World of Warcraft Screenshots Contain Your Account Info

[Charli]

Actually, if anyone had done ANY research into the information they would find that any of the information is useless outside Blizzard.

-It's an Account ID aka an alphanumeric code only used inside Blizzard and without the database linking a proper account name with their account ID it's useless.

-It's the SERVER IP not the PLAYER's IP. Someone trying to run a trace will find out it's only the server they're trying to harass.

I will repeat: There is NO information in that watermark that is useful to anyone outside blizzard.

Knowledge is power and the people perpetuating this BS paranoia are clearly unarmed. Apparently Andy isn't the only one who can relink bad articles.

...I actually ASSUMED the Screenshots contained a measure like this...

And yeah, verified this on MMO champion. Escapist I am disappoint at scaremongering.
If hackers can hack me with that, then... they deserve my account.

 

[Nuke_em_05]

While actual account passwords are not revealed, it remains possible that hackers could somehow use this data to harass or compromise your account, especially now that this technique is in the open. Basically, when it comes to matters of account security, it's generally best not to disclose anymore than you have to.

...Thankfully, the fix is pretty easy. Concerned players can either use high-quality screenshots (using the '/console SET screenshotQuality "10"' command), or use a third party screenshot utility to ensure their details don't inadvertently leak out.

Nope.

Your account ID is useless to anyone outside of Blizzard. The server IP says nothing about you individually. A "hacker" can probably get better information from the content of a screenshot; character/guild name, chat logs, appearance, etc. Posting a screenshot at all is "dangerous" in that respect, the details in the watermark are not.

You imply that a "fix" is necessary. There is nothing to be concerned about. There are no dangerous details inadvertently leaking out.

Sensationalist post is sensationalist.

 

[Aeshi]

Though the sad fact is a vast, vast majority of people are complacent or simply naive about their online security.

Well we're not talking about the "vast, vast majority of people", we're talking about Hackers, Pirates, people who run private servers and other people who essentially bypass security as a hobby. People who really, really should know better than to blindly assume "oh well there's no way THIS piece of code could contain any security measures, and I'm so sure I'm not going to bother checking because I'm too busy being right."

 

[Mamzelle_Kat]

The title of this article is so misleading. It looks unnecessarily sensationalist.

It's a trend I've noticed a few times on this site. To have a very aggressive title saying THIS IS HAPPENING, only to read the article saying "ok that's not actually true, but I did get you to click this link right? LOL".

 

[The Lugz]

guys, this is total crap even if it's true which frankly i doubt
it's supposedly hidden in the jpeg compression data
so save your files as bitmaps, or tga and said data is gone.
also save any jpeg with compression and sharpening up 99% and you'll see odd artifacts, banding blocking and blurring such as :

http://shutha.org/node/829

jpeg just has crappy algorithms

until someone comes up with a program that can read jpeg artifacts and get out data that isn't nonsense it's pure tinfoil hat

Why disable the hacked compression data when altering the quality of the jpeg file output?
Why not create .bmp .tga ect encoding programs?

it makes no logical sense to attempt to spy on activities when your only seeing certain screenshot settings

 

[KeyMaster45]

Though the sad fact is a vast, vast majority of people are complacent or simply naive about their online security.

Well we're not talking about the "vast, vast majority of people", we're talking about Hackers, Pirates, people who run private servers and other people who essentially bypass security as a hobby. People who really, really should know better than to blindly assume "oh well there's no way THIS piece of code could contain any security measures, and I'm so sure I'm not going to bother checking because I'm too busy being right."

Because only bad people have bad stuff happen to them on the internet, right?

I'm not concerned about them, they know what they're doing and hopefully they're aware of the risks. I'm more concerned about the effects this will have on people who aren't in the group of miscreants you rattled off.

Being uninformed about something that puts your digital security at risk and not knowing you should be seeking out the information to protect yourself does not mean you deserve to whammied by some prick hacker looking to prey on your naivety. That's what I take issue with from your original post and now your imagined thought process of someone who really doesn't know what they're doing. They don't deserve the negative consequences that come from a company like Blizzard hiding their info in such a way that only the people who wouldn't fall prey to an exploit from it could find it. What did they do that was so wrong other than taking a screenshot and posting it to the web? There's a reasonable expectation there that such a frequent and accepted practice in the gaming community won't result in someone being given the tools to hijack their account.

 

[shintakie10]

Actually, if anyone had done ANY research into the information they would find that any of the information is useless outside Blizzard.

