Using mods in World of Tanks is a security risk


World of Tanks is manually reviewing mods (modifications) they add to their Mod Hub. Before downloading they warn you about not taking any responsibility, but the Mod Hub itself – including the review process – creates the impression that their mods are safe.

Please note that Wargaming does not bear any responsibility regarding the use of modifications.


Mod developers are complaining that the review process is slow and because of that many mods are not up-to-date. This would not be a problem if there was not a design flaw in the mod interface. In the current architecture, just like in all the past versions, mods need to be placed in a directory that contains the version number of the current game release. This means that after every update (this does not apply to micropatches) all mods become nonfunctional, they must be updated, and uploaded to the Mod Hub for a new review.

Why mods pose a huge security risk?

Mods themselves consist of Python program code, images, and flashes. Python code is human readable and even Python Byte Code can be easily decompiled back to the source code. This makes checking mods easier and should provide tools for Wargaming Mod Hub reviewers to verify that there is no malicious code included in the Mod Hub. Unfortunately this works only in theory. Many mod makers appear to be obfuscating their Python Byte Code using PjOrion. The program breaks the byte code so that it cannot be decompiled and checked. This means that Wargaming Mod Hub have actually no real means to check the mods and make sure they are not malicious. There are several tools available for deobfuscating, for example Bytecode simplifier, but they do not work with the Byte Code that is embedded in the currently available mods.

I could, for example, write a mod that appears to be legitimate and useful, but hide into the mod malicious code that activates later so that Mod Hub reviewers will not see it at the time of the review. Or, I could trigger the malware of the mod remotely after the mod has been included in the Mod Hub because there are no restrictions (and cannot be) for what mods can do. Firewalls do not help because the game must have an internet and browser access in order to work, and mods are running with the same permissions. Antiviruses cannot deobfuscate code either to detect malware. Such malware could contain anything: a keylogger to steal passwords, encrypting user’s files for demanding ransom, installing a backdoor, etc.

How to fix this mess?

Wargaming should demand that the Byte Code in mods must not be obfuscated. This way malicious mod makers could be detected and rooted out. To fix the issue with updates, the mod architecture should be revamped. Mods should not be in a version specific directory and there should be a way to enable or disable them in case of problems. There could also be a warning telling that you have not updated your mods since the last game update, and an option to disable mods if the user is uncertain.

I quit using mods a few years ago thanks to the issue with updates. As long as mods are unsafe, I am going to trust only those mods that are not obfuscated or which I have created by myself.

0 thoughts on “Using mods in World of Tanks is a security risk

  1. indeed, you are correct
    this stuff happend around the update 1.0
    then it was known that some modmakers starting to use that kinda code
    so far my knowledge go they load small adds during returning to the garage (maybe even more then that)
    and yes they can remotely control that already to turn it on/off druing patch day\’s so modpacks/wg can never detect them. more mod makers have gone to the \”dark side\”
    i know a couple modmakers that use this method, those you cannot find in most modpacks
    modpacks themself kinda decided that those modmakers are banned.
    here is a link on how it should happen–samaja-strashnaja-ddos-igra

  2. All mods should be removed from the game including XVM. Then I can play better and win

  3. ***In the current architecture, just like in all the past versions, mods need to be placed in a directory that contains the version number of the current game release***

    That\’s why they release 10 patches a month. Just to break my mods with this ancient architecture….

  4. Pfffff, and this is why I pay for my AVS. Autoupdated, no need to screw around after every damn micro. Install once and relax.
    The question is why can one coder make a mod like AVS and keep it 100% working and the army of braindead monkeys in WG cant ?

  5. But Seb, we were in a same battle not long ago and you used xvm. Just confuses me when you say you don’t use mods…..

  6. Honestly, that article is one of the worst WG payed campaigns against forbidden mods. Who ever wrote it, has ZERO knowledge how the system works. It all looks like the black plague for the average Joe. But the whole article show nothing that can be called evidence.

    And you can read on koreanrandom how everyone is making fun of the whole story.
    Next WG BS please…

  7. What you missed was that there are some of us they have more than enough brains to sandbox games like this, thus any mean nasty never get to activate on your real machine.
    Sandboxing has been around since viruses started.
    I have been running several different version of sandboxing since the early 90\’s.
    I also run virtual machines. Try running a code on it…see how far ya get.

Leave a Reply