WoW Screenshots Allegedly Include Acct Names, IP Info

By Nathan Grayson on September 12th, 2012 at 8:00 am.

And that tiny mechanized chicken is to blame for all of it.
Well, this is more than a little upsetting. A picture, our forefathers (or someone’s forefathers, anyway) said, is worth a thousand words, but I’m willing to bet they’d have upped that wager a little if their pictures contained bits of decryptable info that revealed very sensitive personal information. Reports coming out of the world of World of Warcraft, however, suggest just that, and – given that hackers tend to flock to Blizzard products like ravens to places that will soon be dooooooooomed – it’s a bit worrisome, to say the least.

After suspecting that something was up, users on the OwnedCore forums did some digging and discovered watermarks within official (read: not taken by third-party programs, à la FRAPS) screenshots that, when decrypted, reveal three key pieces of information: 1) your account name, 2) a timestamp of when the screenshot was taken, and 3) the IP address of your current realm. (Note: that’s not your IP address.) Many users – among them, PC Gamer – then went on to verify that this is, in fact, true. Apparently, this practice dates all the way back to sometime between 2008 and 2010.

That information alone, thankfully, isn’t enough to compromise your account. It could, however, certainly aid in the process. The OwnedCore thread provides an example:

“The contained information can be easily recovered and decrypted by hackers, which compromises the privacy and security of our accounts! For example, someone could use this to identify which account holds which characters and perhaps stalk and annoy its user, or help perpetrators choose their phishing victims with a more targeted approach… It can be used by hackers to link alt characters to accounts and target specific spam or scam attacks, and it can be used by Blizzard to track down private WoW servers.”

That last part, users speculate, is why Blizzard implemented the sneaky tech in the first place. Private servers, after all, have a way of going kerboomsplat when all their secrets are shouted from immaculately rendered images of mountaintops.

The forum post, meanwhile, also raises another rather pressing issue: this certainly doesn’t match well with Blizzard’s own terms of service. Admittedly, the company is allowed to cherry pick bushels of information from our machines while WoW’s running, but only under the provision that said information is “communicated back to Blizzard.” These screenshots, on the other hand, theoretically communicate information to everyone. That said, the watermark info (account name, timestamp, server IP) could be construed as under Blizzard’s jurisdiction to begin with, meaning that it could easily wave away that rule in this scenario.

I’ve contacted Blizzard for comment, but in the meantime, there’s at least a way to ensure your screenshots stop morphing into giant, neon-lit “SCAM ME” signs. High-quality screens, for whatever reason, don’t carry the watermark, so simply type the following: /console SET screenshotQuality "10"

69 Comments »

  1. Swabbleflange says:

    A whole lotta nothing.

    • alundra says:

      Actually, there’s a lot more to it, from the ownedcore link:

      The secret watermark which is being intentionally embedded inside WoW generated screenshots below top quality, DOES NOT CONTAIN the account password, the IP address of the user or any personal information like name/surname etc. It does contain the account ID, a timestamp and the IP address of the current realm. It can be used by hackers to link alt. characters to accounts and target specific spam or scam attacks, and it can be used by Blizzard to track down private WoW servers.

      Based on Blizzard’s ToS (http://us.blizzard.com/en-us/company/legal/wow_tou.html), Blizzard is allowed to communicate information about our hard drive, CPU, operating systems, IP addresses, running tasks, account name and current time and date. It never mentions anything though about embedding some of these data into every screenshot we capture using the WoW printscreen tool. The users assume that Blizzard will use a safe channel via battle.net, not our public screenshots that we share with the world, unaware of their secret contents. This unencrypted watermarking mechanism fails to protect our privacy, not from Activision employees (they already know everything about our computer systems), but from malicious hackers looking for something or someone to take advantage of.

      The contained information can be easily recovered and decrypted by hackers (if we did it, so can they). For example, someone could use this to identify which account holds which characters and perhaps stalk and annoy its user, or help perpetrators choose their phishing victims with a more targeted approach. They could unleash Web spider bots scanning for WoW screenshots, decode their hidden watermark data and quickly create a comprehensive database of which account has which alts in it, that they can then sell to anyone interested (information is power). Perhaps someone is already using this since the watermark has been around for at least two to four years already.

