Curse addons and safety precautions we take to ensure addons are virus free and 100% safe.

I've received several emails from users who are concerned about the safety of the addons and have inquiries regarding what Curse does to ensure the utmost level of security in addons that we host. I recently sat down with ckknight, Lead Developer of CurseForge and WowAce, to talk about the process we go through in securing addons before they become available for you to download.

Here's a look at the addon approval process here on Curse:

1. Addon Developers use CurseForge or WoWAce to upload zip files that eventually end up on Curse.com.

2. Each zip file is run through a MULTITUDE of virus and trojan scanners.

3. Executable files are forbidden except in very rare cases and we acquire and review the source code in these special cases.

4. Every zip file, after being automatically scanned, is reviewed by CurseForge/WoWAce staff.

5. The Curse Client has never, and will never, run any executable code in the files it retrieves.

As an added note on security, please NEVER download the Client from any other source than right here at: www.curse.com/client

If you're ever interested in becoming a moderator and helping us check the addons we receive, please get an IRC client, log on to irc.freenode.net, come to #curseforge and talk to ckknight.

Helpful links:

Curse Client Support (Windows)
Curse Client Support (Mac)

 

Thank you for taking the time to read this and supporting our effort to provide 100% safe addons to the gaming community!


[edited by: DoranM at 3:42 PM (GMT -6) on 5 Aug 2009]

Report this thread post
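A sketch of the kind of automated check that step 3 of the opening post describes (executable files forbidden in uploaded zips). It is an added illustration, not Curse's own code and not part of any post; the extension list, magic-byte table, function names and sample archive are assumptions constructed for the example.

```python
import io
import posixpath
import zipfile

# Assumed policy for illustration; the thread does not list Curse's actual rules.
FORBIDDEN_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                        ".msi", ".vbs", ".ps1", ".sh"}
EXECUTABLE_MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O executable",
    b"\xce\xfa\xed\xfe": "Mach-O executable",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary",
}

def find_forbidden_entries(zip_bytes):
    """Return (entry name, reason) for every entry a reviewer should look at."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = posixpath.splitext(name)[1].lower()
            if ext in FORBIDDEN_EXTENSIONS:
                findings.append((name, "forbidden extension " + ext))
                continue
            # A renamed binary keeps its header, so check content as well as name.
            with archive.open(info) as handle:
                head = handle.read(4)
            for magic, label in EXECUTABLE_MAGIC.items():
                if head.startswith(magic):
                    findings.append((name, label + " behind a harmless name"))
                    break
    return findings

def build_sample_upload():
    """Constructed sample: two ordinary addon files and two that must be flagged."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("ExampleAddon/ExampleAddon.toc", "## Title: Example\nCore.lua\n")
        archive.writestr("ExampleAddon/Core.lua", "print('hello')\n")
        archive.writestr("ExampleAddon/Updater.exe", b"MZ\x90\x00 constructed stub")
        archive.writestr("ExampleAddon/Textures/icon.tga", b"MZ\x90\x00 constructed stub")
    return buffer.getvalue()

if __name__ == "__main__":
    for name, reason in find_forbidden_entries(build_sample_upload()):
        print(name, "->", reason)
```

A check like this only narrows what the human review in step 4 has to look at; it does not inspect the Lua or XML that an addon actually runs inside the game.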

I happen to know that it is possible for an addon to be a security risk just by being loaded in WoW, allowing other people to maliciously control some aspects of your gameplay and have access to any ingame data on your account (whispers, guild chat, the variables of other mods, but not your password or user name). I won't go into detail on how this is done (it should be obvious why), but I was wondering if the moderators are aware of how this can be done, and what to look for in an addon.

Report this thread post

42kbnd has a valid point, where any executed xml could store username and password credentials. I was informed by one of my guild members that he had recently downloaded omen threat meter which he claimed compromised this data. So are the moderators scanning for such api calls?

Thanks

Report this thread post

I think you are talking about something different than I am. What I am referring to would allow someone else access to your account through the wow servers while you are logged in, but would NOT compromise your account info. However, while I don't really understand it, what you're talking about sounds like an issue too, and is therefore also something that should probably be scanned for.

Report this thread post

Hurray for a safe Curse Client!

Shiny
Curse.com Moderator

Report this thread post

I've had no problem from Curse supplied addons but I did follow a Googled link to "wow mods" once that got me a trojan for my troubles.

 

Now I only take my addons from here (subscriber) or Interface, or sometimes directly from authors, as with Auctioneer.

Sometimes the latest version is out there before it catches up here, that's all.

Also there's that spammer on the addons comments pages here regarding "automatic fishing bot".

Definitely DO NOT go to that URL.

You will be just asking for trouble.

Doesn't take a PC Security expert to figure that one out.  ;^)

Report this thread post

I personally did just get my account hacked this past Thursday. And have had a hell of a time getting WOW to get my items or any response back. It was only after I downloaded a couple of new addons that this happened. So it does happen.

Report this thread post

Just because you downloaded AddOns and got hacked doesn't mean it was the AddOn...

Report this thread post

I am not sure if it happened cause of AddOns from here or what. However, I have been hacked twice, both times after I downloaded some AddOns from this site and affiliate sites. I got a quick response the first time, which is different for sasyeyez's time, but this time my account not only got hacked, but got merged with a battle.net account. Still waiting for a response.... :(

Report this thread post

I have a question: can any of your addons cause a ban/suspension/other by the Blizz Team?
I never found any virus in your addons and I'm a happy user of curse :) however I'd like to know if they are legal.
I know Blizz doesn't allow any third party programs but I hope they are talking about hacking programs like pir*x or Dea**soft, not about curse.com addons, aren't they? :)
Thank you for any information and have a nice time. :)

Hunters fight, hunters cry, hunters dance and hunters die.

Report this thread post

@arviladelia Addons will pretty much never get you banned. There are very very few addons that are illegal, and these are pretty obvious and wouldn't be allowed on the site anyway. Examples of those would be things like bots (not really possible without an outside program running in addition anyway), and faction translators.

From a technical perspective it's pretty much impossible for addons to compromise your account. There are no hooks for addons in WoW where it's possible to get your username or password. As far as malicious addons, it'd be possible for me to go write an addon that'd mail your gold to someone else or the like but those addons would be extremely short lived, and really I've heard of so few malicious addons. They really just don't get made very often.

Report this thread post

That's exactly what I thought :) thank you very much

Hunters fight, hunters cry, hunters dance and hunters die.

Report this thread post

One of my friends (I will try and get him to post here with the e-mail from Blizz) was recently hacked 2x; after talking to Blizzard they told him he had a keylogger from an update of Questhelper. I have had no problems so far and have been using curse since day 1.

Report this thread post

  Quote:
Originally Posted by sconver

One of my friends (I will try and get him to post here with the e-mail from Blizz) was recently hacked 2x; after talking to Blizzard they told him he had a keylogger from an update of Questhelper. I have had no problems so far and have been using curse since day 1.

Your friend is looking for sympathy in the wrong place. He did not get hacked from QuestHelper, or any other addon. Addons are loaded after you are finished with the login screen. The login server and the game world/realm server are two different servers at Blizzard, and do not pass information. To be blunt, your friend lied to you in order to look better; well, now your friend looks stupid.

  Quote:
Originally Posted by Kaelten

@arviladelia Addons will pretty much never get you banned. There are very very few addons that are illegal, and these are pretty obvious and wouldn't be allowed on the site anyway. Examples of those would be things like bots (not really possible without an outside program running in addition anyway), and faction translators.

From a technical perspective it's pretty much impossible for addons to compromise your account. There are no hooks for addons in WoW where it's possible to get your username or password. As far as malicious addons, it'd be possible for me to go write an addon that'd mail your gold to someone else or the like but those addons would be extremely short lived, and really I've heard of so few malicious addons. They really just don't get made very often.

Project Lead for SmartRes and MrBigglesworthDeath. SmartRes2 coming soon!

 

Report this thread post

Be smart, get the authenticator from Blizzard. No more getting hacked ever.

http://www.blizzard.com/store/details.xml?id=1100000622

 

Report this thread post

Currently the API will only access data calls for users; you cannot control a character remotely unless it's macro'ed into the addon, i.e. /assist [focus] /cast Healing Wave [focus], as with multi boxers.

With guild tax, I access a character's data from their economy to get current and all time gold, which is public anyway if you do an Achievement Comparison with them. So some level of access is necessary for enhanced game play. If you do not wish for others to see your data, don't install addons, and if someone is standing next to you ingame "RUN" or they could inspect you and get your data. LOL.

But seriously, Curse is safe and I would say most if not all the addons here are safe for you and your data.

  Quote:
Originally Posted by arviladelia

I have a question: can any of your addons cause a ban/suspension/other by the Blizz Team?
I never found any virus in your addons and I'm a happy user of curse :) however I'd like to know if they are legal.
I know Blizz doesn't allow any third party programs but I hope they are talking about hacking programs like pir*x or Dea**soft, not about curse.com addons, aren't they? :)
Thank you for any information and have a nice time. :)

LOL @ TOS, a story for ya: I wrote an addon a number of years ago to host a guild lottery for gold and bank items. I have submitted this addon to Blizzard & Curse on about 30+ occasions, each time with the response of "Gambling in game aside from randomly rolling with in game mechanics is against TOS", and the addon gets rejected. BLAH. So as per TOS Curse is a stickler, which is probably best for all of us. I know that I would not like to install an addon and get banned for a day or a perma ban because of an addon that I downloaded from curse.

Curse is safe.

Report this thread post

The authenticator is a nice tool for security, but keep in mind if someone sets up a PHISHING site, i.e. a site that looks like a Blizzard or World of Warcraft or now Battle.net site, you may be inclined to log in to that site and then compromise your security.

Curse and Blizzard employees will never ask for your password, ingame or by email. And always take caution when visiting websites; if it asks for your login look for

  1. *.blizzard.com
  2. *.worldofwarcraft.com
  3. *.battle.net
  4. *.curse.com

etc. Keep your eyes peeled also; I recently received an email from blizztard.com which on a glance looked like an official Blizzard email asking me to log into my account @ the website link provided to confirm my account.

Report this thread post
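The domain check from the last post, written out as an added example that is not part of any post: a substring test next to a match on the parsed hostname. The function names and sample URLs are constructed for illustration; only the four domains and blizztard.com come from the thread.

```python
from urllib.parse import urlsplit

# The four domains listed in the post above.
TRUSTED_DOMAINS = ("blizzard.com", "worldofwarcraft.com", "battle.net", "curse.com")

def naive_check(url):
    """Weak form: passes any URL that merely contains a trusted name."""
    return any(domain in url.lower() for domain in TRUSTED_DOMAINS)

def is_trusted_login_url(url):
    """Hardened form: the parsed host must equal a trusted domain or be a subdomain of it."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:  # malformed URL
        return False
    if parts.scheme not in ("http", "https"):
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

# Constructed sample URLs (the .example hosts are placeholders).
SAMPLES = [
    "https://us.battle.net/login",
    "https://www.blizztard.com/login",
    "https://www.blizzard.com.account-check.example/login",
    "https://www.blizzard.com@login.example/",
    "https://notcurse.com/",
]

def compare(urls):
    """Return (url, naive result, hardened result) for each URL."""
    return [(u, naive_check(u), is_trusted_login_url(u)) for u in urls]

if __name__ == "__main__":
    for url, naive, strict in compare(SAMPLES):
        print(f"{url:55} naive={naive!s:5} strict={strict}")
```

The hardened check compares whole hostname labels, so a trusted name placed in a subdomain, in the userinfo part before `@`, or at the tail of a longer registered name no longer passes.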