Today it was reported on the scrapheap-challenge.com forums that a serious security vulnerability had been found on the much-lauded new EVE Online forums, as poster Catari Taga relates:
As I was messing with the new official forums, adding an oversized image to my signature, running a little script that would like all of my posts as many times as I wanted, injecting some JavaScript into my posts, etc., I noticed that I could also post as any character in EVE on those forums, including developers. So if you want CCP Hammer to say that Incarna is cancelled, CCP StevieSG to declare her neverdying love for you or Chribba to endorse your newest scam, just let me know and I can make it happen…
Yeah, since I’m a good guy I’m trolling about doing it for you but very serious about being able to make it happen, and it’s so ridiculously easy that I guarantee you other people will do it.
New forums are a joke.
A few minutes ago CCP posted an announcement on their Facebook page, among several other social media sites, stating that they will be temporarily shutting down their new-forum services until they finish “investigating some issues”.

Then, just as the seen cannot be unseen, the unexpected became expected, as Catari Taga wrote:
I’m banned btw., account, IP, everything. Go go CCP (you are lame but we knew that).
We approached Catari Taga regarding the methods he used and the actions taken by CCP against him. He replied:
They took the entire forums down in response to this and, as expected, banned me.
I will not share the details of how I did anything other than saying that for all practical purposes those forums were as insecure as you could possibly make them. The only “tool” I used for this was my browser by the way, and it all started when I wanted to add my image signature again. I did not mess with the server directly (although some other people did that) or do anything that could remotely be considered harmful, but from the results I was seeing I am sure it was possible to go there.
If you publish anything about this I think you should tell your readers that this issue was limited to the forums, to the best of my knowledge other EVEGate functionality was unaffected by this.
I think it is redundant to mention this isn’t the first time a player has been banned for pointing out vulnerabilities in CCP’s gameplay infrastructure or human resources.
Source [SHC]
On a personal note I would point out how “intolerant” CCP is with some players for breaking the EULA while flexibility is the norm with others who are not only breaking the EULA but the game itself.
R