      Yeah, the blizzy lovers down there are right, how can this news be important if blizzard is already given the right to communicate information about our hard drive, CPU, operating systems, IP addresses, running tasks

      The things people do just to play a game…

      PS
      Huge Thanks to RPS for keeping this kind of shady corporate practices under the spotlight.

      • Alceste007 says:

        I agree this practice is BS. This article is important in bringing scummy business practices to light. Customers should be informed before the practice is put into play.

      • Azradesh says:

        “communicate information about our hard drive, CPU, operating systems, IP addresses, running tasks”

        1. This isn’t new, at all.
        2. Most online games and game systems have ToS that say the same or very similar. Including Valve.

      • Fr0stbeard says:

        Here’s the thing though… Blizzard isn’t actually communicating anything in these cases. They do not control what the users do with their screenshots, and it’s those users who upload the screenshots that are making the information publicly available. They don’t need to have any kind of privacy policy surrounding the watermark because they’re not storing or transmitting anything at all.

      • alundra says:

        So, EA does it and we all are ready to slash their throats, but these crooks do it and they get a free pass?? Talking about hypocrisy….

        After reading some of the replies, I can’t help but think:

        Thank You twice RPS for keeping these crooks’ shady business practices under the spotlight.

      • ScubaMonster says:

        Take screenshots with Fraps, you’re done. It would only be encoded by using printscreen with the WoW client.

  2. mondomau says:

    I don’t normally get into this sort of thing, but – please stop putting up inane non-articles like this, RPS. It’s starting to smack of Kotakuesque click-whoring and it’s upsetting.

    EDIT: I might be being a little dramatic, because I haven’t had any coffee, but I still don’t think such a relatively minor discussion piece (which is what this is, not news) should be presented in such a sensationalist fashion.

    • FataMorganaPseudonym says:

      Let me know whoever it is that is holding a gun to your head and forcing you to read articles like this. I will go and punch that person and make them stop.

      • LionsPhil says:

        I dunno, maybe it’s the sensationalist lead-in, where the “actually this is fucking nothing” is only in the body of the article?

        Or, heck, maybe some of us would rather just keep the quality of the limited set of articles which can fit on the front-page up. Every idiotic puff piece like this displaces something more interesting.

        • crinkles esq. says:

          Not sure what you mean by it being “nothing”. The title of the article says exactly what happened. If you read the linked content, you will find this has been extremely well-researched. There is no “alleged” about it; Blizzard is factually watermarking every image with your account number. It’s creepy, and if the gaming community rolls over on this, we will probably see other multiplayer-focused studios implementing this kind of user tracking.

          • Sheng-ji says:

            And as someone who has been stalked across multiple servers by a seriously creepy weirdo, who scarily enough I considered a friend in real life, until I found out he was the person responsible for driving me out of WOW, I’m fairly certain this method was used in his tracking of me. This is not non news for me.

            I don’t condemn Blizzard for this, I just wish I had known.

          • Llewyn says:

            @Sheng-ji: It’s highly unlikely that it was anything to do with this method. It seems Blizzard have been doing this since late 2008 and this is the first public report of it. Also, assuming that he’d independently identified and worked out how to decipher these watermarks, he’d have needed to see a screenshot from every single character he wanted to stalk.

          • Klatu says:

            Sheng-ji, it is much more likely that the stalker used one of the many on-line tools which have been available for years to trace transferred/renamed characters such as – http://www.wowprogress.com/detective. Or maybe they just asked an old guild mate.

          • Sheng-ji says:

            Thanks guys, he most likely didn’t use that method then. Still good to know that this information is published along with your screenshots though, just in case.

      • mondomau says:

        Sarcasm! The weapon of the witless. But you’re right, no one forced me to read it and there are masses of insightful, genuinely interesting posts on RPS – I just don’t see how this piece is in any way news and these kind of articles have an unpleasant habit of multiplying once they gain traction. So I gave my opinion, via the ‘opinion away’ button.

        • jrodman says:

          It’s interesting news, but the more interesting thing that could come from it is a discussion about where the boundary is in this kind of behavior. I won’t say subterfuge but it wasn’t exactly forthcoming.