-It's an Account ID aka an alphanumeric code only used inside Blizzard and without the database linking a proper account name with their account ID it's useless.

-It's the SERVER IP not the PLAYER's IP. Someone trying to run a trace will find out it's only the server they're trying to harass.

I will repeat: There is NO information in that watermark that is useful to anyone outside blizzard.

Knowledge is power and the people perpetuating this BS paranoia are clearly unarmed. Apparently Andy isn't the only one who can relink bad articles.

So, when you say if "anyone had done ANY research into the information", you'd hoped that the author of this post would have reported that "It's the Account ID" and the "SERVER IP." So, basically, precisely what he wrote in the article.

In-game pictures contain your account ID, a timestamp, and the IP address of your server.

I'm very confused as to what grounds you attack both Ian and Andy.

I would assume it has somethin to do with the fact that, despite havin apparently done his research and knowin exactly what is supposedly in the screenshots, he uses this line.

While actual account passwords are not revealed, it remains possible that hackers could somehow use this data to harass or compromise your account

Which, if he actually had done the research, would be the stretchiest overreach ever. There is absolutely no way short of gettin a full list from Blizzards computers of every account number, then another list that ties those account numbers to the actual accounts (since they are literally an arbitrary number attached to an account that is in now way shape or form actual visible to anyone outside of Blizzard.

The amount of work needed to even harass a player through this would not remotely be worth it. You'd be able to harass or even attempt to steal an account by simply analyzin the actual contents of the screenshot itself.

Print screen is how you take screenshots in WoW, then the game automatically saves what you took to the WoW folder. Also up until now nobody knew about this so they had no reason to be afraid of letting the game auto save the picture. It's had that function since it's release in 2004 and according to the group that found this the watermarks don't show up on any screenshots prior to Blizzard's merger with Activision in 2008.(apply tinfoil hat if you so feel like) As it stand anyone who's posted a screenshot since 2008 to the internet was caught by this, so it's rather callous to say they deserve whatever happens when they had no idea of a security threat in the first place.

Are you sure? Because on my copy of the game "Take Screenshot" is bound to my Home key, and I can still take pictures with Printscreen and then pasting the result into Paint.

Perhaps that does justify it a tiny bit, but you'd still have to be pretty stupid to get caught out by that when you've found a workaround for literally everything else. (and of course they had no idea there was a Security Threat, that's what makes it a "Security THREAT" and not a "Security mild inconvenience")

Print screen is what's always done the trick for me, then again it never occurred to me that they would also bind that function to the home key. I'm not saying that there aren't options to workaround this problem, just that since this is something that effects people's posted screenshots going all the way back to 2008 that unless they've kept a detailed account of where they've uploaded/posted/linked them you can't really say they deserve negative consequences. (then again I don't think anyone actually deserves to have their personal accounts compromised, especially to threats they had no prior awareness of) Even now that it's out in the open there will remain people who never hear about this and continue on their merry way.

Those of us who are actively concerned about our online security we'll patch this little leak in our defense and then turn our attention to why the crap was this deliberately put there in the first place. Though the sad fact is a vast, vast majority of people are complacent or simply naive about their online security. The Blizzard CS forums are testament to that with the multitude of people who's accounts are hacked and have no idea how it could have happened. Lord knows Blizzard has tried to idiot proof their system (though this incident dose raise questions about wtf they were think with this watermark) and yet accounts are still compromised. What may seem like common sense security measures to you or me is something that someone else would have never dreamed they'd need to watch out for. Unfortunately most people don't become concerned about their security until after they've been hit with the consequences, and even then there will steps they could take which they will either not know of or understand how to carry.

The solution to this particular problem may be simple, but I don't agree that anyone who is affected negatively deserves those consequences. Especially because they'd be the direct result of Blizzard plastering just enough info so the account hackers can get their foot in the door.

Again. There is literally no feasible way for anyone to compromise an account with the information in the screenshot. Literally. None. Anyone outside of Blizzard would get an arbitrary number and a ip address to a Blizzard server. End. Of. Story.

What exactly do you think someone can do with an arbitrary number and a ip address to a Blizzard server?

 

[tzimize]

Shady practice is shady. Good thing I never shared any of my old screenshots.

Yeah. This seems borderline illegal. Is it really ok for Blizzard to be using this method? Could it open for lawsuits against them for something or another?

I dont dispute Blizzards right to try to stop pirate servers I guess, well not for this discussion, but they could inadvertently be responsible for peoples personal information leaking out.

