It’s been discovered that World of Warcraft embeds personal data in any screenshot you take – but just how big a deal is this?
Yesterday, hobbyists discovered that WoW embeds personal data into most screenshots. Initially, there was some concern that the data could be directly used to hack an account – however, it has since been confirmed that the data is limited to an account identifier (not your BattleTag or email address), the IP of the realm you’re connecting to, and a timestamp.
Nonetheless, this is at best unexpected and at worst unsettling news, and there has been a lot of discussion of the implications:
- I’d heartily recommend reading the Hacker News discussion of the topic, including discussion of non-obvious potential exploits and the technical details
- Adam Holisky at WoW Insider claims that the information in these screenshots can absolutely not in any way harm you – “Again, though, there is no information in these watermarks that connect your screenshots to you, the person behind your keyboard, living on Dreary Lane. Only to connect your public display of cheating to your World of Warcraft account and/or private server.”
- Clockwork commented on the news minutes after it came out, calling it “somewhat alarming” – “I see why they did it; most likely it is meant as a protection of NDAs by allowing them to figure out who posted the picture (especially of unreleased content) so they can take proper action…but this opens up another can of worms.”
- Kaozz is very uncomfortable about both the tracking and the thinking behind its implementation – “It is pretty creepy to even think that a company would even want to ‘track’ customers through screenshots, or even to really dig up reasons why.”
- Miri argues that you’re already sharing far more information than you immediately realise – “There’s a lot of information already available thanks to search engines, standard ‘friendly’ commentary, and ourselves. Protect yourself by limiting what you say and share. You can help control the amount of information that the world can use against you.”
- Typhoon Andrew writes a balanced post looking at the practical details as well as his personal reaction – “The fact it contains an account ID and not an internal unknown reference ID linked to the account ID makes me think that this was developed assuming security through obscurity.”
- And Rades satirises the more extreme reactions to the news – “‘Maybe it’s time travel,’ he gasped, stopping abruptly in his frantic pacing. ‘Time travel! That has to be it! The Bronze Dragonflight! Maybe he’s a dragon!?’”
Personally, I’m not up in arms about this, but it’s a little concerning. There aren’t any trivially obvious direct account security risks, but the extent to which this information could be used for datamining is a little worrying.
More concerning yet is the possibility of forgery. I can’t imagine it’ll be very long before there’s a tool available on the blacknets to erase and replace this steganographic information, meaning that if Blizzard don’t rapidly change their approach, it’d be possible to “frame” other players for private server usage, RMT, or other anti-TOS offences.
What do you think? Storm in a teacup, or a genuine outrage?