Using mods in World of Tanks is a security risk


World of Tanks is manually reviewing mods (modifications) they add to their Mod Hub. Before downloading they warn you about not taking any responsibility, but the Mod Hub itself – including the review process – creates the impression that their mods are safe.

Please note that Wargaming does not bear any responsibility regarding the use of modifications.


Mod developers are complaining that the review process is slow and because of that many mods are not up-to-date. This would not be a problem if there was not a design flaw in the mod interface. In the current architecture, just like in all the past versions, mods need to be placed in a directory that contains the version number of the current game release. This means that after every update (this does not apply to micropatches) all mods become nonfunctional, they must be updated, and uploaded to the Mod Hub for a new review.

Why mods pose a huge security risk?

Mods themselves consist of Python program code, images, and flashes. Python code is human readable and even Python Byte Code can be easily decompiled back to the source code. This makes checking mods easier and should provide tools for Wargaming Mod Hub reviewers to verify that there is no malicious code included in the Mod Hub. Unfortunately this works only in theory. Many mod makers appear to be obfuscating their Python Byte Code using PjOrion. The program breaks the byte code so that it cannot be decompiled and checked. This means that Wargaming Mod Hub have actually no real means to check the mods and make sure they are not malicious. There are several tools available for deobfuscating, for example Bytecode simplifier, but they do not work with the Byte Code that is embedded in the currently available mods.

I could, for example, write a mod that appears to be legitimate and useful, but hide into the mod malicious code that activates later so that Mod Hub reviewers will not see it at the time of the review. Or, I could trigger the malware of the mod remotely after the mod has been included in the Mod Hub because there are no restrictions (and cannot be) for what mods can do. Firewalls do not help because the game must have an internet and browser access in order to work, and mods are running with the same permissions. Antiviruses cannot deobfuscate code either to detect malware. Such malware could contain anything: a keylogger to steal passwords, encrypting user’s files for demanding ransom, installing a backdoor, etc.

How to fix this mess?

Wargaming should demand that the Byte Code in mods must not be obfuscated. This way malicious mod makers could be detected and rooted out. To fix the issue with updates, the mod architecture should be revamped. Mods should not be in a version specific directory and there should be a way to enable or disable them in case of problems. There could also be a warning telling that you have not updated your mods since the last game update, and an option to disable mods if the user is uncertain.

I quit using mods a few years ago thanks to the issue with updates. As long as mods are unsafe, I am going to trust only those mods that are not obfuscated or which I have created by myself.