          The most interesting thing from my mind is why they tried to hide it? Was this really added to bust private servers? It would seem pretty innocuous if they had let people know and made it clear that this makes it much easier to troubleshoot server problems and identify game flaws.

          But your comment was a nice addition to try to help derail legitimate discussion.

          • mondomau says:

            I haven’t derailed anything – the majority of the discussion on here at the moment is either about the inanity of this article or how the info is a meaningless internal account name, a fact that Grayson glosses over. You can keep saying it is interesting and that a practice stretching back from 2008 might be an account security risk, despite a total lack of evidence supporting that, but it doesn’t make the whole issue suddenly pertinent.

    • MiniMatt says:

      Personally I find it all rather interesting. Not necessarily from a “ooh here’s my thing to get angry on the internet about today” perspective but just interesting that it’s going on.

      Kind of makes me assume that the speed with which Battlefield 3 NDA breakers were getting bumped might have had something similar too.

      Plus, steganography is undeniably cool. Admittedly, I thought it cooler still when I thought it had something to do with dinosaurs, but still, it’s pretty damn cool.

      • Llewyn says:

        I also found it interesting for pretty much the same reasons.

        I’m a little disappointed that the article doesn’t make it as clear as it could that the account names are not actually the names of the accounts that we use to log in to WoW. Reading the ownedcore thread last night it’s clear that some WoW players struggle with this distinction, and I’m certain that it will be misleading a lot of non-WoW players.

        However it’s worth pointing out that at one point this would have been a minor security issue. Blizzard have been watermarking screenshots with WoW account names since before the use of Battle.net accounts became mandatory.

      • sybrid says:

        Steganography should be the art of hiding stegosauruses in messages because that’s more awesome.

        We’ll have to make do with its actual meaning.

        • Lord Custard Smingleigh says:

          No, it’s writing with stegosauruses. Or possibly drawing with them, I’ll give you that.

    • Metonymy says:

      Normally I dislike shitposting, even when it has an official sanction, but anything that reveals the harmful or disrespectful activity of a company is desirable.

    • zaphod42 says:

      Notice how RPS does you a huge favor and has quick blurbs about each article on the main page?

      If you read a blurb you aren’t interested in, JUST SKIP IT.

      Seriously, shut the fuck up. Some of us really like this website, and found this article interesting.

      Blizzard, one of the biggest gaming companies right now, violated its own TOS, up to 6 years ago? That’s some crazy conspiracy shit, and it’s confirmed news. This is the kind of thing RPS exactly SHOULD be covering.

      If it isn’t your cup of tea, you’re free to skip it. Seriously, dude, get the fuck over yourself.

      There’s tons of articles on things I don’t give a crap about, Do I go and post in the comments “This news story was boring, TLDR” NO, I GET THE FUCK ON WITH MY LIFE.

      • Llewyn says:

        2008 is not six years ago. Unless my afternoon nap overran significantly.

    • airmikee says:

      I missed the part of RPS’s ToS that says they can only post news that YOU find interesting.

    • mwoody says:

      Yeah, I agree. These articles are so… I guess whiny is the word. It just doesn’t seem in keeping with the rest of the site.

      “Negative,” that’s the better description. I don’t come here to hear about what new kinda-maybe-sort-of-if-you-squint-bad thing some big video game company has done; I want to read about games and gaming and game developers. I mean, I enjoy the occasional hack jobs on targets that really deserve it, like the flight sim one over the weekend, but this just feels petty and unbecoming.

  3. Senthir says:

    Nowadays, everyone’s WoW account name is their email address. A huge, huge portion of the time, this is the same email address they make publicly visible in their forum profiles on websites dedicated to WoW information, like mmo-champion.

    • jrodman says:

      Yeah, but it turns out the ‘account id’ for modern accounts is just the blizzard internal number, not the string you enter. So all someone sniffing would find out is a number they (probably) can’t use to try to log in.

      For old accounts it seems to be an actual string though.

      • LazyBoot says:

        But even on old accounts that string can’t be used to log in anymore…

  4. SkittleDiddler says:

    As much as I love seeing Blizzard get chewed up by the media, isn’t this a complete non-issue?

    • jrodman says:

      Not really. It doesn’t seem to be a serious security issue, but it’s a failure of trust worth discussing.

