PSA: WeakAuras scamming is a thing again

EDIT: Someone posted the link to my thread on the WoW reddit as well and it's made the front page. I didn't think to do this myself, or I would have - but it's good to know that this is being more widely known - there's even a sticky on reddit about this as well. I appreciate everyone's support, and hopefully this also helps get Blizzard's attention on this matter, if there is indeed something on Blizzard's end that needs to be done to stop this thing from happening at all, in any add-on.

EDIT2: The author of the add-on is now aware of this exploit, and I believe is trying to figure out how to fix this, but it's not as easy as it seems. I believe he has the scripts people are using, so hopefully he can find a solution. Let's continue to raise awareness until this is fixed, and I will let everyone know in this thread if I hear any more news.

EDIT3: I've received some corrections to parts of my post, which I have edited in. I am open to constructive feedback, and if you have something you think should be changed, please say so.

EDIT4: WeakAuras has just recently been updated, with the description that some trade functions have been blocked. However, this doesn't mean that another way around this can't be found, so please be aware of this, and still be careful who you're importing scripts from. Ornyx responded on this thread as I'm sure you can all see, and I imagine he will keep us updated on the status of what Blizzard is doing about this.

Well, the thread that was on front page last night isn't there now, so I want to get word out to as many people as possible. Scamming with WeakAuras is a scam once again, and if you don't know how it works, it's not as difficult as you might think.

WeakAuras is an add-on that allows users to write and save their own custom scripts when they create what is called an Aura - these scripts will execute the commands they're given (if the Blizzard API allows it to) when that Aura loads, or when it runs. The add-on also allows users to share their Auras with each other, by linking the Aura - like you would an item in-game, the code is condensed into this link, and when you click on it, you can import it. This add-on is widely used for raiding. Currently, what the Blizzard API allows is allowing malicious players to scam people - they will link you an Aura they've created in-game - you're not downloading anything from any external site. This Aura, if loaded by you - will force you to trade the scammer all of your gold if a trade is initiated, regardless of whether it is you or the scammer who initiates the trade. You won't see a trade screen. You won't get to click a button to confirm it. All you will hear is the sound of coins, and your gold will be gone.

While you are required to run the Aura yourself to begin with, it is very easy for the scammer to trick you into doing so, for what you may believe to be a good reason. As I don't use WeakAuras, I'm unsure if you have to choose to load it as well after importing it, but the author of WeakAuras has said on reddit, that some code will execute even if you choose not to run the script.

Don't trust an Aura from ANYONE that you do not trust explicitly - even if it's some guy in trade chat who just wants someone to help him with his WeakAuras - that's a very common way to scam people. I want to get word out to as many people as possible - tell your guildies - tell your friends - I don't want to see anybody get scammed by this - this is something that so many people don't even realise is possible - so the more awareness that exists for this, the better.
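
The caveat in EDIT4, that blocking some functions does not rule out another way around, comes down to denylist versus allowlist sandboxing of imported scripts. An added Lua example (not part of the original post and not WeakAuras' code; the `host` functions and the sample scripts are hypothetical stand-ins) showing that only the allowlist refuses a sensitive function nobody thought to block:

```lua
-- Added illustration. `host` stands in for the API an add-on exposes to imported
-- scripts; every name in it is hypothetical, not a real game function.
local host = {
  show_icon = function(name) return "icon:" .. name end,
  give_gold = function(to) return "gold handed to " .. to end,  -- sensitive
  mail_gold = function(to) return "gold mailed to " .. to end,  -- sensitive too
}

-- Compile untrusted source so that `env` is the only global table it can see.
local function load_in_env(src, env)
  if not setfenv then return load(src, "imported", "t", env) end  -- Lua 5.2+
  local fn, err = loadstring(src)                                 -- Lua 5.1
  if not fn then return nil, err end
  return setfenv(fn, env)
end

-- Denylist: everything in `host` stays reachable except the names listed.
local function denylist_env(blocked)
  return setmetatable({}, { __index = function(_, key)
    if blocked[key] then return function() error("blocked: " .. key, 0) end end
    return host[key]
  end })
end

-- Allowlist: only the names listed are copied in; anything else is nil.
local function allowlist_env(allowed)
  local env = {}
  for _, key in ipairs(allowed) do env[key] = host[key] end
  return env
end

-- Run one script in one environment and report whether it was allowed to act.
local function outcome(src, env)
  local fn, err = load_in_env(src, env)
  if not fn then return "refused: " .. tostring(err) end
  local ok, res = pcall(fn)
  return (ok and "ran: " or "refused: ") .. tostring(res)
end

-- Constructed stand-ins for imported scripts.
local samples = {
  { "display only",      [[return show_icon("proc")]] },
  { "blocked function",  [[return give_gold("stranger")]] },
  { "unlisted function", [[return mail_gold("stranger")]] },
}
local deny, allow = denylist_env({ give_gold = true }), allowlist_env({ "show_icon" })
for _, s in ipairs(samples) do
  print(s[1], "denylist -> " .. outcome(s[2], deny), "allowlist -> " .. outcome(s[2], allow))
end
```
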
Thanks. Didn't know that WeakAuras could automate trades...thought that it was just to add UI components.
01/17/2016 12:04 PM Posted by Localpanda
Thanks. Didn't know that WeakAuras could automate trades...thought that it was just to add UI components.


Scary stuff. I don't think it should be able to - I hope Blizzard changes the API in a way, so that no add-on ever has the power to do this. Add-ons might not be officially supported, but it is a big part of many players' games - and something they trust can't achieve things like this scam can.
01/17/2016 12:04 PM Posted by Localpanda
Thanks. Didn't know that WeakAuras could automate trades...thought that it was just to add UI components.
No, they can. A GM or raid leader from a trusted guild linking WeakAuras utilized for raid is probably ok, but don't import WAs from random people.

Though you can't import WeakAuras if the sender isn't on the same server. The chance of this happening is very slim if you don't go crazy taking them off shady websites. ^^
01/17/2016 12:02 PM Posted by Noobyrogue
Well, the thread that was on front page last night isn't there now, so I want to get word out to as many people as possible. Scamming with WeakAuras is a scam once again, and if you don't know how it works, it's not as difficult as you might think.

WeakAuras is an add-on that can execute certain game that the API allows them to, and is widely used for raiding. Currently, that code is actually allowing malicious players to scam people - they will link you a WeakAuras script in-game - you're not downloading anything from any external site. This script will force you to trade the scammer all of your gold if a trade is initiated, regardless of whether it is you or the scammer who initiates the trade. You won't see a trade screen. You won't get to click a button to confirm it. All you will hear is the sound of coins, and your gold will be gone.

Don't trust a WeakAuras script from ANYONE that you do not trust explicitly - even if it's some guy in trade chat who just wants someone to help him with his WeakAuras - that's a very common way to scam people. I want to get word out to as many people as possible - tell your guildies - tell your friends - I don't want to see anybody get scammed by this - this is something that so many people don't even realise is possible - so the more awareness that exists for this, the better.
I have a better idea: don't use addons. Only noobs can't do stuff without addons.
01/17/2016 12:14 PM Posted by Zèldâ
I have a better idea: don't use addons. Only noobs can't do stuff without addons.
Thank you for your insight
01/17/2016 12:18 PM Posted by Gabbie
01/17/2016 12:14 PM Posted by Zèldâ
I have a better idea: don't use addons. Only noobs can't do stuff without addons.
Thank you for your insight

Gabbie, what happened to your face?
01/17/2016 12:18 PM Posted by Gabbie
01/17/2016 12:14 PM Posted by Zèldâ
I have a better idea: don't use addons. Only noobs can't do stuff without addons.
Thank you for your insight


Yes, and from someone who isn't even as progressed as I am. Very insightful indeed.
01/17/2016 12:14 PM Posted by Zèldâ
I have a better idea: don't use addons. Only noobs can't do stuff without addons.


I would love it if the default WoW UI wasn't just awful in certain areas, but it is.
And people call me crazy for not trusting add-ons.
01/17/2016 12:20 PM Posted by Wolfar
01/17/2016 12:18 PM Posted by Gabbie
...Thank you for your insight


Yes, and from someone who isn't even as progressed as I am. Very insightful indeed.
Pft, ima filthy casual, what can I say. I'm surprised I have this many achievements.
01/17/2016 12:20 PM Posted by Phlynch
And people call me crazy for not trusting add-ons.


Just to be clear. The add-on itself is safe. It's the scripts people are creating for the add-on, that they then link to you in game like they would an item, that is the part where you get scammed. As long as you do not take a script from someone you do not trust, you will be 100% safe.
Make your own weak auras.

Problem solved.
01/17/2016 12:19 PM Posted by Exorrt
01/17/2016 12:18 PM Posted by Gabbie
...Thank you for your insight

Gabbie, what happened to your face?
That's rude :(
01/17/2016 12:20 PM Posted by Phlynch
And people call me crazy for not trusting add-ons.


Technically, the real issue is Blizzard's API allowing this to be possible.
01/17/2016 12:14 PM Posted by Zèldâ
I have a better idea: don't use addons. Only noobs can't do stuff without addons.


You can't do anything without Link saving your rear soooooooooooooooooooooooooooooooooooooooooo
01/17/2016 12:23 PM Posted by Gabbie
01/17/2016 12:19 PM Posted by Exorrt
...
Gabbie, what happened to your face?
That's rude :(

sorry I meant no offense to your ugly transmog
01/17/2016 12:22 PM Posted by Noobyrogue
Just to be clear. The add-on itself is safe. It's the scripts people are creating for the add-on, that they then link to you in game like they would an item, that is the part where you get scammed. As long as you do not take a script from someone you do not trust, you will be 100% safe.

And the fact that that's possible means the Add-on is not safe.

If I just use the default client, there is nothing anyone can do to get my money besides offering me a good and/or service.
Ugh, well I always thought using others' scripts was a bad idea because I had less control, and now this.

Went in here feeling irritated by the game, went out just plain disappointed.

When they add trinkets like Prophecy of Fear into the game, or Unerring Vision of Lei-Shen, types of items that have far too much benefit for absolute hell in terms of its playstyle, they essentially make WeakAuras, WeakAuras2, or whatever it may be called absolutely mandatory for these scenarios.

And now this.

Your heads up is very much appreciated, and I'll add this disclaimer to any new player I give advice to. Glad I've gotten comfortable using this addon and its previous over the course of maybe 3 years now, and I highly suggest anyone to consider making their own auras as well.
Thanks for the warning. I've never really used WeakAuras for anything more than to pop flashy pictures in my face whenever I get a damage boosting proc. Had no idea the addon could be used in this way.
