Full Version: Studio 2 site leaking info!
Dumpshock Forums > Discussion > Shadowrun
Mr. Man
I was toying with the idea of ordering a second copy of the LE (to supplement the one I was lucky enough to pick up at Gen Con) so I headed over to the Studio 2 site from the link provided on srrpg.com. However when I went to put the item in my cart the site was acting as if I was logged in...as someone else...despite having never even created an account with them:

http://img372.imageshack.us/img372/695/studio2a7nh.jpg

So I clicked on "My Account" and found yet another person's info:

http://img372.imageshack.us/img372/9946/st...studio2b0xs.jpg

I'm not so sure I want to place an order anymore... eek.gif
mintcar
You should report that to the people responsible for the site immediately. But I wouldn't worry too much about ordering. There's no privacy on the internet anyways.
Blacken
Yeah, but this shit doesn't happen on most sites.

If their ordering department's as bad as their website, that'd explain where the mysterious missing 2 LE's went from my FLGS's order. nyahnyah.gif
mintcar
true
Demonseed Elite
It's definitely something to report to the site. I tried it out and only kept getting that Michael Krell guy in Mr. Man's second screenshot. Then I tried a link to Studio 2 I'd posted elsewhere that I had made right off of their homepage. No info was listed. Then I tried the link here on Dumpshock again and the one on srrpg.com again and no information was listed.

Very odd. At least the billing info is going through PayPal, which likely doesn't have the same issues, whatever they are.
blakkie
Perhaps DSF traffic issues as people try to put an order in for an LE.
Darkness
Ah! This again. This is quite dangerous. This shop (and another one I have seen yesterday) have security issues. Without going into detail:
The way in which they construct their links, together with their database management, allows someone to steal the session of the logged-in user who posted the link simply by following it.
This is not only bad, this is terrible.
I just checked the link on srrpg.com and got the personal information of another guy who is using the same session id.
I will inform Adam immediately to change the link on srrpg.com and inform the shop.

[Lecture Mode]
Don't post links from shops while logged in, kids.
[/Lecture Mode]
Ottergame
They might be aware of this, which is why they are only allowing paypal purchases. Also, when I was logged into someone else's account I poked around just to make sure you couldn't do anything bad. Other than seeing and changing someone's personal identification, I couldn't cancel, place, or alter orders. So, other than seeing some dude's address, I couldn't actually do any harm.

EDIT: Also, if this happens to you, do them a favor and just log that account out. That'll prevent it from popping back up.
Darkness
True but it shouldn't happen in the first place.
Just imagine someone with admin rights logged in, while someone with possibly malicious intent logs in.
(I don't actually think that you can log in with admin rights through the front end interface in this shop, but who knows?)
Ottergame
QUOTE (Darkness)
True but it shouldn't happen in the first place.
Just imagine someone with admin rights logged in, while someone with possibly malicious intent logs in.
(I don't actually think that you can log in with admin rights through the front end interface in this shop, but who knows?)

True, I wasn't trying to defend it, just giving a polite work around. smile.gif
Darkness
Sorry if I sounded harsh. That wasn't my intent. wink.gif
As soon as Adam fixes the links, that problem won't arise anymore. Until then...
Darkness
Seems like someone fixed the links on srrpg.com
Wireknight
QUOTE (Darkness)
[Lecture Mode]
Don't post links from shops while logged in, kids.
[/Lecture Mode]

If they used a decently robust session-based login system, it'd require some sort of man-in-the-middle attack, rather than the simple clicking of a properly formatted link, to achieve what happened. People should have no fear of linking pages from sites they're logged into. If the site is at all secure (as an online store should be) the worst that should happen is that the link resolves to a "you are not logged in, please log in here or create an account" type page.
Blacken
This is almost as stupid as putting password data in GETs. Come on, people...:/
Darkness
QUOTE (Wireknight)
If they used a decently robust session-based login system, it'd require some sort of man-in-the-middle attack, rather than the simple clicking of a properly formatted link, to achieve what happened. People should have no fear of linking pages from sites they're logged into. If the site is at all secure (as an online store should be) the worst that should happen is that the link resolves to a "you are not logged in, please log in here or create an account" type page.

QUOTE ("Blacken")
This is almost as stupid as putting password data in GETs. Come on, people...:/

I agree with you wholeheartedly on this one. And I was quite shocked that this security hole was so easily exploited.
Normally session IDs are either cookie-based or, if that doesn't work because the client's browser rejects them, are added to the URL in the form of a GET parameter. While the first method is safer than the latter, some companies forbid cookies, JavaScript and other things on their computers. So a customer logging in from such a machine will do so to no avail if the shop strictly restricts session handling to session cookies. So if you want more happy customers who can buy during their lunch break, you would have to allow the GET method to be used.
But if a session is handled through a GET request, the shop software should at least store the session handle, the IP of the user who opened the session and the timestamp of the session in a database table, so that it can check whether the IP calling for the session is the same as the one that opened it, or, if not, redirect to a login screen, and after a period of inactivity (in a shop 15 minutes should suffice) close the session itself.
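The session-store scheme Darkness lays out above (and the "decently robust session-based login" Wireknight asks for) in working form, as an added Python example. It is not the shop's code and nothing from this thread; the shop hostname, the `sid` query parameter name, the IP addresses and the timestamps are all constructed for the demo. The store records the session handle, the opener's IP and a last-activity timestamp; a request that presents a known handle from a different IP is refused, a handle idle for more than 15 minutes is closed, and a logged-out handle is gone for good.

```python
"""Bind a URL-carried session id to the client that opened it.

Added example, not the shop's code. Implements the check Darkness
describes: store (sid, ip, last_seen); refuse the sid from another IP;
expire it after 15 idle minutes. All names and values are constructed.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

IDLE_LIMIT_SECONDS = 15 * 60  # the inactivity timeout suggested in the thread


@dataclass
class Session:
    user: str
    ip: str          # IP that opened the session
    last_seen: float  # unix time of the last accepted request


class SessionStore:
    def __init__(self, idle_limit: float = IDLE_LIMIT_SECONDS) -> None:
        self._sessions: Dict[str, Session] = {}
        self.idle_limit = idle_limit

    def login(self, user: str, ip: str, now: Optional[float] = None) -> str:
        """Open a session for `user` from `ip`; returns the new handle."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 random bits: not guessable
        self._sessions[sid] = Session(user, ip, now)
        return sid

    def resolve(self, sid: str, ip: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user owning `sid` when the request from `ip` may use it,
        or None when the request must be sent to the login page instead."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            return None                      # unknown or already logged out
        if now - sess.last_seen > self.idle_limit:
            del self._sessions[sid]          # idle too long: the shop closes it
            return None
        if sess.ip != ip:
            return None                      # handle followed from another client
        sess.last_seen = now                 # accepted request refreshes activity
        return sess.user

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def sid_from_url(url: str, param: str = "sid") -> Optional[str]:
    """Pull the session handle out of a shared link (the leak path in the thread).
    The parameter name `sid` is an assumption for this demo."""
    values = parse_qs(urlparse(url).query).get(param)
    return values[0] if values else None


def demo() -> dict:
    """Walk through the thread's scenario with constructed addresses and times."""
    store = SessionStore()
    t0 = 1_000_000.0
    sid = store.login("alice", "198.51.100.10", now=t0)
    # The link alice pastes into a forum post while logged in (constructed URL).
    shared = f"http://shop.example/product.php?id=42&sid={sid}"
    leaked = sid_from_url(shared)
    own = store.resolve(leaked, "198.51.100.10", now=t0 + 60)        # alice herself
    other = store.resolve(leaked, "203.0.113.7", now=t0 + 120)       # a forum reader
    stale = store.resolve(leaked, "198.51.100.10", now=t0 + 60 + IDLE_LIMIT_SECONDS + 1)
    return {"own": own, "other": other, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

The IP check is the thread's own mitigation and has a known limit: two clients behind the same NAT or proxy share an address, so a colleague following the link from the same office network would still be accepted. A cookie-only session, as Wireknight describes, avoids the handle ever appearing in a pasteable URL in the first place, which is why the IP binding should be treated as a fallback for the GET path rather than the primary control.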
Dumpshock Forums © 2001-2012