Activision Blizzard Secretly Watermarking World of Warcraft Users

Posted by timothy
from the information-theory dept.
New submitter kgkoutzis writes "A few days ago I noticed some weird artifacts covering the screenshots I captured using the WoW game client application. I sharpened the images and found a repeating pattern secretly embedded inside. I posted this information on the OwnedCore forum and after an amazing three-day cooperation marathon, we managed to prove that all our WoW screenshots, since at least 2008, contain a custom watermark. This watermark includes our user IDs, the time the screenshot was captured and the IP address of the server we were on at the time. It can be used to track down activities which are against Blizzard's Terms of Service, like hacking the game or running a private server. The users were never notified by the ToS that this watermarking was going on so, for four years now, we have all been publicly sharing our account and realm information for hackers to decode and exploit. You can find more information on how to access the watermark in the aforementioned forum post which is still quite active."

  • by Penurious Penguin (2687307) on Tuesday September 11, 2012 @09:20AM (#41299383) Homepage Journal
    HP (and others) used to, or maybe still do, use watermarking in printers to hide data revealing time, printer type, etc.
    ~ Meta data is watching
  • Re:Ouch (Score:3, Informative)

    by Anonymous Coward on Tuesday September 11, 2012 @09:24AM (#41299413)

    More than you think. It was a feature in Spore. It let you drag the image to the game and the game would pick up the animal in the image. It was an awesome feature.

  • by Anonymous Coward on Tuesday September 11, 2012 @09:26AM (#41299455)

    If you read the thread, other people have actually decoded those "compression artifacts", and even wrote a tool to do it so, no, those aren't just artifacts.

  • Substantiated Fact (Score:5, Informative)

    by L4t3r4lu5 (1216702) on Tuesday September 11, 2012 @09:30AM (#41299511)
    This post has a script to save the watermark only

    Next time, actually read the thread before posting.
  • by kgkoutzis (1018536) on Tuesday September 11, 2012 @09:30AM (#41299515) Homepage

    From reading the thread, the artifacts do not appear when JPEG quality is set to 10 (i.e. maximum) or if a non-lossy algorithm is used (like TIFF or PNG). If this was meant to be a watermark, the programmer who wrote the algorithm should be fired.

    These are most likely JPEG compression artefacts.

    They did this on purpose, in order to avoid having their watermark identified when viewing the images in really high quality. An Assembly expert wrote some code that allows you to add this watermark on purpose in the high quality images. We also decoded the content of the watermark and it indeed contains the account information, as mentioned. It is NOT artifacts. Please read the full forum post before posting dis-informative comments. Thank you.

  • by Anonymous Coward on Tuesday September 11, 2012 @09:37AM (#41299623)

    I'm not surprised the commenter above didn't read the posts following the first post of the source.

    What's important are these posts:

    1.) Disassembly from the Mac OS X client, which shows watermark functions triggered in the screenshot routine.

    2.) Using a memory modifier, the client is edited to only save the watermark (discarding the actual screenshot) even in JPEG 10 and Lossless formats. Completely disproves compression artefacts theory.

    3.) Further disassembly shows the following are included in the watermark: Account Name, Realm Info (Serialized, unknown content), Realm IP, Timestamp

    You really should read some of the posts in between as well, linking Digimarc to Blizzard Activision, patents filed by Digimarc describing precisely this watermarking technique (and possible predecessors), and how the payload (88 bytes) is repeated multiple times exactly to 5808 bytes in order to survive anticipated resizing and further compression.

    Whilst I'm sure they may have good intents (for support maybe? giving benefit of the doubt here), it's these kinds of tricks being pulled by digital companies whilst keeping consumers in the dark that really turns me off.
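
The repetition described in the comment above (an 88-byte payload filling exactly 5808 bytes), as an added example that is not code from the thread or from the game client: it shows why heavy damage to any single copy still leaves the payload recoverable. The payload contents, the independent bit-flip noise model and the majority-vote decoder are assumptions; the page does not describe the real encoding.

```python
import random

PAYLOAD_LEN = 88                        # payload size quoted in the thread
EMBEDDED_LEN = 5808                     # total embedded size quoted in the thread
COPIES = EMBEDDED_LEN // PAYLOAD_LEN    # 66 whole copies, no remainder

# Constructed sample; the real field order and encoding are not given on this page.
SAMPLE_PAYLOAD = b"EXAMPLEACCT|realm-blob|203.0.113.7|2012-09-11T09:20:00".ljust(PAYLOAD_LEN, b"\x00")

def embed(payload: bytes) -> bytes:
    """Repeat the payload back to back until it fills EMBEDDED_LEN bytes."""
    if len(payload) != PAYLOAD_LEN:
        raise ValueError("payload must be exactly %d bytes" % PAYLOAD_LEN)
    return payload * COPIES

def corrupt(stream: bytes, bit_error_rate: float, seed: int) -> bytes:
    """Flip each bit independently (assumed stand-in for resize/recompression damage)."""
    rng = random.Random(seed)
    out = bytearray(stream)
    for i in range(len(out)):
        for bit in range(8):
            if rng.random() < bit_error_rate:
                out[i] ^= 1 << bit
    return bytes(out)

def recover(stream: bytes) -> bytes:
    """Majority-vote each bit position across all copies (a tie decodes as 0)."""
    copies = [stream[i:i + PAYLOAD_LEN] for i in range(0, len(stream), PAYLOAD_LEN)]
    out = bytearray(PAYLOAD_LEN)
    for pos in range(PAYLOAD_LEN):
        for bit in range(8):
            ones = sum((c[pos] >> bit) & 1 for c in copies)
            if 2 * ones > len(copies):
                out[pos] |= 1 << bit
    return bytes(out)

def byte_errors(a: bytes, b: bytes) -> int:
    """Count byte positions where two equal-length buffers differ."""
    return sum(x != y for x, y in zip(a, b))

if __name__ == "__main__":
    noisy = corrupt(embed(SAMPLE_PAYLOAD), 0.15, seed=1)
    print("damaged bytes in first copy:", byte_errors(noisy[:PAYLOAD_LEN], SAMPLE_PAYLOAD))
    print("recovered intact:", recover(noisy) == SAMPLE_PAYLOAD)
```

With 66 copies, a bit decodes wrongly only if about half of its copies are flipped, so recompressing or resizing an image is not a reliable way to strip a mark built this way.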

  • Re:Why? (Score:5, Informative)

    by RogueyWon (735973) * on Tuesday September 11, 2012 @09:57AM (#41299963) Journal

    I'm assuming you're just being sarky, but the question sort-of merits a proper answer in case anybody is actually interested. There are a few reasons:

    1) Proof of a particular achievement. Guild websites etc frequently post screenshots of kills of new bosses (or of Arena victories if they're PvP focussed) to demonstrate the level they're playing at as an aid to recruitment. You see less of this these days, since the game added an actual achievement system, along the lines of that seen on Xbox Live or Steam.

    2) Guides and walkthroughs for particular parts of the game (generally boss fights). There's a trend these days towards using youtube videos as a substitute for more traditional text-and-pictures guides. Now, youtube videos can have their place in describing MMO encounters (though I hate, loathe and despise them as a substitute for walkthroughs for offline games), but text-and-pictures is still much more convenient for a quick-reference guide and people are still making them.

    3) Requests for technical help. Something along the lines of "hey, guys, I installed addon x, but it doesn't seem to be working properly - here's a screenshot".

    4) Random silliness - either "look, I managed to get my character somewhere that's supposed to be inaccessible" (which you see less of these days) or "look, we used 500 dead gnomes to spell out "bumpoo" in giant letters across the Barrens".

  • by Mortimer82 (746766) on Tuesday September 11, 2012 @10:13AM (#41300141)

    The thread indicates it may have appeared during WotLK alpha builds and only contains:
    - Account name that was used pre-BNET or otherwise a post-BNET numeric account name. (email address is NOT included)
    - IP address of the realm you are connected to, NOT the client IP. (However, this could be used to identify pirate servers).
    - The time the screenshot was taken

    I suspect it was most likely used to catch people leaking imagery of alpha builds which were not allowed to be made public. WotLK was the last WoW expansion Blizzard tried to keep secret for the alpha, but everyone was leaking it despite very clear NDAs having to be agreed to by all who participated. With their next expansion, they didn't bother with an NDA outside of a very small group of initial internal testers.

    I wouldn't call this any kind of breach of privacy as none of the information is personal. An account name can only be matched to a real name by Blizzard and only if you play on their servers.

    Of course privacy zealots will say otherwise, but each to their own.

  • Interesting, but... (Score:5, Informative)

    by ildon (413912) on Tuesday September 11, 2012 @11:20AM (#41301135)

    This is pretty interesting, but I think the OP is trying to spread FUD about what the implications of this data are. There is no personally identifying information contained in this watermark. It contains the server IP, server time, and account name. That's it. Now there's a lot of confusion about what "account name" means, so let me explain it for those who don't know.

    About the same time that this watermark apparently showed up (2008, the 3.0 patch associated with the WotLK expansion), Blizzard converted the WoW login system so that it was integrated with their new 2.0 login system. At this time, it became necessary to login to WoW using your account's email address instead of your traditional account name. That traditional account name is what's being encoded into the watermark, not your email address login. If you created an account after the 2.0 merger, then your "account name" is a unique string that isn't even displayed to its owner. Anywhere in the account management webpage or login screen that this string would appear, it instead displays "WoW1", "WoW2", etc. (if you have more than one account).
    So there's basically no way to associate this "account name" with your login information, real identity, etc. If you play on a private server, that account name is going to be based on the private server's login system, not Blizzard's login system.

    It's pretty obvious what the real purpose of these watermarks was: to identify users who violated the NDA of their closed betas and ban them from the beta, identify users attempting to sell their account, and possibly to identify the IP address of private servers to assist in attempting to shut them down.

    Further, the probability that this info could be used to help harvest accounts for gold selling or to phish for accounts seems ridiculous. It'd be highly inefficient to spend so much time on a single user when for far less effort you could just spam a million harvested email addresses.

  • Re:Other games? (Score:3, Informative)

    by Anonymous Coward on Tuesday September 11, 2012 @11:21AM (#41301163)

    It contains the account name (which cannot be used to login anyways since you have to use an ID to login now), and the IP of the server you're playing on (which is public anyways), and the timestamp. Not sure if I know what info you're talking about that "basically gave hackers all the info they needed to hack accounts."

  • Re:Bootstrap (Score:3, Informative)

    by TheRealGrogan (1660825) on Tuesday September 11, 2012 @01:21PM (#41303069)

    uses "round robin" style mirroring. You connect to that host, and it automatically directs you to an ftp server.

    That's how I do it, anyway:

    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> cd /pub/firefox/releases/15.0.1/win32/en-US
    250 Directory successfully changed.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    -rw-r--r-- 1 ftp ftp 17790056 Sep 05 18:41 Firefox Setup 15.0.1.exe
    -rw-r--r-- 1 ftp ftp 189 Sep 05 18:41 Firefox Setup 15.0.1.exe.asc
    226 Directory send OK.
    ftp> get "Firefox Setup 15.0.1.exe"
    local: Firefox Setup 15.0.1.exe remote: Firefox Setup 15.0.1.exe
    200 PORT command successful. Consider using PASV.
    150 Opening BINARY mode data connection for Firefox Setup 15.0.1.exe (17790056 bytes).
    226 Transfer complete.
    17790056 bytes received in 4.45 secs (3.9e+03 Kbytes/sec)
    ftp> bye
    221 Goodbye.

  • Re:Bootstrap (Score:2, Informative)

    by damien_kane (519267) on Tuesday September 11, 2012 @03:48PM (#41305259)

    FTP which on windows workstations is handled, by default, by IE and to get a ftp client like filezilla you will probably use a browser, - chicken vs egg

    [Start] => Run => cmd.exe

    A native CLI FTP app has been included in Windows since (iirc) Win95.
