Surprise! A Security Flaw in Real ID!

File under, “That didn’t take long!” is reporting that there is a security flaw in Real ID that allows addons to expose your information to… well… anybody.  It is all up to the addon.

I expect to hear this story repeated again and again because some part of Blizzard, the part that wants you to expose your information, does not strike me as very interested in security.

Again, as I said in my previous post on the subject, the whole Real ID things seems to go completely against the grain of what I am told is Blizzard’s biggest problem, account security.

When you are fighting a battle to keep your customers from having their accounts hacked and looted, something I am going to guess costs them more money than, say, forum moderation, proposing a system that exposes more information about your users doesn’t seem to be the best plan.

Anyway, I’ve turned on parental controls for my own account and dis-allowed Real ID.

Now I just have to hope there isn’t a flaw in that…

11 thoughts on “Surprise! A Security Flaw in Real ID!

  1. Percy

    Keep in mind that you personally have to download and install (a compromised?) add-on for your name to be exposed. So its not THAT scary yet =O.


  2. Stabs

    This seems to be quite widely misunderstood. People have said things like “so what, it spams my name in trade chat or something?”

    A more insidious way of using it would be to send details of RealID to outside companies. Marketing agencies, hackers, gold sellers would all like to have thousands of WoW players details.

    What you see could be something apparently completely benign while all this occurs in the background.

    Do we know yet whether addons can access all the Real IDs on your friends list?


  3. Saithir

    Stabs – /sigh. It seems you’re misunderstanding how this works.

    Yes, if YOU yourself download and install a malicious addon, it could access a) your name, b) your friends names and friends of friends names. No emails, though, and no character names for FoF. It could also “whisper” it to someone on the same server. No sending stuff to the internet without whispering it to some character, that person saving and posting it. And yes, normally you wouldn’t know that it’s happening.

    The point is that YOU have to have such nasty addon, this absolutely cannot happen remotely without you having malicious code on your hard drive. And now the good question is… WHY would you? And why would thousands of players have it?

    Also, this security flaw is fixed by this addon – – made by the creator of Pitbull UI, so pretty safe to use. In addition to blocking, it also warns you if some addon tries to use the flaw.


  4. Wilhelm2451 Post author

    @Saithir –

    And a return /sigh, as you seem to assume that people either don’t download random addons to try them or that they will somehow innately know that a addon is somehow malicious. Somebody could quite easily copy the functionality of another addon, exploit the security hole, and post it as a new and improved way to do something. People would download it.

    I’m glad somebody has a fix, though how you get the word out about that is about on the same level as how you get the word out that there is a flaw in the first place.

    And the point is, now there is a security flaw we know of, and it is only a big deal because Blizz is pushing this Real ID thing.

    The whole Real ID policy is simply contrary to the security needs and concerns of their customers and you cannot convince me otherwise.


  5. Saithir

    Yes, I realize that people in general are stupid and will do stupid stuff like you say. However, I am still convinced that it’s exactly the same as it is with viruses and keyloggers – it’s your pc, and you’re the one responsible for your pc’s safety.

    If you know that the new addons can be dangerous, you won’t exactly go and try out new ones blindly, would you? If you don’t have the knowledge to know if an addon contains malicious code, it’s better to be on a safe side and not download it at all. Yes, nobody is born with the power of knowing which addon is good or bad, but that’s what you have well known addon sites and comments on them.

    That’s why the /sigh at Stabs, because really, what the people need are not comments about scary things. They do need to know that there’s a flaw, okay, and they need a fix for this flaw, or a way to protect themselves. Or at least a sticky note on a monitor telling “don’t download addons that you don’t know”.

    I’m also annoyed with’s post, as it’s all fear and no fix mentioned at all. At least they’ve bolded the “only use trusted addons” bit.

    It makes me wonder if anyone would make this security flaw this big of a deal if not for the Blizzard’s forum announcement.

    And about the whole thing, I won’t comment on that or try to convince you either way, don’t worry.


  6. Reatu Krentor

    Saithir – “Yes, if YOU yourself download and install a malicious addon, it could access a) your name, b) your friends names and friends of friends names. ”
    I’m more worried about the b) part.
    It just takes one of your friends(or your friend’s friends)to be naive enough to install a malicious mod to have your information out there? How is having a secure PC gonna help against that?