      • SkittleDiddler says:

        That was part of my point though — Blizzard pulls this crap all the time. This type of article is just filler.

        • jrodman says:

          Okay, from that perspective I guess I have to agree.

        • Hoaxfish says:

          But if I don’t have articles like this how can I add it to my book of grudges!

          If we dismissed things as “well, we already knew they were dicks” EA would only have a slightly blemished record rather than a mountain of crap.

          • The Random One says:

            Agreed. When you say crap like this is not news you’re essentially saying it’s normal and to be expected, so companies will feel okay doing similar dickery in the future.

  5. Slinkyboy says:

    Fuck Blizzard. Boycott everything.

  6. razgon says:

    What are these Acct names the title speaks about? Or did someone steal part of the word?

    • MiniMatt says:

      As jrodman notes above, it looks to be account IDs rather than account names, ie the internal string of numbers which represent an account in the Blizz database.

      edit: oops, you were referring to the title usage of “acct” rather than “account”? In that case, yep “acct” is just an abbreviation of “account”. I guess it was to ensure the title wasn’t too long. Or Nathan’s keyboard might be missing some letters.

  7. Zombiewomble says:

    You really should point out that this is Blizzard’s internal account name, not the e-mail address you use to log in. These have been different things since the battle.net merger – indeed, I think accounts newer than that just get a gibberish alphanumeric string for “account name”. The additional risk to account security from this is marginal to negligible, unless you’ve posted screenshots with your password in plaintext publicly and someone with access to a compromised list of battle.net and WoW account names starts trying to dig through them.

    (And not specifying until after clicking into the post that it’s not *your* IP address is a bit leading.)

    • Torgen says:

      I read about this yesterday, and it wasn’t until I read this RPS article that I found that the IP address was the shard IP address, not the player’s IP address. So yes, you whiners, this is news, and this RPS article is informative.

  8. AbyssUK says:

    I welcome the article, more news outlets should pull up companies being stupid with our data, non issue or not they have a duty of care to look after any information we share with them.

    *sigh* I wish more people cared about their own personal data security, then we wouldn’t have problems with governments happily eroding our online freedoms. Wake up sheep! the more little bits of data we deem a non issue the more will be taken away.

    • Simes says:

      So, internal account number, server IP address, server timestamp. In what way is any of this “information we share with them”?

      • Tuimic says:

        This. It’s an internal account number that means nothing outside of Blizzard. I don’t even know what my internal account number is, so it’s hardly personal.
        The rest is so obviously not personal information unless we’re counting times I played a game on someone’s server as personal information?

        • jrodman says:

          Well don’t be *too* certain. It could turn out that knowing your account ID is useful in another attack vector which isn’t currently publicly known. I’m not betting on it, myself, but I don’t think publishing this internal data to the world was really a good idea.

          Would I feel better if the data was public/private key encrypted so only blizzard could read it? Unsure.

          • Tuimic says:

            That’s the part I find really funny about all of this. Up until a few days ago nobody knew about this happening. Now people are flipping out that the information could be used in bad ways against players. So what do they do? They explain fully on how to extract the information so you can see for yourself and then manage to kick up such a fuss on Reddit that every game related news site and their sister sites all report on it.

          • mwoody says:

            Then THAT would be the article, not this.

        • Milky1985 says:

          The timestamp could be considered private information, as it’s giving out to the public (without your knowledge) as to what time you were playing the game.

          • Joof says:

            Yeah, absolutely outrageous. Imagine if your computer stamped every file created on your computer with a Date Created tag that gives the date and time the file was created. There would be outrage everywhere!

  9. TehTR says:

    The sensationalism of this news is simply a case of not RTFA’ing in the first place. This “feature” was implemented during the closed alpha of the WOTLK beta. Why? To track down people that broke NDA and posted screenshots. Since the only thing this thing lists is your account ID (not username), server IP, and the timestamp of the screenshot, it is ONLY usable to track a screenshot down to a user IF you have the details Blizzard has.

    • jalf says:

      Not quite true. It is also useful for determining if two screenshots come from the same user account (I don’t know what you’d use that for, but I’m sure someone can think of something).

      Not immediately useful, but a few odd bits and pieces of information are often all you need for some nasty social engineering.

