characters and transfer their gold to other accounts.

Social engineering techniques are also used to coax account names and passwords out of unsuspecting users. Since many World of Warcraft gamers are relatively young, these scam artists prey on their inexperience and lack of knowledge. To remind users of their responsibility to protect their own account, one of the World of Warcraft startup tips states that Blizzard employees will never ask for a password.


The World of Warcraft Client Paradox
Some of the World of Warcraft client's built-in functionality deserves special consideration from security administrators. Because the World of Warcraft client resides on the local hard drive, many cheaters use third-party applications to manipulate or alter the local gameplay experience. For example, some third-party programs will move an in-game character around an area automatically and fight monsters to accumulate experience points without any end-user intervention. These third-party programs are clearly a violation of the terms of service, but how can Blizzard manage something outside of their control?

Blizzard has answered this issue by changing the playing field so that the execution of third-party applications falls within their visibility. Blizzard has built anti-cheating mechanisms into their client software that examine the computer and gaming environment for suspicious activity, and your agreement to this monitoring is written into their terms of use:

From Section 14, Acknowledgements:

-----
You hereby acknowledge and agree that:

A. "WHEN RUNNING, THE PROGRAM MAY MONITOR YOUR COMPUTER'S RANDOM ACCESS
MEMORY (RAM) AND/OR CPU PROCESSES FOR UNAUTHORIZED THIRD PARTY PROGRAMS
RUNNING CONCURRENTLY WITH WORLD OF WARCRAFT."

[snip]

IN THE EVENT THAT THE PROGRAM DETECTS AN UNAUTHORIZED THIRD PARTY PROGRAM,
BLIZZARD MAY (a) COMMUNICATE INFORMATION BACK TO BLIZZARD, INCLUDING
WITHOUT LIMITATION YOUR ACCOUNT NAME, DETAILS ABOUT THE UNAUTHORIZED THIRD
PARTY PROGRAM DETECTED, AND THE TIME AND DATE THE UNAUTHORIZED THIRD PARTY
PROGRAM WAS DETECTED;

[snip]

B. "WHEN THE PROGRAM IS RUNNING, BLIZZARD MAY OBTAIN CERTAIN IDENTIFICATION
INFORMATION ABOUT YOUR COMPUTER AND ITS OPERATING SYSTEM, INCLUDING WITHOUT
LIMITATION YOUR HARD DRIVES, CENTRAL PROCESSING UNIT, IP ADDRESS(ES) AND
OPERATING SYSTEM(S), FOR PURPOSES OF IMPROVING THE PROGRAM AND/OR THE
SERVICE, AND TO POLICE AND ENFORCE THE PROVISIONS OF THIS AGREEMENT AND THE
EULA."
-----

The bad guys built software that looked into the internals of World of Warcraft, so Blizzard updated their software to look into the internals of the cheater's software. This will certainly be an ongoing battle as the two sides look for an advantage over each other, but the security administrator can ignore the infighting altogether and simply block the entire war from ever entering their network.

There's no reason to believe that the information that Blizzard collects is harmful, but a security administrator understands that it's impossible to know exactly what information Blizzard might see on a remote computer. For many large organizations, the data stored on a computer system is often private or proprietary. The World of Warcraft Terms of Service clearly state that some information will be transferred to Blizzard, so many security administrators have no other choice but to disallow World of Warcraft activity on their local computers and through their network.

What about the home user? If important corporate information is at risk, isn't important personal information also at risk? The answer is yes, but the owner of the home computer usually has more control over what information can be seen. Unfortunately, the home user often doesn't have the knowledge necessary to properly secure their important information. For example, few home users use programs such as TrueCrypt to keep sections of their hard drive encrypted and private.