> Studio 2 site leaking info!
Mr. Man
post Aug 23 2005, 11:49 PM
Post #1


Moving Target
**

Group: Members
Posts: 313
Joined: 26-February 02
From: UCAS
Member No.: 1,015



I was toying with the idea of ordering a second copy of the LE (to supplement the one I was lucky enough to pick up at Gen Con) so I headed over to the Studio 2 site from the link provided on srrpg.com. However when I went to put the item in my cart the site was acting as if I was logged in...as someone else...despite having never even created an account with them:

http://img372.imageshack.us/img372/695/studio2a7nh.jpg

So I clicked on "My Account" and found yet another person's info:

http://img372.imageshack.us/img372/9946/st...studio2b0xs.jpg

I'm not so sure I want to place an order anymore... :eek:
mintcar
post Aug 23 2005, 11:53 PM
Post #2


Karma Police
***

Group: Dumpshocked
Posts: 1,358
Joined: 22-July 04
From: Gothenburg, SE
Member No.: 6,505



You should report that to the people responsible for the site immediately. But I wouldn't worry too much about ordering. There's no privacy on the internet anyways.
Blacken
post Aug 23 2005, 11:58 PM
Post #3


Moving Target
**

Group: Members
Posts: 133
Joined: 10-August 05
Member No.: 7,548



Yeah, but this shit doesn't happen on most sites.

If their ordering department's as bad as their website, that'd explain where the mysterious missing 2 LE's went from my FLGS's order. :P
mintcar
post Aug 23 2005, 11:59 PM
Post #4


Karma Police
***

Group: Dumpshocked
Posts: 1,358
Joined: 22-July 04
From: Gothenburg, SE
Member No.: 6,505



true
Demonseed Elite
post Aug 24 2005, 12:13 AM
Post #5


Neophyte Runner
*****

Group: Members
Posts: 2,078
Joined: 26-February 02
Member No.: 67



It's definitely something to report to the site. I tried it out and only kept getting that Michael Krell guy in Mr. Man's second screenshot. Then I tried a link to Studio 2 I'd posted elsewhere that I had made right off of their homepage. No info was listed. Then I tried the link here on Dumpshock again and the one on srrpg.com again and no information was listed.

Very odd. At least the billing info is going through PayPal, which likely doesn't have the same issues, whatever they are.
blakkie
post Aug 24 2005, 12:19 AM
Post #6


Dragon
********

Group: Members
Posts: 4,718
Joined: 14-September 02
Member No.: 3,263



Perhaps DSF traffic issues as people try to put an order in for an LE.
Darkness
post Aug 24 2005, 09:37 AM
Post #7


Moving Target
**

Group: Members
Posts: 297
Joined: 26-February 02
Member No.: 248



Ah! This again. This is quite dangerous. This shop (and another one I saw yesterday) have security issues. Without going into detail:
The way in which they construct their links and their database management allows someone, simply by following this link, to steal the session of the logged-in user who provided this link while being logged in.
This is not only bad, this is terrible.
I just checked the link on srrpg.com and got the personal information of another guy who is using the same session ID.
I will inform Adam immediately to change the link on srrpg.com and inform the shop.

[Lecture Mode]
Don't post links from shops while logged in, kids.
[/Lecture Mode]
Ottergame
post Aug 24 2005, 09:46 AM
Post #8


Target
*

Group: Members
Posts: 37
Joined: 27-January 04
Member No.: 6,028



They might be aware of this, which is why they are only allowing PayPal purchases. Also, when I was logged into someone else's account I poked around just to make sure you couldn't do anything bad. Other than seeing and changing someone's personal identification, I couldn't cancel, place, or alter orders. So, other than seeing some dude's address, I couldn't actually do any harm.

EDIT: Also, if this happens to you, do them a favor and just log that account out. That'll prevent it from popping back up.
Darkness
post Aug 24 2005, 10:20 AM
Post #9


Moving Target
**

Group: Members
Posts: 297
Joined: 26-February 02
Member No.: 248



True, but it shouldn't happen in the first place.
Just imagine someone with admin rights logged in while someone with possibly malicious intent logs in.
(I don't actually think that you can log in with admin rights through the front end interface in this shop, but who knows?)
Ottergame
post Aug 24 2005, 11:00 AM
Post #10


Target
*

Group: Members
Posts: 37
Joined: 27-January 04
Member No.: 6,028



QUOTE (Darkness)
True, but it shouldn't happen in the first place.
Just imagine someone with admin rights logged in while someone with possibly malicious intent logs in.
(I don't actually think that you can log in with admin rights through the front end interface in this shop, but who knows?)

True, I wasn't trying to defend it, just giving a polite workaround. :)
Darkness
post Aug 24 2005, 11:37 AM
Post #11


Moving Target
**

Group: Members
Posts: 297
Joined: 26-February 02
Member No.: 248



Sorry if I sounded harsh. That wasn't my intent. ;)
As soon as Adam fixes the links, that problem won't arise anymore. Until then...
Darkness
post Aug 24 2005, 01:14 PM
Post #12


Moving Target
**

Group: Members
Posts: 297
Joined: 26-February 02
Member No.: 248



Seems like someone fixed the links on srrpg.com.
Wireknight
post Aug 24 2005, 05:34 PM
Post #13


Moving Target
**

Group: Members
Posts: 527
Joined: 26-February 02
Member No.: 1,118



QUOTE (Darkness)
[Lecture Mode]
Don't post links from shops while logged in Kids.
[/Lecture Mode]

If they used a decently robust session-based login system, it'd require some sort of man-in-the-middle attack, rather than the simple clicking of a properly formatted link, to achieve what happened. People should have no fear of linking pages from sites they're logged into. If the site is at all secure (as an online store should be) the worst that should happen is that the link resolves to a "you are not logged in, please log in here or create an account" type page.
Blacken
post Aug 24 2005, 07:29 PM
Post #14


Moving Target
**

Group: Members
Posts: 133
Joined: 10-August 05
Member No.: 7,548



This is almost as stupid as putting password data in GETs. Come on, people...:/
Darkness
post Aug 24 2005, 11:07 PM
Post #15


Moving Target
**

Group: Members
Posts: 297
Joined: 26-February 02
Member No.: 248



QUOTE (Wireknight)
If they used a decently robust session-based login system, it'd require some sort of man-in-the-middle attack, rather than the simple clicking of a properly formatted link, to achieve what happened. People should have no fear of linking pages from sites they're logged into. If the site is at all secure (as an online store should be) the worst that should happen is that the link resolves to a "you are not logged in, please log in here or create an account" type page.

QUOTE ("Blacken")
This is almost as stupid as putting password data in GETs. Come on, people...:/

I agree with you wholeheartedly on this one. And I was quite shocked that this security hole was so easily exploited.
Normally session IDs are either cookie based or, if that doesn't work because the client's browser rejects them, are added to the URL in the form of a GET parameter. While the first method is safer than the latter, some companies forbid cookies, JavaScript and other things on their computers. So a customer logging in from such a machine will do so to no avail if the shop strictly restricts session handling to session cookies. So if you want more happy customers who can buy during their lunch break, you would have to allow the GET method to be used.
But if a session is handled through a GET request, the shop software should at least store the session handle, the IP of the user who opened the session and the timestamp of the session in a database table, so that it can check whether the IP calling for the session is the same as the one that opened it, or, if not, redirect to a login screen, and after a period of inactivity (in a shop 15 minutes should suffice) close the session itself.
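The session handling that Wireknight asks for (a link to a logged-in page should resolve to "please log in" for anyone else) and the mitigation Darkness describes (bind a URL-carried session handle to the opening IP, expire it after 15 minutes of inactivity) can be sketched in a few lines. This is an added example and not code from the thread, from Studio 2 or from any real shop software; the class and function names, the `sid` parameter name and the shop URL are assumptions.

```python
"""
Added example (not from the thread or any real shop): a server-side session
store for URL-carried session handles that binds each handle to the client
IP that opened it and closes it after 15 minutes of inactivity. All names
here (SessionStore, handle_request, the "sid" parameter) are hypothetical.
"""
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

INACTIVITY_LIMIT = 15 * 60  # seconds; the post suggests 15 minutes for a shop
SESSION_PARAM = "sid"       # hypothetical query-string parameter carrying the handle


@dataclass
class Session:
    user: str         # account the session belongs to
    ip: str           # client address that opened the session
    last_seen: float  # timestamp of the last accepted request


class SessionStore:
    """The database table from the post: handle -> (user, IP, timestamp)."""

    def __init__(self):
        self._sessions = {}

    def open(self, user, ip, now=None):
        now = time.time() if now is None else now
        # An unguessable random handle; a sequential ID would let anyone
        # enumerate other customers' sessions even with the IP check in place.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, ip, now)
        return sid

    def resolve(self, sid, ip, now=None):
        """Return the user for sid, or None when the caller must log in again."""
        now = time.time() if now is None else now
        session = self._sessions.get(sid)
        if session is None:
            return None
        if now - session.last_seen > INACTIVITY_LIMIT:
            del self._sessions[sid]  # closed by the shop itself after inactivity
            return None
        if session.ip != ip:
            # A different client presented a handle it did not open: treat as
            # not logged in rather than serving the original user's account.
            return None
        session.last_seen = now
        return session.user

    def logout(self, sid):
        self._sessions.pop(sid, None)


def handle_request(store, url, client_ip, now=None):
    """Resolve the session in a shop URL: ('account', user) or ('login', None)."""
    query = dict(parse_qsl(urlparse(url).query))
    sid = query.get(SESSION_PARAM)
    user = store.resolve(sid, client_ip, now) if sid else None
    return ("account", user) if user else ("login", None)


def shareable_link(url):
    """Strip the session parameter so a pasted link carries no session handle."""
    parts = urlparse(url)
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != SESSION_PARAM]
    return urlunparse(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed scenario: a customer logs in, copies the cart URL and posts it.
    store = SessionStore()
    sid = store.open("customer-a", "203.0.113.5", now=1000.0)
    url = "https://shop.example/cart?item=LE&" + SESSION_PARAM + "=" + sid
    print(handle_request(store, url, "203.0.113.5", now=1100.0))  # original client
    print(handle_request(store, url, "198.51.100.7", now=1100.0))  # someone else clicking the link
    print(shareable_link(url))                                      # what should have been posted
```

The IP binding is the check from the post, with the limitations the thread does not mention: clients behind the same NAT or proxy share an address, so it reduces rather than eliminates the exposure, and a cookie-based session remains the better default. `shareable_link` is the practical form of the "don't post links while logged in" advice: strip the handle before the URL leaves the browser.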

Topps, Inc has sole ownership of the names, logo, artwork, marks, photographs, sounds, audio, video and/or any proprietary material used in connection with the game Shadowrun. Topps, Inc has granted permission to the Dumpshock Forums to use such names, logos, artwork, marks and/or any proprietary materials for promotional and informational purposes on its website but does not endorse, and is not affiliated with the Dumpshock Forums in any official capacity whatsoever.