Confirmed Naming vulnerability exploit with game breaking potential

Finraziell-wyrmrest-accord · May 18, 2023, 12:49am

More of an unlikely exploit/vulnerability bug than anything, but does have game breaking potential.

The current name release policy of wow has changed from being released on character inactivity after 2 expansions to released on battle.net account activity after 2 expansions.

This means anyone can make a free wow account, use all 60 character slots of 1 wow account to take up names or variations and those wouldn’t unlock until minimum 4 years, potentially indefinitely.

However, even if they delete wow, as long as they use that battle.net account to play games even once within 2 wow expansions aka within those 4 years, like Hearthstone, or Heroes of the Storm (free games), or even play CoD, as long as they play from that battle.net account, that 4 years minimum on the names releasing becomes indefinitely.

Eventually, without changing the policy again to release names based on inactive characters or WoW account, or without adding last names, someone(s) could (with enough time on their hands) remove the ability for anyone to create any new characters (minimum 4 years or indefinitely) by depleting the entire remaining possible name and variant choices just taking names and words from dictionaries, 60 characters, 1 account after the other, 8 accounts per bnet account max, 480 names removed at a time, as many times as they wanted.

While not currently game breaking, and more on the “unlikely things to happen” spectrum, it does highlight the flaws in that the newest 2021 policy change regarding how the release of character names based on battle.net account activity instead of WoW or character activity is inadequate and needs revision.

EDIT
to reflect 60 characters max not 50 and clarification from This thread

Nobully-blackrock · May 18, 2023, 3:14am

i just looked at the updated policy, and it does seem pretty bizarre.

so bizarre, that i’m wondering if it’s actually correct, or if whoever updated the article has managed to confuse the term “battlenet account” with “license”.

(edit) just asked in CS forum for clarity.

Zahne-arthas · May 18, 2023, 3:24am

That’s a LOT of characters, accounts, and motivation needed to pull that off. The time alone to do it, even with botting, would be staggering because they would have to do it for every server.

Can it be done? Yes. Would there be someone out there with the willingness to do it? Yes.

Could they do it before the heat death of the universe? Probably not.

Pawgwalker-dalaran · May 18, 2023, 5:40am

Pretty sure the two expansion rule implies that you have at least one month of active game time applied to the account at some point during that time. So no, a trial account isn’t going to permalock names. Also, I imagine they will have other rules under the hood to combat this behaviour.

Nobully-blackrock · May 18, 2023, 8:53am

Just got some answers in CS.

The folks there are pretty clued in on policy, and it looks like a blue flagged the answer as being a “solution”.

It is indeed based on the entire battlenet account, and appears to have changed some time in 2021.

no.

it will.

Finraziell-wyrmrest-accord · May 18, 2023, 2:41pm

Thanks for confirming.
A strange exploitable decision to change it to battle.net account.
I tried googling it a bit but could only find turtle-wow, a private wow server where they say they release inactive names based on level and inactivity of the characters on theirs. It actually made a lot of sense.

For reference, these are the sensible rules of a private WoW server:

Hense, we’re introducing the following change — starting the next server update, and every week further ahead, we will free the names of the characters that meet one of the following criteria:

Below level 10 and haven’t logged in for 6 months.

Below level 20 and haven’t logged in for 12 months.

Below level 40 and haven’t logged in for 24 months.

The characters will not be deleted, and will receive their ID number instead of the name. If you ever want to come back to playing it after such a long break, you’ll have to choose a new name on your next login.

Additionally:

The names from banned accounts will not be released, instead we automatically put them in the black list. Later on we’ll do a manual review of this roster to set free the names that are not inappropriate.

All names of characters from Gurubashi WoW and Hyjal Project merges that never logged in, regardless of their level, will be released.

also

They do not. Would require manual review as confirmed by a GM ticket I put in.

Nobully-blackrock · May 18, 2023, 3:24pm

i’m glad i don’t play on any pirate servers.

i don’t like the idea of losing a name after 6 months.

Finraziell-wyrmrest-accord · May 18, 2023, 3:25pm

Yeah, I imagine their turnover rate is players rarely ever come back so for them it would make sense.
Having it level bound is a good idea because if someone comes in plays for an hour and then never returns, well now that name will become freed up.

But it’s the idea that they go through and release inactive names anywhere from 6 months to 2 years rather than 4 years, all based on character activity, seems very proactive, and what the live game is lacking.

Pawgwalker-dalaran · May 18, 2023, 3:32pm

Can you link it?

Nobully-blackrock · May 18, 2023, 3:32pm

Pawgwalker-dalaran · May 18, 2023, 3:35pm

Yeah there’s no proof or confirmation from a blue or anything in that thread…

Nobully-blackrock · May 18, 2023, 3:39pm

it was a blue who marked the original answer as “solution”.

Pawgwalker-dalaran · May 18, 2023, 3:40pm

No, that’s just the automated system because a person or two flagged it as a solution (which it’s no longer flagged as one).

Nobully-blackrock · May 18, 2023, 3:42pm

how does a player do that?

every time my answers have been flagged as a solution, it’s been done by Vrak or Orlyia.

yeah it is

Pawgwalker-dalaran · May 18, 2023, 3:47pm

No, it is not…

https://imgur.com/a/4d0ZgPe

Nobully-blackrock · May 18, 2023, 3:49pm

then we’re seeing different things.

because i see this:

Pawgwalker-dalaran · May 18, 2023, 3:51pm

It’s not there…

https://imgur.com/a/L1rcuz5

Nobully-blackrock · May 18, 2023, 3:52pm

omg.

epic facepalm.

we’re seeing different things, because … i started the thread.

you’re right.
there is no blue confirmation…
i couldn’t figure out why it wasn’t marked as “resolved” from the main menu
regardless, posters there are pretty well familiar with policies.
if someone said something which was incorrect, someone would be along VERY quickly to correct them

Pawgwalker-dalaran · May 18, 2023, 3:54pm

Yeah you checked it as the solution and probably forgot. No biggie, but either way, I’m pretty sure Blizzard isn’t going to speak out about it because they don’t want people knowing the exact ins and outs of the system, to prevent trolls exploiting it. But if I had to guess, it’s probably along the lines of what I stated earlier.

Nobully-blackrock · May 18, 2023, 4:01pm

nah it’s asking me to mark it as the solution if it answers the question/solves the problem.
since the CS forum is moving very slowly, and vrak was quoted, he might take a look when he gets in.

blizzard wouldn’t have a problem speaking about it, it’s already in the support article… i just figured it was worth getting clarification, because some support articles have been misleading due to awkward wording.