Greg Hoglund took a closer look at the popular online roleplaying game World of Warcraft, analyzing the traffic that the game exchanges with Blizzard's servers over the Internet. According to Greg, a piece of software known as the "warden client" is executed every 15 seconds on every World of Warcraft client that is currently playing the game. Here is what Greg found out about it:
- The warden dumps all the DLLs using a ToolHelp API call. It reads information from every DLL loaded in the 'World of Warcraft' executable process space. No big deal.
- The warden then uses the GetWindowTextA function to read the window text in the titlebar of every window. These are windows that are not related to the WoW process, but any program running on your computer.
- The Warden program sniffs down the email addresses of people you are communicating with on MSN, the URLs of several websites that you have open at the time, and the names of all running programs, including those that were minimized or in the toolbar. These strings can easily contain social security numbers or credit card numbers, for example, if you have Microsoft Excel or Quickbooks open with personal finance information at the time. Once these strings are obtained, they are passed through a hashing function and compared against a list of 'banning hashes'.
- Next, warden opens every process running on your computer. When each program is opened, warden then calls ReadProcessMemory and reads a series of addresses - usually in the 0x0040xxxx or 0x0041xxxx range - this is the range where most executable programs on Windows will place their code. Warden reads about 10-20 bytes for each test, and again hashes this and compares against a list of banning hashes.
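To make the "banning hashes" mechanism described above concrete, here is a small simulation (added for this write-up, not Hoglund's code and not Warden's) that runs constructed window titles and constructed process-memory byte runs through a hash-and-compare step. The hash function is an assumption (the page says only that a hashing function is used; SHA-256 stands in for it), and the report keeps both the banlist matches and every raw string the scanner had to read, which is the privacy point: the plaintext is seen before it is hashed, whether or not it matches.

```python
import hashlib
from dataclasses import dataclass, field

def ban_hash(data: bytes) -> str:
    # Assumption: the real hash function is not described; SHA-256 stands in.
    return hashlib.sha256(data).hexdigest()

@dataclass
class FakeProcess:
    name: str
    code_bytes: bytes  # constructed stand-in for the 10-20 bytes read near 0x0040xxxx

@dataclass
class ScanReport:
    matches: list = field(default_factory=list)   # what the banlist flagged
    observed: list = field(default_factory=list)  # every raw value the scanner read

def warden_style_scan(window_titles, processes, banning_hashes) -> ScanReport:
    report = ScanReport()
    for title in window_titles:              # the GetWindowTextA step
        report.observed.append(title)        # plaintext is in hand before hashing
        if ban_hash(title.encode()) in banning_hashes:
            report.matches.append(("window", title))
    for proc in processes:                   # the ReadProcessMemory step
        report.observed.append(proc.code_bytes)
        if ban_hash(proc.code_bytes) in banning_hashes:
            report.matches.append(("process", proc.name))
    return report

# Constructed sample data: a placeholder cheat-tool title and a placeholder code stub.
CHEAT_TITLE = "ExampleBot v1 (constructed placeholder)"
CHEAT_STUB = b"\x55\x8b\xec\x83\xec\x10\xe8\x00\x00\x00\x00\x5d\xc3\x90\x90\x90"
BANNING_HASHES = {ban_hash(CHEAT_TITLE.encode()), ban_hash(CHEAT_STUB)}

SAMPLE_TITLES = [
    "Personal Finances 2005.xls - Microsoft Excel",
    "alice@example.com - Conversation (MSN Messenger)",
    CHEAT_TITLE,
]
SAMPLE_PROCESSES = [
    FakeProcess("excel.exe", b"\x55\x8b\xec\x6a\xff\x68\x00\x00\x00\x00\x64\xa1\x00\x00\x00\x00"),
    FakeProcess("bot.exe", CHEAT_STUB),
]

def run_demo() -> ScanReport:
    # Two banlist matches, but five raw values observed, including the Excel
    # title and the MSN contact address that never matched anything.
    return warden_style_scan(SAMPLE_TITLES, SAMPLE_PROCESSES, BANNING_HASHES)
```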
Greg's conclusion is that the warden client belongs in the category of spyware. The EFF (Electronic Frontier Foundation) calls it a massive invasion of privacy.
According to the EFF, Blizzard has come up with three responses:
- Warden doesn’t collect personal information, so what’s the problem?
The thing is, warden does at least scan personal information and process those findings. In other words, a privacy invasion takes place even though Blizzard claims that no data is saved.
- Everyone’s doing it. Blizzard points out that many companies use hack-scanning programs.
That's no excuse, is it?
- Read the EULA. Blizzard advises gamers of its intent to invade in its terms of service. “People should read contracts,” says Blizzard rep John Lagrave.
Well, I don't know a lot of gamers who actually read the EULA of a game, and Blizzard surely knows this.
Hoglund released a tool called The Governor that watches the activities of World of Warcraft and clearly reports which data is being read from other processes. You can download it at Greg Hoglund's site.
Update: The site appears to no longer be available.