
Thread: Security Updates

  1. #1

    Security Updates

    We brought the site down temporarily to patch up a potential security hole that was discovered earlier. Although we caught it very quickly and don't believe anything was transmitted that would put our viewers at risk, it's certainly not a bad idea to run a quick scan on your system to be sure. There's lots of great information regarding account and PC security in the WoW Account Security thread located in our Tech Central forums.

    Everything should be up and running properly again now, apologies for the short delay!

  2. #2
    Join Date
    Dec 2008
    Posts
    13
    I would highly recommend removing all sorts of fancy implementations you folks have across this server until you guys figure out the security concerns associated with them.

    Earlier there was the shoutbox issue and it was explained pretty well and I felt like you handled it pretty well.

    You say that we should do a quick scan of our machines, but what in the world are we looking for?

    I am a competent IT hardware/software guy and these shadowy statements about some security issue that might maybe have been exploited says to me:

    1) You folks need better logs on access so you know what kinds of transmissions, activities would lead to being hacked and/or exploited.

    2) You folks need to be more transparent about what the issue is.

    This is troubling!

  3. #3
    Join Date
    Dec 2006
    Location
    Tacoma, Wa
    Posts
    8,766
    Quote Originally Posted by Verminoth View Post
    I would highly recommend removing all sorts of fancy implementations you folks have across this server until you guys figure out the security concerns associated with them.
    Could you clarify what you mean? If you're suggesting we lock down modifications to vBulletin and other non-essential software on the site, this has already been done.


    Quote Originally Posted by Verminoth View Post
    You say that we should do a quick scan of our machines, but what in the world are we looking for?
    Viruses and malware of any sort. Exactly what an everyday PC user would scan their computer for.

    Quote Originally Posted by Verminoth View Post
    I am a competent IT hardware/software guy and these shadowy statements about some security issue that might maybe have been exploited says to me:

    1) You folks need better logs on access so you know what kinds of transmissions, activities would lead to being hacked and/or exploited.

    2) You folks need to be more transparent about what the issue is.

    This is troubling!
    In general we don't like talking about issues until we are 100% sure that we have resolved the security issue on our end.

    In this case, we believe we're dealing with a security issue in vbSEO, which handles all URL rewriting across the site. It is as essential to the operation of the site as vBulletin itself. The security issue is one of SQL injection, which as a general rule is a database issue on our end rather than a public issue. However, this is an exploit that is directed at inserting an iframe into the footer template code of vBulletin.

    This is the symptom we're catching and solving as quickly as possible. Anyone who has seen a popup asking about 'header.jpeg' from a url that looks like imageshack saw the added iframe, but we believe would only have seen further issues if they actually went to the url in question.

    As for cutting out the underlying issue, we are moving quickly but are at a point where the next big step is going to involve several new software packages (vb4, etc), which means it is not something we can snap our fingers and have done. We would like to have it done in the next couple days. Until then, we have 4 administrators available to immediately shut down any injection attempts.


    Doing exactly what Lore posted is good practice. Scan your machines. In other words, run a virus check, etc., as listed in the thread linked in the news post. That's good advice at any time regardless of how severe or minor the issue is.
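The symptom described in the post above, an iframe appearing in the vBulletin footer template after a SQL injection, can be checked for by scanning stored template HTML for embeds that load from hosts the site does not use. This is an added example, not code from TankSpot, vBulletin or vbSEO; the template names, the allow-list and the sample rows are constructed, and exporting the templates from the database is assumed to have been done already.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags that make the visitor's browser fetch and render or run remote content.
ACTIVE_TAGS = {"iframe", "script", "object", "embed"}


class _EmbedCollector(HTMLParser):
    """Collects (tag, url, line) for every active tag that names a source."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:
            return
        attrs = dict(attrs)
        url = attrs.get("src") or attrs.get("data")  # <object> uses data=
        if url:
            self.found.append((tag, url.strip(), self.getpos()[0]))


def find_foreign_embeds(templates, allowed_hosts):
    """Return (template, line, tag, host) for embeds served from unknown hosts.

    templates: dict of template name -> stored HTML (constructed input here).
    allowed_hosts: lowercase hostnames the site legitimately loads from.
    Relative URLs have no host and are treated as same-site.
    """
    findings = []
    for name, html in sorted(templates.items()):
        parser = _EmbedCollector()
        parser.feed(html)
        parser.close()
        for tag, url, line in parser.found:
            host = (urlsplit(url).hostname or "").lower()
            if host and host not in allowed_hosts:
                findings.append((name, line, tag, host))
    return findings


# Constructed sample rows standing in for an export of the template table.
SAMPLE_TEMPLATES = {
    "header": '<script src="/clientscript/vbulletin_global.js"></script>\n'
              '<div id="logo">$vboptions[bbtitle]</div>',
    "footer": '<div class="smallfont">$vbphrase[powered_by_vbulletin]</div>\n'
              '<iframe src="http://img.example.invalid/header.jpeg" width="1" height="1"></iframe>',
}

if __name__ == "__main__":
    for hit in find_foreign_embeds(SAMPLE_TEMPLATES, {"forum.example.invalid"}):
        print("unexpected embed:", hit)
```

Run on a schedule against a fresh export, a non-empty result is the signal to take the template offline and restore it from a known-good copy.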

  4. #4
    Join Date
    Dec 2008
    Posts
    13
    Thanks Cider, you pretty much answered everything. Thank you for the attention to detail and quick response. :-)

  5. #5
    Join Date
    May 2008
    Location
    Ottawa, ON, Canada
    Posts
    7,442
    oh noez, tankspot is infecting mah pcz!

    (Good job on reporting this for us, appreciated!)

    Tankspot Moderator
    Twitter: Follow me on Twitter! @Krenian

    "Damnit!" - Jack Bauer, 24


  6. #6
    Join Date
    Aug 2008
    Location
    Hawaii
    Posts
    941
    Lore the hackers stole my bike >_<

    True Knowledge exists in knowing that you know nothing.
    Agg's tanking guide

  7. #7
    Join Date
    Oct 2007
    Location
    Illinois
    Posts
    1,632
    About a year ago I clicked an Imageshack link in the UI forums to check out someone's UI picture. It gave me a very nasty virus that basically destroyed my computer. The issue was partly my fault for having a very bad anti-virus program at the time. However, I have known many people who have reported virus activity through Imageshack.

    I would urge people not to use that site and post pictures by uploading them to tankspot directly and then posting them that way. I would also recommend that people not click Imageshack links that take them out of tankspot.

    Tankspot I feel is safe, Imageshack IMO is not.
    There is something so appealing about backhanding someone across the face with a shield.

  8. #8
    Join Date
    Jan 2010
    Posts
    1
    While I can't guarantee it (though this and Curse were the only sites out of the ordinary I visited recently), I seem to have gotten myself a Trojan (filename was TROJ_PIDIEF.SMM for those it might help find) and my character is having fun mining in Wintergrasp now while I can't access my account due to a new Authenticator on it. So anyone discarding the warning to scan, I'd advise you to check anyway. *Goes back to waiting for call centre to not be busy*

  9. #9
    Join Date
    Jan 2008
    Location
    Honolulu, HI
    Posts
    8
    Part of the problem is ads. Even the Google Ad Service is not immune to this issue (although they are somewhat reputable, they have too many clients to keep track of and thus are constantly targeted for exploit). Another problem is Google itself, as that complicated search engine system of putting some websites ahead of others was the focus of the fake WoW Armory debacle.

    I urge all visitors to consider using Firefox and NoScript addon for that browser. You should also consider adding a security service suite to your machine in addition. Keep the email you use for your WoW gaming separate from your normal correspondence (Set up several email accounts rather than just using one for everything)

    A friend recently got his account compromised and it was done through a very deceptive and clever method (which I won't elaborate on here). The major "gold selling" companies or their affiliates are directly responsible; do not underestimate their ability and resources to come up with even more complicated and clever ways of compromising your account(s).

  10. #10
    Join Date
    Oct 2007
    Location
    Illinois
    Posts
    1,632
    Quote Originally Posted by Discordia View Post
    I urge all visitors to consider using Firefox and NoScript addon for that browser. You should also consider adding a security service suite to your machine in addition. Keep the email you use for your WoW gaming separate from your normal correspondence (Set up several email accounts rather than just using one for everything)
    I completely agree. After my infection a while back I switched to Firefox, NoScript, and Mozilla Thunderbird (for e-mail). Combined all that with Avast (anti-virus), a password protection program, and a Blizzard authenticator.

    Since I have felt much safer and have had zero issues.
    There is something so appealing about backhanding someone across the face with a shield.

  11. #11
    Join Date
    Oct 2009
    Location
    UK
    Posts
    8
    Just to be doubly sure, as I use a lot of your videos etc. (and while I realise the threat is virtually zero, it may be worth you reassuring others of this), there is no possibility of the problem being transferred from Tankspot to guild websites?

    I realise it is something that is virtually impossible, but a reassurance from Ciderhelm would no doubt put a lot of people's minds at rest.

  12. #12
    Join Date
    Dec 2006
    Location
    Tacoma, Wa
    Posts
    8,766
    Quote Originally Posted by Discordia View Post
    Part of the problem is ads. Even the Google Ad Service is not immune to this issue (although they are somewhat reputable, they have too many clients to keep track of and thus are constantly targeted for exploit). Another problem is Google itself, as that complicated search engine system of putting some websites ahead of others was the focus of the fake WoW Armory debacle.
    Just clarifying, TankSpot runs zero advertising at the moment (except from our own site for our own service). This will likely change in the future, of course, but ads here aren't something to worry about since they're really just as simple as a .jpg/.gif image with an html link.


    Quote Originally Posted by Discordia View Post
    I urge all visitors to consider using Firefox and NoScript addon for that browser. You should also consider adding a security service suite to your machine in addition. Keep the email you use for your WoW gaming separate from your normal correspondence (Set up several email accounts rather than just using one for everything)
    This is really great advice. I would suggest everyone read this and re-read this.

  13. #13
    Join Date
    Dec 2006
    Location
    Tacoma, Wa
    Posts
    8,766
    Quote Originally Posted by Stigulus View Post
    Just to be doubly sure, as I use a lot of your videos etc. (and while I realise the threat is virtually zero, it may be worth you reassuring others of this), there is no possibility of the problem being transferred from Tankspot to guild websites?
    The videos are YouTube and YouTube re-renders anything we upload into a new format. There is no threat at all from our movies unless YouTube itself were compromised.

  14. #14
    Join Date
    Jan 2010
    Posts
    1
    Just replying to state that yes a trojan was transmitted to my system, and my account was immediately compromised. (as a note, this is the first virus that I was not aware of contracting in 10 years) I hope that you take security much more seriously from this point, I doubt I will return though.

    Good luck in the future.

  15. #15
    Join Date
    Dec 2006
    Location
    Tacoma, Wa
    Posts
    8,766
    Quote Originally Posted by Auginine View Post
    I hope that you take security much more seriously from this point, I doubt I will return though.
    To be clear, we made people aware of this immediately after we were aware of it and have consistently said everyone should check their PCs. We have done this through three separate venues and the WoW forums.

    We also immediately determined the issue and locked down the software package at fault. The software is not an obscure, dangerous thing we've been running, but a program used worldwide. The exploit involved is less than a month old (and the particular variant we were hit with just a few days old).

    We followed this up with a redundant step of locking the entire forums down, changing our server, and rebuilding on new forums.

    Finally, keep in mind the security hole was not something sitting on our server for days. It was only open for a combined total of about 10-15 minutes, past midnight Pacific time. It would only affect people running insecure/dated browsers. It was not directed at WoW users or this site in particular.

    I am sympathetic to anyone who has had issues resulting from this, but please understand that we took this very seriously and I believe we responded in an appropriate way by immediately calling for people to check for malware.

  16. #16
    Well, I understand Ciderhelm, I also can see it from other people's perspective. Tankspot was/is usually regarded where people could go to get reliable information and very spot on discussion about tanking/raiding, and even DPS'ing. There was a feeling of being secure, you didn't have to worry about vid links of boss kills from respectable members of the community.

    As this site has grown and gotten absolutely huge, you had to know the dark side was going to come and try to attack. While I'm sure proper vigilance was attempted, it wasn't enough, and it's unfortunate that fellow members had to get punished due to it.

  17. #17
    Join Date
    Sep 2008
    Posts
    1,908
    Trojans used to compromise WoW accounts are often different from run-of-the-mill malware served up through generic browser exploits. The issue here was not directed at WoW/game players and so chances are very slim that it contained code to listen/watch for WoW activity. Recent browser exploits have typically been targeted at online banking. Given the very small window in which Tankspot was vulnerable and the generic nature of the software that was vulnerable, I would doubt that any WoW account compromises can be attributed to the issues here, especially because it appears the exploits used were for older browsers.

    As for videos, if Tankspot's videos are a problem, then so is all of YouTube. Videos here are still as safe as watching anything on YouTube.

  18. #18
    Join Date
    Nov 2009
    Posts
    289
    Good to hear you guys responded so fast, no issues were caused on my end. Bitdefender picked it up and prevented the trojan from doing anything before it could cause any harm.

  19. #19
    The particular injection we were hit with was not related in any way to hijacking WoW accounts. If your WoW account was compromised, the trojan you received came from somewhere else -- quite possibly the Flash vulnerability that was discovered recently. Even with no malware software running whatsoever, the most anyone who has bothered to update their web browsing software in the past year or so should have been inflicted with was an annoying "Save As" dialog asking to download a .jpeg file. Bear in mind as well that there is usually a span of several days between picking up a keylogger and getting your account hacked.

    As mentioned originally, we do not believe that anything harmful was actually transmitted. The suggestion to scan your PC was given out of courtesy more than concern. The updates were made to prevent the injection attempts from occurring again in the future, when they might actually succeed at whatever it was they were trying to do.

    Some users (such as Acidbaron, above) reported that various malware blockers identified the issue and blocked it, which is fantastic. This does not mean that anything was actually transmitted, however -- it's very likely, given the circumstances, that the software was simply recognizing the attempt to run a malicious script (which was ultimately non-functional).

    So, to reiterate: If you ran a scan, and you found something, great! However, it probably didn't come from TankSpot. If your WoW account was mysteriously hacked at the same time, then you've probably had whatever you found in your system for quite some time.
    Last edited by Lore; 01-25-2010 at 03:40 AM.

  20. #20
    Join Date
    Oct 2007
    Location
    PDX
    Posts
    1,366
    Quote Originally Posted by Ciderhelm View Post
    It would only affect people running insecure/dated browsers.
    I was on the site several times during that period. No problems, no malware, no viruses. My AV is current, my browsers are current, my OS is current.

    People need to protect themselves. Expecting any website to be 100% secure is naive. I think the TS team did an excellent job of noticing, finding, and controlling the problem. 99% of other sites would not have even let you know there was an issue at all, and would have left you totally unaware that there was any problem and/or that you may have been compromised.
