World of Warcraft Screenshots Contain Your Account Info

NLS

Norwegian Llama Stylist
Jan 7, 2010
Therumancer said:
NLS said:
To be honest, The Escapist needs to fool-proof read through their articles. Because the majority will read this as "Blizzard attaches all your account info that can be used by hackers in your screenshots" even if you've written "no passwords are attached, only server IP". The title is misleading, and the wording has obviously convinced enough people here that there's reason to worry when there's really not. You know that's gonna happen, so why not try to cater to the crowd that takes the title as proof, and actually write it in a way so that it is 100% clear that it is not a case to worry about.
Well, because it's kind of worrying that this kind of thing, even as far as it goes, is being tracked through screenshots, especially seeing as it was being done covertly. Sure, hackers might not have been able to use this to break into accounts, but there are more than a few things this can be put to use for, heck I'm not even sure I like the idea of Blizzard being able to look at a screenshot and identify who is in it, and where they are.

That said, it DOES raise some interesting questions, if this story is true it would mean Blizzard was full of bunk in not accepting screenshots showing people cheating and exploiting in PVP and such as proof due to not being able to identify the people involved for sure, since they obviously could.
I guess it wouldn't be of much use to submit screenshots of people cheating and exploiting if the only ID they send is your own. However, if they know of a safe and sure way that it's not possible to tamper with these watermarks intact, it could prove as a way to make sure screenshots submitted of cheaters are in fact authentic, and not photoshopped. If the timestamp, server-ip and player-id aren't forgeable into any screenshot, then Blizzard could at least know that the screenshot taken is somewhat real and the cheating actions depicted can be traced. I doubt however that they would let you just take a snapshot of someone and have their IDs tagged and ready for banning.
With some work, it should be possible to use this to screenshot cheaters and have them banned, but it would take some effort.
 

Ferisar

New member
Oct 2, 2010
Sheo_Dagana said:
Gotta hand it to Blizzard. Their fans should be even more pissed off at them right now than they already are, but the audience is jumping to their defense. That's a dedicated WoW player for ya - Blizzard can do no wrong.
Illidonkey
Mal'Ganis
loltimestamp

Go at it, champ.

Because I totally have never given this information to people who have had a conversation with me and WoW came up at one point or another.
 

Twilight_guy

Sight, Sound, and Mind
Nov 24, 2008
Oh no, not my account name. If the pirates got that they could... do absolutely nothing since they don't have a password and Blizzard has authenticators. Hell, I've seen games that put similar information in plain text at the top of screenshots to identify players. Yeah, this is kind of shady but it's not like they're putting your credit card information in screenshots. I gotta add paranoid to my big list of problems gamers have. (Willing to give out credit card information to Blizzard, but worried when they include mostly innocuous data in screenshots.)
 

bells

New member
Jul 10, 2009
While actual account passwords are not revealed, it remains possible that hackers could somehow use this data to harass or compromise your account, especially now that this technique is in the open.
Somehow... just... just somehow.

I don't know when, i don't know why, i don't know how... but Teh Hackurz man... teh hackurz! You should be scare shitless of this big brother tinfoil hat conspiracy man!! They got you by the Baaaaaaaaaaaaallz man!!

It... it's like... a technique dude, a special bloodline technique that Hackers have! They can minority report your shit and sell your organs online on craigslist for "Botswanian" warlords and stuff... and then.. and then... like, one day... you hear like... a knock on the door and it's like... this fucking huge warlord... from Botswana and he is all like up in your shit going "Hey man i came for your organz gimme your organz!" and you are like "Oh fuck nnoooooo" and then you find out that it was the hackers from world of warcraft dude!!

It's like... totally, yes!
 

Denamic

New member
Aug 19, 2009
evilneko said:
Denamic said:
The account ID is anonymous.
It's not the account name you use to log in.
It's utterly useless to hackers, as it cannot actually be used for anything unless you already have access to the account database.
It is useful to someone looking to figure out whose alt a particular character is, which could be useful in phishing.
You think they'll break the encryption of tiny strings of code in millions of screenshots just to find a matching ID, just to... phish someone? You know that phishing is when they send you emails that redirect you to a fake log-in or password reset page and such, right? The thought that anyone would ever go through such an ordeal just for a sliver of a chance to rip you off, when there's thousands of dumbasses who fall for phishing without any special tricks, is just absurd. It's more likely that someone will threaten you to give them your account information at gunpoint. Which I hope I don't have to tell you is not very likely at all.