And it also begs the question, how normal is this? Are other companies using similar methods? And who? Paranoia ensues.

 

[Sheo_Dagana]

Gotta hand it to Blizzard. Their fans should be even more pissed off at them right now than they already are, but the audience is jumping to their defense. That's a dedicated WoW player for ya - Blizzard can do no wrong.

 

[NLS]

To be honest, The Escapist needs to fool-proof read through their articles. Because the majority will read this as "Blizzard attaches all your account info that can be used by hackers in your screenshots" even if you've written "no passwords are attached, only server IP". The title is misleading, and the wording has obviously convinced enough people here that there's reason to worry when there's really not. You know that's gonna happen, so why not try to cater to the crowd that takes the title as proof, and actually write it in a way so that it is 100% clear that it is not a case to worry about.

 

[Erana]

Apparently, people are already working on decoders, and it is verified to not be JPEG compression. And while hackers would prolly just go datamining, it does pose the potential issue of linking a character with their general blizzard account, which could accomidate harassment between users.
And the most damning thing about this is that use of such technology was never spoken of in the Terms of Service nor the User Agreement. And that just doesn't feel right to me.

There's really no skin off my back since I'm abstaining from MMO grameplay in general, but its still very interesting.

 

[Zydrate]

I've always thrown my screenshots in some kind of program for cropping purposes and whatnot.
Pretty sure I'm okay.

I've always hated people's raw screenshots. Most are either too big, or hilariously shrunk from their imagehost. Either way it's inconvenient.
If I want to show an armor set, I crop a picture so it's just me. With my armor. Not a 4000x4000 screenshot of everything else.

 

[oldtaku]

guys, this is total crap even if it's true which frankly i doubt

until someone comes up with a program that can read jpeg artifacts and get out data that isn't nonsense it's pure tinfoil hat

...

Go to the original article. He wrote a program that reads the jpeg artifacts and spits out your account ID, the realm IP, and a timestamp /before/ they released this info. You can run it yourself.

 

[oldtaku]

One thing you can do with this info is tie alts together.

Two chars with same account ID -> alts. And if you know anything about one of the alts...

 

[Folji]

guys, this is total crap even if it's true which frankly i doubt

Whatever reasons they had for doing it the way they did, it's still undeniable that the watermarks are there. I haven't played the game in some time, but I found some old screenshots and sharpened them up to see if anything would happen.

Spoiler

Those vertical strips in the white fields look like encrypted data to me.

 

[Denamic]

The account ID is anonymous.
It's not the account name you use to log in.
It's utterly useless to hackers, as it cannot actually be used for anything unless you already have access to the account database.

 

[Aeshi]

In fact the only info that could be pulled from a screenshot is the time it was taken, the IP address of server the character in question was connected to, and whether two different characters are on the same account[footnote]and even this would require 'datamining' one screenshot taken with each character, in which case you could probably guess they're on the same account by just looking at who's posting them.[/footnote].

So in other words, information that could just as easily (and much more legitimately) be taken off the Battle-net Armory. A method that has been around even longer (before the Acti-Blizz merge), can give far more information and has never been complained about ONCE.

 

[Therumancer]

To be honest, The Escapist needs to fool-proof read through their articles. Because the majority will read this as "Blizzard attaches all your account info that can be used by hackers in your screenshots" even if you've written "no passwords are attached, only server IP". The title is misleading, and the wording has obviously convinced enough people here that there's reason to worry when there's really not. You know that's gonna happen, so why not try to cater to the crowd that takes the title as proof, and actually write it in a way so that it is 100% clear that it is not a case to worry about.

Well, because it's kind of worrying that this kind of thing, even as far as it goes, is being tracked through screenshots, especially seeing as it was being done covertly. Sure, hackers might not have been able to use this to break into accounts, but there are more than a few things this can be put to use for, heck I'm not even sure I like the idea of Blizzard being able to look at a screenshot and identify who is in it, and where they are.

That said, it DOES raise some interesting questions, if this story is true it would mean Blizzard was full of bunk in not accepting screenshots showing people cheating and exploiting in PVP and such as proof due to not being able to identify the people involved for sure, since they obviously could.

 

[Evil Smurf]

good think I don't play WOW

 

[evilneko]

The account ID is anonymous.
It's not the account name you use to log in.
It's utterly useless to hackers, as it cannot actually be used for anything unless you already have access to the account database.

It is useful to someone looking to figure out whose alt a particular character is, which could be useful in phishing.