    Now for another thing:
    I was just looking into this from a Euro standpoint and looked up their terms on sharing privacy info. But since I’m no legal(ese) expert I can’t be sure, but I think what they’re trying to do is against European policies regarding privacy. At least when I look at the current terms of service.
    It mentions the Data Protection Directive(Directive 95/46/EC) ; in my interpretation seems to state they can’t release information without express permission.
    Anyone who is a legalese expert could maybe dig further.

    PS. On continuing to look for more info I noticed that the eu site privacy policy doesn’t mention RealID anywhere(it hasn’t been updated since 2008). (

    PPS. And isn’t it completely mental, advising parents to tell their kids not to reveal their real names only to have Blizzard plaster adult’s names all over the interwebs.
    I’m beginning to think the signal to noise ratio is gonna go all the way to noise with this rather then their predicted outcome of civilized discussion. Only the trolls and naive people who don’t care about their name being out there are gonna continue posting.


  7. Bhagpuss

    I was wondering about the EU Privacy laws myself. There was some mention on Tobold’s blog about the possible breach of the U.K. Data Protection Act but having had a browse through it I can’t see that just a name would cause a breach. My guess is that one’s name can’t, in itself, be regarded as private data, but I imagine context will figure. If one’s image can be regarded as “private”, as it can in some contexts, then maybe a case can be made for a name.

    I don’t play WoW any more and with this going on I’m not likely to, but one thing that’s slightly worrying me is the possible knock-on effect of account hacking. I believe dormant accounts get hacked all the time, so isn’t it possible that people who haven’t played WoW in years could find their real name all over the WoW forums?

    Thinking about it, one thing that does surprise me is that Blizzard are able to keep the data on ex-customers from the U.K. at all. The Data Protection Act. Principle 5 of The Act reads:

    “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”

    If I am no longer playing WoW, how do they justify retaining my personal details? If I request that Blizzard completely remove all of my pesrsonal data as I am no longer subscribing to their service, do they have a process to make that happen?


  8. Wilhelm2451 Post author

    @Bhag – I am going to guess, and this is only a guess, that Blizzard could make a reasonable case for retaining your personal information by showing how subscribers behave. They cancel their accounts then come back again later with the expectation of having their accounts, characters, and the like intact and ready for reactivation. It happens all the time.

    Blizzard can say that they are, in fact, protecting something that the consumer is very likely to consider an asset that has monetary value. And to do that they have to keep track of who owns said asset.

    I am going to guess, again, that if you called up Blizzard and insisted that you wanted your account wiped completely, that they would, eventually, do that for you. Otherwise, you’ve left something of value in their possession and they need to keep track of to whom it belongs.

    Or such is my theory.

    That Blizzard has a hard time actually protecting said assets is another story.


  9. Reatu Krentor

    @Bhagpuss Anything that can identify a person is considered private data. According to the european data protection directive.

    According to the privacy policy you can request them to remove any information they have on you, but that does mean losing everything attached to that account.


  10. Bhagpuss

    Thanks for the info. That’s about what I figured. While the RealID thing is in remission I won’t be asking Blizzard to delete all my data, characters included. Who knows, I might even re-sub for Cataclysm, although it’s not looking like a priority now that FFXIV came up with that surprise early launch date.

    If, as I somewhat expect, Blizzard try to reintroduce the whole “use your real name” thing when the fuss has died down onlywith a little more subtlety next time, then I think I might find I could manage quite well without my characters since I wouldn’t then ever be playing the game again in any case.


  11. Jemima Aslana

    If Blizzard wants to force its users to use their real names, then they need to be able to protect their users from people who would abuse those real names.

    See, in meatspace when I’m harassed by someone I can get a restraining order. In WoW there are too many stories of nothing being done about harassment. And now, not only that, but now the cyber-harasser can also get access to your real name, and with a name it’s quite easy to find an address. And that is friggin scary.

    I thought I might yet be interested in playing the game, but now? Not so much. I prefer to not have random Jerky McAsshat know where to find me in case I do not sufficiently live up to his expectations of female gamers. Which I usually don’t.


Comments are closed.