Well, there are some Plugins/CRs containing "auto update" functions. I'm just curious, closed source releases are prohibited, because they may log information or other stuff. Those "auto-updaters" could possibly download any file and execute it without the user being aware of it. So, I'm asking myself why those aren't prohibited. If my assumption is wrong, please explain it to me, thank you! Regards
You are right. Even a simple plugin can mail off your gold or send a guild invite; a PB profile can buy an auction you don't want, to transfer your gold to an attacker. Well, I didn't see it happening yet. But it's possible. Edit: well, sort of. You are talking about files that may harm your PC; well, I don't think that would be as easy as what I described, but don't forget anyone who's attacking buddyforum does it because of WoW accounts most of the time, and what they want is your gold. So I think you see my point.
Only reason you didn't see it happening is because you didn't look in the code. That's the whole point, you should be able to look in the code to make sure there is nothing malicious. I think randomstraw still makes a valid point, though.
That's not the thing. Everything released here is open source and anybody can check exactly what it does. If it has the ability to download additional files not hosted @ the forums, which those "auto updaters" have, for example see thebrodieman's profile (no offense, it's great!) which loads lots of stuff... which is not hosted here. Furthermore, the list of which files to download isn't hardcoded; those updaters will most likely check out any file in a certain folder and download it, even execute it.
The auto-update stuff should be downloading code files that have to be compiled by Honorbuddy (unless they're profiles, in which case, well, XML doesn't get compiled). These code files are still accessible to you in the Honorbuddy folders, and can be read/edited at your discretion. Furthermore, because Honorbuddy only compiles the code on load (the reason you have to restart HB when a plugin updates itself), you can be sure that new code won't be executed prior to you having the chance to read it.
I edited my previous post. When you autoupdate something, it doesn't have to contain anything that's prohibited on the forum - you can be cleaned of your gold with a new method added in a .cs file. Yes, you would know about it after you check the code. But I, and most users, don't check the source every single time we update something.
I never really thought about this... It doesn't even have to pertain to gold, it can be hardware effective too and we wouldn't even know about it. This is kinda scary after reading this.
Exactly. You might not even be aware it updated, and then there might be new malicious stuff that you don't know about.
If you suspect any plugins/CCs of misconduct, feel free to PM me a link or attachment and I'll check it out.
I am not accusing anyone, don't get this thread wrong! I just want to draw attention to it, as it's a possible security ... problem.
I understand that, but I get personal enjoyment analyzing binaries for malicious content, it passes time while at work.
Everything that my plugin downloads does go to somewhere in the HB folder. Updates to itself, new and updated QBs and profiles. I'm not saying you're accusing anyone, because I know where your question is founded from, and it is a very good question. I also know that a few devs see the auto-update as a very good feature when placed in the right hands. Someone like me (purely for example) coming up with it available to you would raise the "that's awesome" response after months of having my dailies stuff out. However someone with a 2 week old account and a grand total of 4 points releasing a plugin that they say does tons, but no background or rep to back it...that I definitely would not try without some research. Very valid point though. It's all about trust. If kick, cava, and I put one out no one would question it. But if "istealzurgold420" puts something up as his/her first post...well... (names are purely fictional and any similarity to an actual user is purely coincidental).
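The thread's two observations (updated files land in the HB folder and are only compiled on the next load, but users may not notice that an update happened) suggest a simple check, shown here as an added example that is not code from any poster or from Honorbuddy: hash every file under the plugin folder, keep the baseline outside that folder, and list what changed before restarting. The folder layout, file names and function names are assumptions made for the illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff(baseline, current):
    """Report files added, changed or removed since the reviewed baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "changed": sorted(k for k in set(baseline) & set(current)
                          if baseline[k] != current[k]),
        "removed": sorted(set(baseline) - set(current)),
    }

def check(root, baseline_file):
    """Compare root with the saved baseline; no baseline means all files are new."""
    baseline_file = Path(baseline_file)
    baseline = json.loads(baseline_file.read_text()) if baseline_file.exists() else {}
    return diff(baseline, snapshot(root))

def accept(root, baseline_file):
    """Record the current state as reviewed. Call only after reading the changes."""
    Path(baseline_file).write_text(json.dumps(snapshot(root), indent=2))

def demo():
    """Constructed plugin tree: accept a baseline, simulate a self-update, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp, "Plugins")               # assumed folder name
        plugin = plugins / "ExamplePlugin"           # hypothetical plugin
        plugin.mkdir(parents=True)
        (plugin / "Main.cs").write_text("class Main { }")
        baseline = Path(tmp, "baseline.json")        # kept outside the plugin tree
        accept(plugins, baseline)
        # Simulated auto-update: one file rewritten, one new file dropped in.
        (plugin / "Main.cs").write_text("class Main { void NewMethod() { } }")
        (plugin / "Extra.cs").write_text("class Extra { }")
        return check(plugins, baseline)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the check before restarting the bot, read every file listed under `added` and `changed`, and call `accept` only afterwards. Hashing all files rather than only `.cs` and `.xml` also surfaces anything else an updater dropped into the folder.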