GW2 API keys, Privacy, and You

Laoch de na Iolair Dearg
Lakshmi
  • GW2: Lakshmi.5941
Posted On: 09/24/2015 at 12:17 PM

I was going to make a blog post of this, but it turns out I don't have a blog.  Sorry for the length, but I wanted to put this out there.

 

What is the GW2 API?

I had a spare hour this week and decided to look into the Guild Wars 2 API. You may have already used this without realizing it: it's the service that powers WvWintel and similar WvW status apps.  

This summer ArenaNet extended the API to give out information about other parts of the game, and there's been an upsurge in new applications since. For the most part this is a very good thing. A lot of the information it exposes is general purpose: items, recipes, materials, dyes, WvW status, etc. This information is the same for everyone, so it doesn't require access to your account data.

 

Where the API key comes in

But the service can also share information about your account and characters. To access your data, an app needs your "API key". This is a passcode you request from the Guild Wars 2 account page.  

  • It's important to note that we're talking about in-game data only. Your email, login/password, credit card, and other outside-game details can NOT be accessed using the API.

The catch is the simplicity of the API key itself. It's a simple code which is essentially a free pass to your account's in-game data. As soon as you give the passcode to an application, you've released it 'into the wild'. Unlike when you grant Facebook access to a specific application, for example, this passcode can be used by other apps, other websites -- anywhere by anyone. It can be passed around, sold, even stolen from an application's database.

  • For the nerds among us: the GW2 API is a web service.  You call an endpoint using an HTTP GET or POST, and the data is returned as JSON.  To request account-specific data, the API key is passed in the ?access_token= param in the URL -- no auth!

 

What's the worst that can happen?  How likely is that?

First, this isn't a security issue. Handing out your API key won't make it easier for some bad guy to hack your account. But it is something of a 'gaming privacy' issue. Some examples of how your game data could be used:

  • Your total gold, or your stockpiles of materials could be published. For example, a "GSCH's Most Wealthy" list.
  • You could be pestered by random people trying to acquire something rare you happen to have in your bank.
  • Your current builds and gear for each character could be published, GearScore-style, without your consent.

Again, it's just in-game info. Some folks will care about keeping it private, others won't.

As for how likely it is that this will happen--it already is.  This week, GW2Efficiency.com published an interesting analysis of GW2 player wealth. They got the information using the API Keys of folks who registered to use their website. So far, they haven't shared any player-identified data publicly, and that's to their credit. But this proves they are storing the API keys, which leaves them open to an Ashley Madison style attack at the very least.

 

How can I protect myself?

The good news is that you can protect your GW2 API privacy in three ways.

 

1. Don't give 'em your key.

If you care about your gaming privacy, be wary of giving out your API Key in the first place. If the app or website doesn't need access to your data, don't give it an API key. For general game information find an app or website that doesn't require an API key.

 

2. Limit your risk from the keys you give.

To create an API key (or several), go to your account page, and choose the Applications tab: https://account.arena.net/applications/create

You can make multiple API Keys, and give them each a descriptive name and a unique set of permissions.  This is a good thing--it gives you some control over how much access you give each separate app.

  • Create a separate key for each app
  • Give it the minimum permissions required to use the application
  • Be sure to give it a name to remind you which app you created it for

 

3. Delete unused and compromised keys!

This is your superpower to recall that passcode from the wild.  (Once deleted, a key can't be used to access your game data.)

If you no longer use an app, delete the custom key you made for it.  If you suspect a key has been compromised, delete it and make a new one to replace it.

 

Don't worry about running out of keys

As you can see from the pictures, these keys are really long! So long, in fact, that ArenaNet will have to generate a few trillion of 'em before they run out of unique ones. So reroll them as often as you'd like--I have (the ones in the pictures are already gone)!

 

I hope you find this helpful.

~Shmi

Last Edited on: 09/25/2015 at 08:39 AM
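
Added example, not part of Lakshmi's post and not ArenaNet's code: a small audit of your own key list against the three rules in step 2 (one key per app, minimum permissions, a name that says which app), plus a helper that masks the `?access_token=` value before a request URL ends up in a log or a forum paste. The app names, the `APP_NEEDS` map and the key inventory are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical: the permissions each app really needs (not from the post).
APP_NEEDS = {
    "pvp-tracker": {"account", "pvp"},
    "bank-viewer": {"account", "inventories"},
}

# Constructed inventory: the name and permission boxes ticked for each key.
KEYS = [
    {"name": "pvp-tracker", "permissions": ["account", "pvp"]},
    {"name": "bank-viewer",
     "permissions": ["account", "inventories", "wallet", "tradingpost"]},
    {"name": "", "permissions": ["account", "characters"]},
    {"name": "old-map-app", "permissions": ["account"]},
]


def audit_keys(keys, app_needs):
    """Return (key name, finding) pairs for keys that break the rules above."""
    findings, seen = [], set()
    for key in keys:
        name = key["name"].strip()
        if not name:
            findings.append(("<unnamed>", "no name: cannot tell which app holds it"))
            continue
        if name in seen:
            findings.append((name, "name reused: make one key per app"))
        seen.add(name)
        if name not in app_needs:
            findings.append((name, "no app on record: delete if unused"))
            continue
        extra = set(key["permissions"]) - app_needs[name]
        if extra:
            findings.append((name, "excess permissions: " + ", ".join(sorted(extra))))
    return findings


def redact_key(url):
    """Mask the access_token value before a request URL is logged or pasted."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "access_token" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))
```

Any key the audit flags is a candidate for step 3: delete it and, if the app is still in use, replace it with a narrower one.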

Response:

Taoiseach de na Arach Glas
Foghladha
  • GW2: Foghladha.2506
  • ESO: @Foley
Replied On: 09/24/2015 at 01:15 PM PDT

Can I include this in the mag Lakshmi?

"It's not the loot and accolades you walk away with, it's the memories and friendships that you cherish forever." - Foghladha

Laoch de na Iolair Dearg
Lakshmi
  • GW2: Lakshmi.5941
Replied On: 09/24/2015 at 02:27 PM PDT

Sure thing Fog.   I may want to change the second image with the snarky reference to GW2Efficiency first though :P

EDIT: image updated!



» Edited on: 2015-09-24 14:33:27

Caomhnoir de na Aracos
PuaHone
  • GW2: monk seal.8079
Replied On: 09/24/2015 at 03:05 PM PDT

Thanks for the timely post.  I was going to use the GW2Efficiency site to track my pvp history, but I'll pass.

E lawe i ka manawa e hanu i na pua loke. Take the time to smell the roses.

Laoch de na Iolair Dearg
Lakshmi
  • GW2: Lakshmi.5941
Replied On: 09/24/2015 at 03:23 PM PDT

So Pua, your call.   I don't think GW2Efficiency is necessarily worse than any other app or website that stores your key in its database.  I would have preferred they told us that they intended to datamine our personal account info at registration time, but it's probably just some solo developer.  I doubt he's given much thought to privacy before.

I made an API key with only Account and PVP checked, and tested it on GW2Efficiency.  I got errors in most places but the PVP report worked fine.  So that's an option -- limit the access to the parts you feel comfortable with them datamining.



» Edited on: 2015-09-24 15:42:23

Ban Caomhnoir de na Ulchabhan Gorm
Thoi
  • GW2: Sess.2785
Replied On: 09/28/2015 at 06:21 AM PDT

Really interesting article.  I've been looking for different account sites that use your api key and wondered if you had any suggestions?

What is best in life?

Laoch de na Iolair Dearg
Lakshmi
  • GW2: Lakshmi.5941
Replied On: 09/29/2015 at 03:34 AM PDT

Thoi, I haven't had time to evaluate the available apps yet.  Hopefully I'll get a chance in a couple weeks when my schedule eases up.

Ban Caomhnoir de na Ulchabhan Gorm
Thoi
  • GW2: Sess.2785
Replied On: 09/29/2015 at 06:35 AM PDT

No rush.  Thank you so much for putting this together.

What is best in life?