Uninformed: Informative Information for the Uninformed

Vol 2» 2005.Sept


Client namespace spoofing

With the release of Warcraft III, a separate account namespace was provided for users of that product, as mentioned above. The server internally keeps track of a user's account name as "x#username", where x is a digit specifying an alternate namespace (the only currently known namespace designation is 'w', for Warcraft III). This is known because a message exposes the internal unique name for a user to protocol clients. While the character '#' has never been permitted in account names, a user who logs on to the same account more than once is assigned a unique name of the format 'accountname#serial', where 'serial' is a number that is incremented according to how many duplicate logons of the same account there are.

Due to a lack of parameter checking in the account creation process, it was at one time possible to create accounts, via a third-party client, that were one character long (none of the official game clients allow the user to do this). For some time, such accounts confused the server into thinking that a user was actually on a different (non-existent) namespace, so a user who logged on to a single-character account more than once became impossible to 'target' via any of the user management functions. For example, such a user could not be sent a private message, ignored, banned or kicked from a channel, or otherwise affected by any other commands that operate on a specific user. This was, of course, frequently abused to spam individuals, with the victims being unable to stop the spammer (or even ignore them!). This problem has been fixed in the current server version.
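The ambiguity described above can be modeled in a few lines. This is an added example, not code from the article or from the server: the function names, the serial numbering (second logon gets '#2') and the minimum name length are assumptions. It shows the ambiguous flat-string parse next to a structured form that avoids it.

```python
from dataclasses import dataclass
from typing import Optional

def flat_name(account: str, logon: int, namespace: Optional[str] = None) -> str:
    """Flatten a session into one string, using the two formats the text describes.
    Assumption: the first logon has no suffix and the second gets '#2'."""
    name = account if logon == 1 else f"{account}#{logon}"
    return f"{namespace}#{name}" if namespace else name

def naive_parse(unique: str) -> tuple:
    """Ambiguous parser: any single character before '#' is read as a namespace."""
    head, sep, tail = unique.partition("#")
    if sep and len(head) == 1:
        return (head, tail)          # (namespace, account)
    return (None, head)              # default namespace; serial suffix dropped

def naive_find(online: list, account: str, namespace: Optional[str] = None) -> list:
    """Resolve a command target (message, ignore, ban, kick) by re-parsing flat names."""
    return [u for u in online if naive_parse(u) == (namespace, account)]

@dataclass(frozen=True)
class Session:
    """Hardened form: namespace, account and serial are separate fields."""
    namespace: Optional[str]
    account: str
    serial: int

MIN_ACCOUNT_LEN = 2  # assumed server-side minimum; the article gives no figure

def valid_account_name(name: str) -> bool:
    """Enforce at account creation on the server, whatever the client allows."""
    return len(name) >= MIN_ACCOUNT_LEN and "#" not in name

def find(online: list, account: str, namespace: Optional[str] = None) -> list:
    """Target lookup on structured sessions: no string re-parsing, no ambiguity."""
    return [s for s in online if (s.namespace, s.account) == (namespace, account)]

if __name__ == "__main__":
    # Constructed sample: account "a" logged on twice, account "bob" logged on twice.
    flat = [flat_name("a", 1), flat_name("a", 2), flat_name("bob", 2)]
    print(flat, [naive_parse(u) for u in flat])
    print("naive targets for 'a':", naive_find(flat, "a"))
    sessions = [Session(None, "a", 1), Session(None, "a", 2), Session(None, "bob", 2)]
    print("structured targets for 'a':", find(sessions, "a"))
```

In the naive model the second logon of account "a" is read as account "2" in a namespace "a", so a command aimed at "a" never reaches it; the structured lookup returns both sessions.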