And again, it's anonymous. You may be able to determine whose alt is whose, but there's no need to put effort into breaking the encryption of thousands of files to do that when there's countless people on the forums that readily admit who their alts are.

This information is harmless. You've already agreed to give Blizzard anonymous information before you play the game. The only slight Blizzard have committed is by omitting that some of it is embedded in screenshots, even if that information isn't actually personal.
 

LiftYourSkinnyFists

New member
Aug 15, 2009
Fappy said:
Shady practice is shady. Good thing I never shared any of my old screenshots.
Steganography has been around a while, there's not much to it and I highly doubt anyone is going to have the ability to steal an account with the data contained "inside" each screenshot, let alone put the effort in to decrypt it.
 

evilneko

Fall in line!
Jun 16, 2011
Denamic said:
evilneko said:
Denamic said:
The account ID is anonymous.
It's not the account name you use to log in.
It's utterly useless to hackers, as it cannot actually be used for anything unless you already have access to the account database.
It is useful to someone looking to figure out whose alt a particular character is, which could be useful in phishing.
You think they'll break the encryption of tiny strings of code in millions of screenshots just to find a matching ID, just to... phish someone? You know that phishing is when they send you emails that redirect you to a fake log-in or password reset page and such, right? The thought that anyone would ever go through such an ordeal just for a sliver of a chance to rip you off, when there's thousands of dumbasses who fall for phishing without any special tricks, is just absurd. It's more likely that someone will threaten you to give them your account information at gunpoint. Which I hope I don't have to tell you is not very likely at all.

And again, it's anonymous. You may be able to determine whose alt is whose, but there's no need to put effort into breaking the encryption of thousands of files to do that when there's countless people on the forums that readily admit who their alts are.

This information is harmless. You've already agreed to give Blizzard anonymous information before you play the game. The only slight Blizzard have committed is by omitting that some of it is embedded in screenshots, even if that information isn't actually personal.
Yes. I know what phishing is. Fact is, this info is useful. Any information a bad guy can get on a potential mark--or even the mark's associates--is useful.

And the source code for tools to extract the hidden information is already posted, so it'd be trivial to obtain.
 

Denamic

New member
Aug 19, 2009
3,804
0
0
evilneko said:
Yes. I know what phishing is. Fact is, this info is useful. Any information a bad guy can get on a potential mark--or even the mark's associates--is useful.

And the source code for tools to extract the hidden information is already posted, so it'd be trivial to obtain.
Really.
How is an account ID, which is to say a random string of numbers without any actual consequence for people without admin access to the account database, a time stamp, and the server's IP useful?
Even if someone with malicious intents had admin access, your account ID is pretty low on the list of concerns.
 

evilneko

Fall in line!
Jun 16, 2011
Denamic said:
evilneko said:
Yes. I know what phishing is. Fact is, this info is useful. Any information a bad guy can get on a potential mark--or even the mark's associates--is useful.

And the source code for tools to extract the hidden information is already posted, so it'd be trivial to obtain.
Really.
How is an account ID, which is to say a random string of numbers without any actual consequence for people without admin access to the account database, a time stamp, and the server's IP useful?
Even if someone with malicious intents had admin access, your account ID is pretty low on the list of concerns.
Think like Google.

Every little bit of data fits into a larger puzzle that can build up to a pretty complete picture of your target.

And the more complete the picture, the more you can do with it.
 

Denamic

New member
Aug 19, 2009
evilneko said:
Denamic said:
evilneko said:
Yes. I know what phishing is. Fact is, this info is useful. Any information a bad guy can get on a potential mark--or even the mark's associates--is useful.

And the source code for tools to extract the hidden information is already posted, so it'd be trivial to obtain.
Really.
How is an account ID, which is to say a random string of numbers without any actual consequence for people without admin access to the account database, a time stamp, and the server's IP useful?
Even if someone with malicious intents had admin access, your account ID is pretty low on the list of concerns.
Think like Google.

