WeakAuras can steal your gold (Updated)

Apparently there are some nasty people exploiting the incredibly powerful, useful and of course popular addon WeakAuras to steal gold from people.

I heard about the exploit first on Reddit where it unfortunately didn’t get a lot of attention with only 8 upvotes.

WeakAuras is a very powerful addon that can create icons, textures and bars to track cooldowns, boss abilities and much, much more. Part of that power is the ability to run custom Lua code within your auras. You can link the auras you created to other people who also use the addon, or export an aura as text and post it on forums and websites, where other people can in turn import it. Importing an aura therefore means running whatever code its author put into it.

Here’s a video by the fantastic YouTuber Touchymcfeel that explains what is going on in detail.

In Touchymcfeel’s example he uses only a few lines of code to:

  • calculate how much gold you have and subtract the 30 copper that are needed to send mail
  • insert a character name in the mail address field
  • insert a message in the mail subject
  • optionally insert a message into the mail body
  • attach all of your gold (minus the 30 copper) to the mail
  • send the mail

The aura will trigger automatically as soon as you open a mailbox.

To protect yourself, please only import WeakAuras from people you absolutely trust. Don’t click on any WeakAuras links from random people in trade chat or from people who randomly whisper you.

Scary stuff.


Apparently WeakAuras2 (a fork of the original WeakAuras) has been patched to make sending mail and putting gold into trades impossible via auras. This should make using WeakAuras safer. It’s very easy to upgrade from WA to WA2 – just follow the instructions on Curse. You should probably still be careful about where you get your auras from.

Thanks to @Wellwow for letting me know about the update.
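The update above says WeakAuras2 stops auras from sending mail or adding gold to trades. One way an addon can enforce that kind of restriction is sketched below as an added example; it is not WeakAuras2's own code, and the deny list, the `run_aura` helper and the stubbed API functions are assumptions made so it runs in a plain Lua interpreter.

```lua
-- Stubs for the game's money-moving API so this runs in a plain Lua interpreter.
local reached = {}
function GetMoney() return 1000000 end                       -- copper held
function SetSendMailMoney(copper) reached.money = copper end
function SendMail(to, subject, body) reached.mail = to end

-- Deny list (this example's assumption): money, mail and trade calls, plus
-- functions that could be used to step outside the restricted environment.
local blocked = {
  SendMail = true, SetSendMailMoney = true, SetTradeMoney = true,
  AcceptTrade = true, PickupPlayerMoney = true, RunScript = true,
  loadstring = true, load = true, getfenv = true, setfenv = true,
}

-- Every global the aura code reads is resolved through __index.
local env
env = setmetatable({}, {
  __index = function(_, name)
    if blocked[name] then error("aura code may not use " .. name, 2) end
    if name == "_G" then return env end   -- _G.SendMail is filtered as well
    return _G[name]
  end,
})

-- Compile custom code and bind it to env instead of the real globals.
local function run_aura(code)
  local chunk, err
  if setfenv then                         -- Lua 5.1, the version WoW embeds
    chunk, err = loadstring(code, "aura")
    if chunk then setfenv(chunk, env) end
  else                                    -- Lua 5.2 and later
    chunk, err = load(code, "aura", "t", env)
  end
  if not chunk then return false, err end
  return pcall(chunk)
end

-- Constructed snippets, not taken from any real aura.
local samples = {
  { "benign", "return math.floor(GetMoney() / 10000)" },
  { "direct", "SetSendMailMoney(1)" },
  { "via _G", "_G['SendMail']('name', 'subject', '')" },
}
for _, s in ipairs(samples) do
  print(s[1], run_aura(s[2]))
end
assert(next(reached) == nil, "a blocked call reached the real API")
```

The benign snippet runs normally, while the other two fail with an error before the stubbed mail functions are ever called. A deny list is only as strong as its coverage, so importing auras only from trusted sources remains the primary control.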


