Get into others peoples accounts using a link

BYOND Forums

Announcements · BYOND Help · Bug Reports · Feature Requests · Beta Testers · Beta Bugs · Developer Help · Design Philosophy · Demos & Libraries · Tutorials & Snippets · Art & Sound · Classified Ads · Game Updates · Contests & Events · Linux Talk · On Topic · Off Topic

ID:76692

Jul 17 2009, 4:59 am

Cbgames

Resolved

Fixed

BYOND Version:	N/A (Website Bug)
Operating System:	Windows Vista Home Premium
Web Browser:	Firefox 3.5

Status:

Resolved (web)

This issue has been resolved.

Descriptive Problem Summary:
The key Flaksim gave me a link to a game which automaticly log me into his account on the BYOND website. The url contain a ?pid= with what seems to be a MD5 hash. I am not sure if this is a one off problem but I belive this to be a big security hole as even after the user changed his password I was still able to logon using the url.

I be happy to send you the link that allowed me onto his account via email.

Jul 17 2009, 5:01 am
Flaksim	On a note I use Google Chrome and Vista home basic

Jul 17 2009, 5:02 am
Proteen	God Bless America.

Jul 17 2009, 5:02 am
Flaksim	the ?pid= part is only visible when the page is loading