World of Warcraft Screenshots Contain Your Account Info


The account ID is anonymous.
It's not the account name you use to log in.
It's utterly useless to hackers, as it cannot actually be used for anything unless you already have access to the account database.

In fact the only info that could be pulled from a screenshot is the time it was taken, the IP address of the server the character in question was connected to, and whether two different characters are on the same account[1].

So in other words, information that could just as easily (and much more legitimately) be taken off the Battle-net Armory. A method that has been around even longer (before the Acti-Blizz merge), can give far more information and has never been complained about ONCE.

[1] and even this would require 'datamining' one screenshot taken with each character, in which case you could probably guess they're on the same account by just looking at who's posting them.

NLS:
To be honest, The Escapist needs to fool-proof read through their articles. Because the majority will read this as "Blizzard attaches all your account info that can be used by hackers in your screenshots" even if you've written "no passwords are attached, only server IP". The title is misleading, and the wording has obviously convinced enough people here that there's reason to worry when there's really not. You know that's gonna happen, so why not try to cater to the crowd that takes the title as proof, and actually write it in a way so that it is 100% clear that it is not a case to worry about.

Well, because it's kind of worrying that this kind of thing, even as far as it goes, is being tracked through screenshots, especially seeing as it was being done covertly. Sure, hackers might not have been able to use this to break into accounts, but there are more than a few things this can be put to use for, heck I'm not even sure I like the idea of Blizzard being able to look at a screenshot and identify who is in it, and where they are.

That said, it DOES raise some interesting questions, if this story is true it would mean Blizzard was full of bunk in not accepting screenshots showing people cheating and exploiting in PVP and such as proof due to not being able to identify the people involved for sure, since they obviously could.

Good thing I don't play WoW.

Denamic:
The account ID is anonymous.
It's not the account name you use to log in.
It's utterly useless to hackers, as it cannot actually be used for anything unless you already have access to the account database.

It is useful to someone looking to figure out whose alt a particular character is, which could be useful in phishing.

Therumancer:

NLS:
To be honest, The Escapist needs to fool-proof read through their articles. Because the majority will read this as "Blizzard attaches all your account info that can be used by hackers in your screenshots" even if you've written "no passwords are attached, only server IP". The title is misleading, and the wording has obviously convinced enough people here that there's reason to worry when there's really not. You know that's gonna happen, so why not try to cater to the crowd that takes the title as proof, and actually write it in a way so that it is 100% clear that it is not a case to worry about.

Well, because it's kind of worrying that this kind of thing, even as far as it goes, is being tracked through screenshots, especially seeing as it was being done covertly. Sure, hackers might not have been able to use this to break into accounts, but there are more than a few things this can be put to use for, heck I'm not even sure I like the idea of Blizzard being able to look at a screenshot and identify who is in it, and where they are.

That said, it DOES raise some interesting questions, if this story is true it would mean Blizzard was full of bunk in not accepting screenshots showing people cheating and exploiting in PVP and such as proof due to not being able to identify the people involved for sure, since they obviously could.

I guess it wouldn't be of much use to submit screenshots of people cheating and exploiting if the only ID they send is your own. However, if they know of a safe and sure way that it's not possible to tamper with these watermarks intact, it could prove as a way to make sure screenshots submitted of cheaters are in fact authentic, and not photoshopped. If the timestamp, server-ip and player-id isn't forgeable into any screenshot, then Blizzard could at least know that the screenshot taken is somewhat real and the cheating actions depicted can be traced. I doubt however that they would let you just take a snapshot of someone and have their IDs tagged and ready for banning.
With some work, it should be possible to use this to screenshot cheaters and have them banned, but it would take some effort.

Aren't MMOs the games to have the least issue with piracy?

Nurb:
Aren't MMOs the games to have the least issue with piracy?

With direct piracy, there's probably some truth in that. But this is an effort to find and eliminate private servers, a problem pretty much unique to the MMO.

Sheo_Dagana:
Gotta hand it to Blizzard. Their fans should be even more pissed off at them right now than they already are, but the audience is jumping to their defense. That's a dedicated WoW player for ya - Blizzard can do no wrong.

Illidonkey
Mal'Ganis
loltimestamp

Go at it, champ.

Because I totally have never given this information to people who have had a conversation with me and WoW came up at one point or another.

True or False, the plug was good enough to get me to read the article.

tzimize:

Fappy:
Shady practice is shady. Good thing I never shared any of my old screenshots.

Yeah. This seems borderline illegal. Is it really ok for Blizzard to be using this method? Could it open for lawsuits against them for something or another?

Considering it's in the Terms of Service, nobody suing Blizzard would have a case, since they agreed to it willingly.

Now I know most people don't read the Terms of Service every time it's changed. And those people are going to find out that harsh reality the hard way.

Oh no, not my account name. If the pirates got that they could... do absolutely nothing since they don't have a password and Blizzard has authenticators. Hell, I've seen games that put similar information in plain text at the top of screenshots to identify players. Yeah, this is kind of shady but it's not like they're putting your credit card information in screenshots. I gotta add paranoid to my big list of problems gamers have. (Willing to give out credit card information to Blizzard, but worried when they include mostly innocuous data in screenshots.)

Denamic:
The account ID is anonymous.
It's not the account name you use to log in.
It's utterly useless to hackers, as it cannot actually be used for anything unless you already have access to the account database.

what like this you mean ?

http://www.escapistmagazine.com/news/view/118988-Blizzards-Network-Hacked

While actual account passwords are not revealed, it remains possible that hackers could somehow use this data to harass or compromise your account, especially now that this technique is in the open

Somehow... just... just somehow.

I don't know when, i don't know why, i don't know how... but Teh Hackurz man... teh hackurz! You should be scare shitless of this big brother tinfoil hat conspiracy man!! They got you by the Baaaaaaaaaaaaallz man!!

It... it's like... a technique dude, a special bloodline technique that Hackers have! They can minority report your shit and sell your organs online on craigslist for "Botswanian" warlords and stuff... and then.. and then... like, one day... you hear like... a knock on the door and it's like... this fucking huge warlord... from Botswana and he is all like up in your shit going "Hey man i came for your organz gimme your organz!" and you are like "Oh fuck nnoooooo" and then you find out that it was the hackers from world of warcraft dude!!

It's like... totally, yes!

evilneko:

Denamic:
The account ID is anonymous.
It's not the account name you use to log in.
It's utterly useless to hackers, as it cannot actually be used for anything unless you already have access to the account database.

It is useful to someone looking to figure out whose alt a particular character is, which could be useful in phishing.

You think they'll break the encryption of tiny strings of code in millions of screenshots just to find a matching ID, just to... phish someone? You know that phishing is when they send you emails that redirect you to a fake log-in or password reset page and such, right? The thought that anyone would ever go through such an ordeal just for a sliver of a chance to rip you off, when there's thousands of dumbasses who fall for phishing without any special tricks, is just absurd. It's more likely that someone will threaten you to give them your account information at gunpoint. Which I hope I don't have to tell you is not very likely at all.

And again, it's anonymous. You may be able to determine whose alt is whose, but there's no need to put effort into breaking the encryption of thousands of files to do that when there's countless people on the forums that readily admit who their alts are.

This information is harmless. You've already agreed to give Blizzard anonymous information before you play the game. The only slight Blizzard have committed is by omitting that some of it is embedded in screenshots, even if that information isn't actually personal.

Fappy:
Shady practice is shady. Good thing I never shared any of my old screenshots.

Steganography has been around a while, there's not much to it and I highly doubt anyone is going to have the ability to steal an account with the data contained "inside" each screenshot, let alone put the effort in to decrypt it.

Denamic:

evilneko:

Denamic:
The account ID is anonymous.
It's not the account name you use to log in.
It's utterly useless to hackers, as it cannot actually be used for anything unless you already have access to the account database.

It is useful to someone looking to figure out whose alt a particular character is, which could be useful in phishing.

You think they'll break the encryption of tiny strings of code in millions of screenshots just to find a matching ID, just to... phish someone? You know that phishing is when they send you emails that redirect you to a fake log-in or password reset page and such, right? The thought that anyone would ever go through such an ordeal just for a sliver of a chance to rip you off, when there's thousands of dumbasses who fall for phishing without any special tricks, is just absurd. It's more likely that someone will threaten you to give them your account information at gunpoint. Which I hope I don't have to tell you is not very likely at all.

And again, it's anonymous. You may be able to determine whose alt is whose, but there's no need to put effort into breaking the encryption of thousands of files to do that when there's countless people on the forums that readily admit who their alts are.

This information is harmless. You've already agreed to give Blizzard anonymous information before you play the game. The only slight Blizzard have committed is by omitting that some of it is embedded in screenshots, even if that information isn't actually personal.

Yes. I know what phishing is. Fact is, this info is useful. Any information a bad guy can get on a potential mark--or even the mark's associates--is useful.

And the source code for tools to extract the hidden information is already posted, so it'd be trivial to obtain.

evilneko:
Yes. I know what phishing is. Fact is, this info is useful. Any information a bad guy can get on a potential mark--or even the mark's associates--is useful.

And the source code for tools to extract the hidden information is already posted, so it'd be trivial to obtain.

Really.
How is an account ID, which is to say a random string of numbers without any actual consequence for people without admin access to the account database, a time stamp, and the server's IP useful?
Even if someone with malicious intents had admin access, your account ID is pretty low on the list of concerns.

Denamic:

evilneko:
Yes. I know what phishing is. Fact is, this info is useful. Any information a bad guy can get on a potential mark--or even the mark's associates--is useful.

And the source code for tools to extract the hidden information is already posted, so it'd be trivial to obtain.

Really.
How is an account ID, which is to say a random string of numbers without any actual consequence for people without admin access to the account database, a time stamp, and the server's IP useful?
Even if someone with malicious intents had admin access, your account ID is pretty low on the list of concerns.

Think like Google.

Every little bit of data fits into a larger puzzle that can build up to a pretty complete picture of your target.

And the more complete the picture, the more you can do with it.

evilneko:

Denamic:

evilneko:
Yes. I know what phishing is. Fact is, this info is useful. Any information a bad guy can get on a potential mark--or even the mark's associates--is useful.

And the source code for tools to extract the hidden information is already posted, so it'd be trivial to obtain.

Really.
How is an account ID, which is to say a random string of numbers without any actual consequence for people without admin access to the account database, a time stamp, and the server's IP useful?
Even if someone with malicious intents had admin access, your account ID is pretty low on the list of concerns.

Think like Google.

Every little bit of data fits into a larger puzzle that can build up to a pretty complete picture of your target.

And the more complete the picture, the more you can do with it.

Useless information is useless information.
They cannot do anything of consequence with it. Literally the worst they can do is match up two or more screenshots as having been made from the same account. That is trivial information, on top of the fact that said screenshots had to have been posted online to begin with, and it's more than just likely that said screenshots were posted on the same account on the imagehost, so you'd know it's from the same person anyway.

It's a waste of time to even dig it up. The 'hackers' have more accounts to go through than they have time to anyway. Thousands of people fall for phishing; spending time to dig up a random string of code they can't do anything with would just be detrimental to their efforts. Which, now that I think about it, means that if they spend time digging up that shit, they're spending less time actually logging in to other people's accounts, essentially reducing 'hacking.'

We should be encouraging them to do this.

tzimize:

Fappy:
Shady practice is shady. Good thing I never shared any of my old screenshots.

Yeah. This seems borderline illegal. Is it really ok for Blizzard to be using this method? Could it open for lawsuits against them for something or another?

I don't dispute Blizzard's right to try to stop pirate servers I guess, well not for this discussion, but they could inadvertently be responsible for people's personal information leaking out.

The only "account information" they're leaking is the account number. That's it. Not even account name, just a number which is (in all likelihood) only used internally by Blizzard.

I work as a developer on a hosted software product. All of our users have an account name (which they use to log in) and an account number (which identifies them in the database). The first user on the system has account number 1 (or 1 preceded by 15 zeros if you're being picky). The second user has account number 2. You can probably guess how it goes from there. These numbers would only be helpful to a hacker who already had unrestricted access to our database. In which case, we've got far bigger problems!

The other two pieces of information are the IP address of the server you were connected to (which will either be one of Blizzard's servers or a pirate one) and the time you took the screenshot.

The only use I can think of for the account number is that you can tell if two screenshots were taken by the same person.

Sleekit:

Denamic:
The account ID is anonymous.
It's not the account name you use to log in.
It's utterly useless to hackers, as it cannot actually be used for anything unless you already have access to the account database.

what like this you mean ?

http://www.escapistmagazine.com/news/view/118988-Blizzards-Network-Hacked

Yep. And once you have access to the database, why pick on that one guy whose screenshot you decoded? Why not just steal from two thousand random accounts?

Unless this is part of evil scheme to allow evil hackers to target just players who put together horrible-looking armour sets...

evilneko:

Denamic:
The account ID is anonymous.
It's not the account name you use to log in.
It's utterly useless to hackers, as it cannot actually be used for anything unless you already have access to the account database.

It is useful to someone looking to figure out whose alt a particular character is, which could be useful in phishing.

I could also work that out by noticing that the same person posted both those screenshots on Flickr.

The image itself probably contains far more useful information for phishing (such as what cool items you may have picked up recently and what areas you've been active in) than the data hidden in it.

Sleekit:

Denamic:
The account ID is anonymous.
It's not the account name you use to log in.
It's utterly useless to hackers, as it cannot actually be used for anything unless you already have access to the account database.

what like this you mean ?

http://www.escapistmagazine.com/news/view/118988-Blizzards-Network-Hacked

From the article:

What have been accessed, however, are the email addresses, personal security question answers, mobile authenticator information and cryptographically scrambled Battle.net passwords belonging to players who use North American servers.

Note that "internal account ID database" is not mentioned in any way, shape, or form.

Your tinfoil hat is wearing out.

Either, thank goodness I don't play WoW anymore, not that it would matter anyways I never posted screen shots of myself...... and I was going to say or meh, but instead it's and meh included.

I'm disappointed... I'm going elsewhere now.

Just a small pointer, but the statement "encrypted by a technique called steganography" is incorrect. Steganography is not encryption: you can encrypt data (rendering it unreadable to persons without the decryption key), or you can hide it inside other data (which is what steganography is), or both. I for example wrote a program that encrypts given textual data, then hides it inside the colour channel data of a PNG image using steganography.

Bhaalspawn:

tzimize:

Fappy:
Shady practice is shady. Good thing I never shared any of my old screenshots.

Yeah. This seems borderline illegal. Is it really ok for Blizzard to be using this method? Could it open for lawsuits against them for something or another?

Considering it's in the Terms of Service, nobody suing Blizzard would have a case, since they agreed to it willingly.

Now I know most people don't read the Terms of Service every time it's changed. And those people are going to find out that harsh reality the hard way.

Yep, however I (thank god) don't live in the USA. I live in a country where customers actually have some rights :P So whatever the ToS says it can't make me agree to terms that are worse than my country's customer rights. How that would work in an international lawsuit I have no idea, and it's not that interesting to me since I won't be suing anyone. But in the USA people sue each other at the drop of a shoe (or so it seems anyway) so I'm sure SOMEONE will sue Blizz over this :o

tzimize:

Bhaalspawn:

tzimize:

Yeah. This seems borderline illegal. Is it really ok for Blizzard to be using this method? Could it open for lawsuits against them for something or another?

Considering it's in the Terms of Service, nobody suing Blizzard would have a case, since they agreed to it willingly.

Now I know most people don't read the Terms of Service every time it's changed. And those people are going to find out that harsh reality the hard way.

Yep, however I (thank god) don't live in the USA. I live in a country where customers actually have some rights :P So whatever the ToS says it can't make me agree to terms that are worse than my country's customer rights. How that would work in an international lawsuit I have no idea, and it's not that interesting to me since I won't be suing anyone. But in the USA people sue each other at the drop of a shoe (or so it seems anyway) so I'm sure SOMEONE will sue Blizz over this :o

And then the court would look at what could be obtained and how useful it was to someone hacking said person and then toss the case.

And to compound where I said nobody did any research, OwnedCore is a group that runs private servers of Blizzard games so they are competing (illegally mind you) with Blizzard itself and this encoding is a major threat to them.

Now given knowledge of the source, the info becomes even more suspect.

LordLundar:
And to compound where I said nobody did any research, OwnedCore is a group that runs private servers of Blizzard games so they are competing (illegally mind you) with Blizzard itself and this encoding is a major threat to them.

Now given knowledge of the source, the info becomes even more suspect.

Doesn't matter because of anti-trust laws. Those forbid establishing a monopoly, so if Blizzard went up against OwnedCore for running servers, they'd lose because anti-trust laws forbid demanding a total monopoly on something.

OwnedCore may be a rival to Blizzard (they are only if they charge subscription for logging in on their WoW servers) but they can't be illegal competition because Blizzard shutting out everybody else would be a breach of anti-trust law.

In many countries, IP addresses are considered personal information, and abuse of it is a violation of privacy laws. Harvesting IPs illegally like done with these screenshots would for instance violate Dutch privacy laws, so Blizzard can't do a thing against someone in the Netherlands playing on private servers, since gathering that info was illegal, and any and all evidence created illegally is obviously inadmissible.

Worked with software that put digital watermarks into pics long ago.
Fun stuff.

Though piss-easy to bypass with simple OS commands and other software.

Blablahb:
Doesn't matter because of anti-trust laws. Those forbid establishing a monopoly, so if Blizzard went up against OwnedCore for running servers, they'd lose because anti-trust laws forbid demanding a total monopoly on something.

OwnedCore may be a rival to Blizzard (they are only if they charge subscription for logging in on their WoW servers) but they can't be illegal competition because Blizzard shutting out everybody else would be a breach of anti-trust law.

In many countries, IP addresses are considered personal information, and abuse of it is a violation of privacy laws. Harvesting IPs illegally like done with these screenshots would for instance violate Dutch privacy laws, so Blizzard can't do a thing against someone in the Netherlands playing on private servers, since gathering that info was illegal, and any and all evidence created illegally is obviously inadmissible.

Wow, so much misinformation here.

There is no Anti-Trust issue here. Blizzard owns the Intellectual Property pertaining to their games so they have sole legal discretion on who uses their IP. Now if they actively tried to shut down every MMO, Anti-Trust lawsuits would be accurate. A bunch of people not seeking permission from Blizzard to put up their own server (which they wouldn't get anyway) is a violation of the DMCA and various international copyright laws and as such illegal. Get your facts straight.

As for your second one, Because Blizzard owns the Intellectual Property, they are also considered legal owners of the screenshots resulting from the utilization of it, so they are not breaching privacy laws. In fact, they're required to exercise their enforcement of it to comply with certain laws, the Dutch Data Registration Act included. You're saying that a private server host can go to court and say "We stole Blizzard's IP and now they're trying to shut us down!" and expect the court to rule against Blizzard. Not. Going. To. Happen. Now seeing that there's also other more direct ways of obtaining the private server's IP address (which needs to be integrated into the client software to override Blizzards server IPs) the screenshots don't even need to be administered into evidence.

The entire crux of your argument is based around someone committing IP theft and saying that Blizzard cannot stop them when court history worldwide says very different.

Baldr:
Pretty sophisticated technology for 2007. Still don't know about what the data actually contains.

More like a very simple method to implement in any lossless image data. Hiding an ASCII string inside a bitmap image is surprisingly trivial for any half decent programmer who knows how bitmap image data is organised.

A good method I would use is modifying subpixel values to be odd or even numbers to represent binary 1 or 0 so you can encode the binary values for each character.

You could even have it set up to represent odd values as black pixels and even numbers as white pixels so you end up with an image of the text you want to hide if you transform the image with a simple bit of code.

Could get a bit tedious with a language like C++ but something like Matlab is perfect for very easy implementation of the above methods.

Sorry if that went over anyone's head.
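
The odd/even subpixel scheme described in the post above, as an added example that is not part of the original thread and is not the actual format of the WoW screenshot watermark. It hides data without encrypting it, and shows that clearing the low bits (as any lossy re-encode would) removes the mark. The carrier image, the payload string and all function names are constructed for illustration.

```python
"""Parity (least-significant-bit) hiding in raw subpixel data.
The carrier image and the payload below are constructed sample data."""

SAMPLE_PAYLOAD = "id=1234567 t=12:00 ip=192.0.2.10"  # constructed, not real

def make_carrier(width, height):
    """Constructed carrier: flat list of 8-bit RGB subpixels, row-major."""
    return [(x * 7 + y * 13 + c * 29) % 256
            for y in range(height) for x in range(width) for c in range(3)]

def embed(subpixels, text):
    """Set each subpixel's parity to one payload bit (odd = 1, even = 0)."""
    payload = text.encode("ascii") + b"\x00"  # NUL marks end of message
    bits = [(byte >> s) & 1 for byte in payload for s in range(7, -1, -1)]
    if len(bits) > len(subpixels):
        raise ValueError("carrier too small for payload")
    out = list(subpixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit  # each value moves by at most 1
    return out

def extract(subpixels):
    """Read parities back 8 at a time until the NUL terminator."""
    chars = []
    for i in range(0, len(subpixels) - 7, 8):
        byte = 0
        for value in subpixels[i:i + 8]:
            byte = (byte << 1) | (value & 1)
        if byte == 0:
            return bytes(chars).decode("ascii", errors="replace")
        chars.append(byte)
    return None  # no terminator: nothing stored with this scheme

def parity_plane(subpixels):
    """The 'odd = black, even = white' view of the same data."""
    return [0 if value & 1 else 255 for value in subpixels]

def max_change(before, after):
    """Largest per-subpixel difference introduced by embedding."""
    return max(abs(a - b) for a, b in zip(before, after))

def scrub(subpixels):
    """Clear every low bit; the visible image is unchanged, the mark is gone."""
    return [value & ~1 for value in subpixels]

if __name__ == "__main__":
    carrier = make_carrier(16, 16)
    stego = embed(carrier, SAMPLE_PAYLOAD)
    print("recovered:        ", extract(stego))
    print("max pixel change: ", max_change(carrier, stego))
    print("first parity bits:", parity_plane(stego)[:8])
    print("after scrub:      ", repr(extract(scrub(stego))))
```
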

Misleading title is misleading.

In-game pictures contain your account ID, a timestamp, and the IP address of your server

None of these things can be used to put an account in danger.

I love threads like this, it really weeds out stupid people. Or people who don't fully read an article, which are typically the same thing. I needed a good laugh, and reading how people think that these watermarks could somehow threaten accounts...Good laughs are obtained. That said, it was a rather badly-worded article. Blizzard should do more things like this, they're a multi-million dollar company, they clearly know more about what they're doing than most people on here.

The Escapist is starting to read a lot like Cracked for me, but it's the posters that really provide the humor.
