Mods and Security
Our guild has had 2 different accounts hacked recently, and it has led me to start getting paranoid. (One of my friends had his account hacked despite strong software [AVG], no sharing of pws or information with anyone else, and no use of the game on computers not his own).
My question boils down to this.
Are there security issues with mods? I have been assuming the most common mods such as Recount, Omen, Pitbull, Xperl, etc are safe.
But people are constantly developing new and interesting mods. I just want to know
1) do they as a rule pose a security risk
2) are there ways to minimize that risk when trying out mods?
Download your addons from trusted websites. wowace, wowinterface and curse.
There are no security problems with mods, you can't get a trojan without running some executable, within the addon, and if you downloaded it from a known source, the chances of having a harmful executable are about 0.01%
AVG is possibly one of the worst antivirus products out there, I recommend ESET's NOD32.
To conclude: The chances are your friends somehow got a virus/trojan during daily computer use, and had nothing to do with downloading mods, that, or they shared their password with other users. You might trust other people, NEVER trust their PCs.
If you use the same password for your WoW account as you use for other accounts, you may end up hacked. I highly recommend having your wow password different than your forum password different than your bank password. 3 different passwords may seem complicated but usually just adding extra characters for added security will be sufficient:
forum password: wowlife
WoW password: wow4lif2e
Bank password: wow4li20f2e
Make sure to do something trickier than just combining 2 short words with a number in the middle of the words as most password crackers will break that quickly.
The most likely cause in recent months of password hacking though is the Adobe Flash vulnerability. If they aren't running the latest version, they probably got hacked that way.
1) Mods are just text files (and the occasional image/sound file). They're not system-executable code. Hence, they can't be "run" by anything except WoW's lua engine. WoW's lua engine is restricted to only manipulating certain functions and values in-game, none of which have to do with the authentication process (and addons aren't loaded until well after you've logged into the server). Thus, addons themselves are perfectly safe - the worst thing they could do is make your UI break until you unload the addon, which is nothing permanent.
2) A typical mod installation generally involves downloading a zip'd folder with the addon's files in it. Zip files can contain malicious code, but unless it's a self-extracting zip file (.exe or other executable extension) there's no way for this code to be executed without you manually triggering it. So quite simply, don't trust any addon that says it requires you to manually run some file - the ONLY thing you should have to do to install an addon is copy/extract the files out of the zip archive into your WoW\Interface\Addons folder. Everything else should be done inside of WoW.
3) Don't use the same login for addon websites and WoW. If you do so, you're essentially making your security for all of them equal to the weakest link among them, which probably isn't the WoW auth servers.
I would imagine that most of the hacks from mods come from downloading it via IE and getting a trojan that way, or logging onto the WoW Forums/Account Admin on a compromised computer.
As said above, the mods are all text files which are interpreted by WoW using the Lua language in a sandbox.
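The zip-archive advice above (an addon should contain only files WoW itself loads, never something you have to run), as an added example that is not part of the original thread: a Python check that lists suspicious entries in a downloaded addon archive without extracting anything. The extension allowlist, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed allowlist of file types a WoW addon normally ships (not from the thread).
ADDON_EXTENSIONS = {".lua", ".toc", ".xml", ".tga", ".blp", ".ttf",
                    ".mp3", ".ogg", ".wav", ".txt", ".md"}
# Leading bytes of common native executables: Windows PE ("MZ") and ELF.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def audit_addon_zip(source):
    """Return (entry_name, reason) findings; `source` is a path or file object."""
    findings = []
    with zipfile.ZipFile(source) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename.replace("\\", "/"))
            # Entries that would land outside Interface\Addons when extracted.
            if path.is_absolute() or ".." in path.parts:
                findings.append((info.filename, "path escapes the addon folder"))
            suffix = path.suffix.lower()
            if suffix not in ADDON_EXTENSIONS:
                findings.append((info.filename, f"unexpected file type {suffix or '(none)'}"))
            # A renamed executable still starts with its format's magic bytes.
            with archive.open(info) as handle:
                head = handle.read(4)
            if head.startswith(EXECUTABLE_MAGIC):
                findings.append((info.filename, "content is a native executable"))
    return findings


def build_sample_zip():
    """Constructed sample archive: two normal addon files and two suspicious ones."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("MyAddon/MyAddon.toc", "## Interface: 30000\nCore.lua\n")
        archive.writestr("MyAddon/Core.lua", "print('hello')\n")
        archive.writestr("MyAddon/install.exe", b"MZ\x90\x00constructed stub")
        archive.writestr("MyAddon/Media.lua", b"MZ\x90\x00constructed stub")
    buffer.seek(0)
    return buffer


if __name__ == "__main__":
    for entry, reason in audit_addon_zip(build_sample_zip()):
        print(f"{entry}: {reason}")
```

An empty result means every entry has an expected addon file type, stays inside the addon folder, and does not begin with an executable header; it says nothing about what the Lua code does in-game.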