I don't think there's an exploitable factor here, certainly nothing that any so-called hacker wouldn't already know how to do. I haven't noticed anything in particular that spies on you, though take that with a grain of salt since I haven't looked deeply through everything. It's more likely just more overreach of their EULA. Most big companies go too far with their EULAs.
Mods are still a more possible source of malware than CurseVoice.
Typically, processes don't have access to one another's memory; a process can invoke another, but communication across the two requires special code to facilitate such an interaction. Even monitoring memory is a serious violation of this compartmentalization, which is there specifically for security reasons. Lemme break down just one possible scenario:
- Attacker learns of Curse's ability to monitor the memory of external processes.
- Attacker finds the signature of the method call used to monitor memory and injects a special call to it somewhere else in an otherwise innocuous method.
- Because the memory monitoring code is already there, the attacker has a built-in window into the process memory of, say, World of Warcraft (I have no idea which game this thing actually monitors, just using it as an example). Using this window, he can monitor the goings-on of any WoW client being invoked/monitored by Curse.
- Attacker, using the same injection method as before, takes the results of the memory monitoring method (or something inside it) and streams it to a third-party location.
- Attacker now has access to anything that was, even temporarily, in memory for WoW.
Now, what could be in that memory?
God damned anything, for all we know. If the monitor can look at the stack used for function calls, it can easily, and without much, if any, extra effort on the attacker's part, turn Curse into an impromptu keylogger. Attacker then distributes this as part of an, again, innocuous-looking modpack for Minecraft. Said pack contains something that looks perfectly harmless, looks like a library mod like CoFHLib or something, but it actually downloads this modified DLL to wherever Curse is installed. Bam, backdoor is created simply and easily. Bonus points for making the mod and pack look legit and use a lot of big-name mods on Curse to attract attention. Even if it only takes a day or two for people to catch on, that's a day or two's worth of data that the attacker now has on an arbitrary number of people, which could include account passwords for WoW. Using a username/password reuse attack, said attacker can now probe various things linked to any account on which he has the info: email accounts, forum accounts, up to and including online banking accounts.
That is why this is a glaring vulnerability. It's not just because the memory monitoring itself is painfully dubious (it is, but that's beside the point), it's because it leaves a backdoor open to anyone with the know-how. Granted, they could do this kind of DLL injection attack with or without the monitoring code in place, but its presence makes it that much easier. It actually does some of the attacker's work for them.
That is why, to me, this is so bloody alarming.