Every little bit of data fits into a larger puzzle that can build up to a pretty complete picture of your target.

And the more complete the picture, the more you can do with it.
Useless information is useless information.
They cannot do anything of consequence with it. Literally the worst they can do is match up two or more screenshots as having been made from the same account. That is trivial information, on top of the fact that said screenshots had to have been posted online to begin with, and it's more than just likely that said screenshots were posted on the same account on the imagehost, so you'd know it's from the same person anyway.

It's a waste of time to even dig it up. The 'hackers' have more accounts to go through than they have time to anyway. Thousands of people fall for phishing; spending time to dig up a random string of code they can't do anything with would just be detrimental to their efforts. Which, now that I think about it, means that if they spend time digging up that shit, they're spending less time actually logging in to other people's accounts, essentially reducing 'hacking.'

We should be encouraging them to do this.
 

MetalMagpie

New member
Jun 13, 2011
tzimize said:
Fappy said:
Shady practice is shady. Good thing I never shared any of my old screenshots.
Yeah. This seems borderline illegal. Is it really ok for Blizzard to be using this method? Could it open for lawsuits against them for something or another?

I don't dispute Blizzard's right to try to stop pirate servers I guess, well not for this discussion, but they could inadvertently be responsible for people's personal information leaking out.
The only "account information" they're leaking is the account number. That's it. Not even account name, just a number which is (in all likelihood) only used internally by Blizzard.

I work as a developer on a hosted software product. All of our users have an account name (which they use to log in) and an account number (which identifies them in the database). The first user on the system has account number 1 (or 1 preceded by 15 zeros if you're being picky). The second user has account number 2. You can probably guess how it goes from there. These numbers would only be helpful to a hacker who already had unrestricted access to our database. In which case, we've got far bigger problems!

The other two pieces of information are the IP address of the server you were connected to (which will either be one of Blizzard's servers or a pirate one) and the time you took the screenshot.

The only use I can think of for the account number is that you can tell if two screenshots were taken by the same person.
 

MetalMagpie

New member
Jun 13, 2011
Sleekit said:
Denamic said:
The account ID is anonymous.
It's not the account name you use to log in.
It's utterly useless to hackers, as it cannot actually be used for anything unless you already have access to the account database.
What, like this you mean?

http://www.escapistmagazine.com/news/view/118988-Blizzards-Network-Hacked
Yep. And once you have access to the database, why pick on that one guy whose screenshot you decoded? Why not just steal from two thousand random accounts?

Unless this is part of an evil scheme to allow evil hackers to target just players who put together horrible-looking armour sets...
 

MetalMagpie

New member
Jun 13, 2011
evilneko said:
Denamic said:
The account ID is anonymous.
It's not the account name you use to log in.
It's utterly useless to hackers, as it cannot actually be used for anything unless you already have access to the account database.
It is useful to someone looking to figure out whose alt a particular character is, which could be useful in phishing.
I could also work that out by noticing that the same person posted both those screenshots on Flickr.

The image itself probably contains far more useful information for phishing (such as what cool items you may have picked up recently and what areas you've been active in) than the data hidden in it.
 

LordLundar

New member
Apr 6, 2004
Sleekit said:
Denamic said:
The account ID is anonymous.
It's not the account name you use to log in.
It's utterly useless to hackers, as it cannot actually be used for anything unless you already have access to the account database.
What, like this you mean?

http://www.escapistmagazine.com/news/view/118988-Blizzards-Network-Hacked
From the article:

What have been accessed, however, are the email addresses, personal security question answers, mobile authenticator information and cryptographically scrambled Battle.net passwords belonging to players who use North American servers.
Note that "internal account ID database" is not mentioned in any way, shape, or form.

Your tinfoil hat is wearing out.
 

Tiger Sora

New member
Aug 23, 2008
Either, thank goodness I don't play WoW anymore, not that it would matter anyways I never posted screen shots of myself...... and I was going to say or meh, but instead it's and meh included.

I'm disappointed... I'm going elsewhere now.