Corp info hacking via CEO/Director alts - VERY DANGEROUS EXPLOIT!
 
This thread is older than 90 days and has been locked due to inactivity.


 

Kenny Camerman
Posted - 2011.08.28 22:10:00 - [1]
 

Edited by: Kenny Camerman on 28/08/2011 23:00:44
Edited by: Kenny Camerman on 28/08/2011 22:18:15
One of my corporation members sent the following mail to me moments ago. Effectively, he logged onto his CEO alt which belongs to an entirely different corporation, then logged onto his character in my Corp who is simply a normal member with no roles or titles.

This is what he sent me (where xxx is our corp name):



I have found a bug that allows any member of xxx w/o roles to see sensitive corp info on the map.

Plain and simple...when logging off from my CEO/marketing alt and on to my main, who is in xxx (this guy), I am able to see sensitive information on the map that I should not be able to see.

I do this by first logging on to my CEO alt, opening the star map, selecting 'My Information' and let's say..Deliveries.. or Impounded... or perhaps Property or even Corp Members in Space... (I have tried them all) then logging off of her and logging on to my xxx char and opening the star map.. and *presto* there I see whatever info I had selected in my CEO's map query.

I found this bug because every time I logged off my CEO alt w/o first closing my Deliveries hangar window, I would get a pop up telling me that I was 'not the role of Jr. Accountant / Trader' etc.. so I decided to experiment.

I'm usually not one to make light of such things but I thought you should know this as it poses a MAJOR security risk.

I have only spoken to (xxx director) about this tho I did not divulge any information I have gained thru examining this bug.

Info such as:

xxx deliveries:
system A
system B
system C

Offices:
system D
system E
system F
system G
system H

xxx PROPERTY
system J

as well as members in space at any time.
---------------------------------------------------
I'm assuming this bug applies in other corps as well

...this is all information that I should not have, nor should anyone not assigned the appropriate roles.
This bug should be addressed, but I leave it up to you, as I don't want to be
the one responsible for... fixing EvE.




Abdiel Kavash
Caldari
Paladin Order
Fidelas Constans
Posted - 2011.08.29 01:41:00 - [2]
 

Wait, so your main is in corp A, and your alt is a director in corp B. You look at the map with your alt, then relog, and which info do you see with your main? That of corp A or B? I think what you are describing is seeing only info of B - which doesn't matter that much, as you have access to that anyway (since it's your alt).

If you can see info of corp A, then this is indeed a problem.

Rina Asanari
Posted - 2011.08.29 07:44:00 - [3]
 

If the data is shared between several accounts on the same client it would be a major security risk, definitely. Maybe quitting the client completely after logging off or clearing the cached data may work around that issue.

If the data is just shared between characters on the same account, the bug would require at least one of the three characters on the account to have the appropriate roles, so the account holder in question doesn't get any information he isn't entitled to have in any way.




Kenny Camerman
Posted - 2011.08.29 09:04:00 - [4]
 

Originally by: Abdiel Kavash
If you can see info of corp A, then this is indeed a problem.


This is exactly the issue


Kenny Camerman
Posted - 2011.08.29 09:34:00 - [5]
 

Edited by: Kenny Camerman on 29/08/2011 10:12:24

Originally by: Rina Asanari
If the data is shared between several accounts on the same client it would be a major security risk, definitely. Maybe quitting the client completely after logging off or clearing the cached data may work around that issue.



This seems to be what is happening - it is somehow carrying over the cached roles of his CEO character when he switched characters.
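A minimal model of the behaviour described in this thread, added here as an illustration and not taken from the EVE client or server: role state and the selected map filter survive a character switch, so the role check passes for a character with no roles. The class names, role table and sample data are constructed assumptions; `ScopedSession` shows the corrected handling, where every login resets per-character state.

```python
# Hypothetical model of the reported behaviour; not EVE client or server code.
# All names and data below are constructed for illustration.
ROLE_NEEDED = {"Deliveries": "Jr. Accountant", "Corp Members in Space": "Director"}
CHARACTERS = {  # character -> (corporation, roles)
    "ceo_alt": ("corp_B", {"Director", "Jr. Accountant"}),
    "member_main": ("corp_A", set()),
}
CORP_DATA = {
    "corp_A": {"Deliveries": ["system A", "system B", "system C"]},
    "corp_B": {"Deliveries": ["system X"]},
}


class LeakySession:
    """Per-character state outlives the character that created it."""

    def __init__(self):
        self.corp, self.roles, self.map_filter = None, set(), None

    def login(self, character):
        corp, roles = CHARACTERS[character]
        self.corp = corp
        self.roles |= roles  # defect: previous character's roles are kept

    def open_map(self):
        if self.map_filter is None:
            return []
        if ROLE_NEEDED[self.map_filter] not in self.roles:
            raise PermissionError(self.map_filter)
        return CORP_DATA[self.corp].get(self.map_filter, [])


class ScopedSession(LeakySession):
    """Every login starts from a clean slate tied to the new character."""

    def login(self, character):
        corp, roles = CHARACTERS[character]
        self.corp, self.roles, self.map_filter = corp, set(roles), None


def replay(session_cls):
    """CEO alt selects Deliveries, then the role-less main opens the map."""
    s = session_cls()
    s.login("ceo_alt")
    s.map_filter = "Deliveries"
    s.login("member_main")
    return s.open_map()


if __name__ == "__main__":
    print("leaky :", replay(LeakySession))
    print("scoped:", replay(ScopedSession))
```

In the leaky model the role-less character gets its own corporation's delivery systems, which matches the "info of corp A" case confirmed in post [4]; in the scoped model the same sequence returns nothing, and an explicit query by that character is refused.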


 