      • trjp says:

        That ranks in triviality alongside the ‘exploit’ someone found with Dropbox whereby through checking upload speeds on files you could work out that someone on Dropbox had already uploaded the same file (because Dropbox is smart enough not to upload the same file twice).

        News Update: someone in the world has the same file as you – privacy is a thing of the past eh?

        I’m 99.9% sure this is down to tracking-down people who break NDAs and they forgot to disable it properly when the code went live…

  10. tyren says:

    There are some inaccuracies either in this story or in the version posted by WoW Insider and Kotaku – I’m not sure which, but oddly I’m inclined to believe the Kotaku article is the accurate one since its source (http://www.ownedcore.com/forums/world-of-warcraft/world-of-warcraft-general/375573-looking-inside-your-screenshots.html) goes into much more detail than the Slashdot post the PC Gamer article this post sources refers to.

    Having said that, this needs to be clarified: Account NUMBERS are included in the watermark, NOT ACCOUNT NAMES. These numbers are publicly accessible by anyone via the Armory and cannot be used to access your account.

    • Llewyn says:

      Those are WoW account names. The numeric ones are auto-generated when a new WoW account is created within a Battle.net account. For WoW accounts created prior to Battle.net integration and subsequently merged they remain the original names used for the accounts.

      What they are not is Battle.net account names, which are what is now needed to access accounts. However at the time that Blizzard started watermarking with this info the WoW account name was the one used to connect.

      • tyren says:

        The equivalent to account names that gets generated when you make a new account post-battle.net is “WOW1, WOW2,” etc, not a random string of numbers.

  11. razorramone says:

    “That information alone, thankfully, isn’t enough to compromise your account. It could, however, certainly aid in the process.”
    Erm no, no it couldn’t. As the very next paragraph points out, it can be used for jack shit.

    • airmikee says:

      ““The contained information can be easily recovered and decrypted by hackers, which compromises the privacy and security of our accounts! For example, someone could use this to identify which account holds which characters and perhaps stalk and annoy its user, or help perpetrators choose their phishing victims with a more targeted approach… It can be used by hackers to link alt characters to accounts and target specific spam or scam attacks, and it can be used by Blizzard to track down private WoW servers.””

      Yep, that paragraph definitely doesn’t detail anything.

  12. lucian says:

    It is very likely that the watermark is there in high-quality JPEG and PNG screenshots as well, but cannot be discovered just by sharpening the image. I would guess the only reason anyone found it in those JPEGs is because it created artefacts at lower quality.

    So the watermarks are probably in all screenshots, if any watermark exists at all.

  13. hjd_uk says:

    Meh, that data is easily available anyway.

    Plus: Steganography is Cool!

  14. Kaira- says:

    Right, correct me if I’m wrong but wasn’t it account ID instead of account name? Or is this somehow the same thing on Blizzard’s systems?

  15. Cameron says:

    Well this means that if you have posted one screenshot that can be attributed to you personally then every other screenshot that you have taken can also be as they contain the same information.

  16. Tei says:

    I could use some money. Maybe I can start building a database of accountID bnet username, and sell that database to somebody.

    Blizzard has proven to be a dick by doing that to normal screenshots. It’s sort of a gray area to do this to screenshots of closed betas with an NDA, but doing this to production and not telling people is just dirty.

  17. Ritashi says:

    All of the information contained in those watermarks is meaningless to an ordinary player. All of it. It is also meaningless to hackers. The only useful thing it provides is the server IP, which can be easily used to trace down private servers. It also helps mark when you break an NDA. Otherwise, the information contained in these screenshots is worthless. Absolutely, completely worthless. There is nothing these screenshots will allow you to do that you couldn’t do with a bit of ordinary detective work, save for being able to identify that two characters come from the same account (and only if you provide character names along with each screenshot), which is not information that can be used to in any way compromise your account.

  18. Srethron says:

    It seems reasonable to assume other Blizzard games (Diablo 3, Starcraft 2) do this as well. How much do you want to bet?

  19. Rhin says:

    Title Including “IP Info” about the server IP is highly misleading.

    NEWS UPDATE: RPS COMMENTS REVEAL YOUR USERNAME, AND IP INFO **

    (** IP info of RPS web server, not yours )