GBATemp Account Exploit

[DavidRO99]

I think the admins should look into this so for debugging I made a tutorial!
I hope this is possible to fix by using some type of blocker as I dont want to see somebodys account get stolen by them not knowing what they are doing with their cookies.
This is possible using cookies so... here is how to do it!

• Step 1. Install EditThisCookie for Chrome
• Step 2. Go to GBATemp and click on the cookie
• Step 3. Click export and sign out of your account
• Step 4. Click back on the cookie and then on the Trash until there is no cookie left
• Step 5. Click on the Import icon
• Step 6. Paste the cookie you just copied and click on the checkmark
• Step 7. Refresh the page.
• Step 8. Be amazed at how this works on netflix aswell

 

[VinsCool]

What is this supposed to do, exactly?

 

[DavidRO99]

What is this supposed to do, exactly?

Show how somebody can steal somebody elses cookie and log into their account with it

 

[SomeGamer]

What is this supposed to do, exactly?

Be a rebel, log in without using the button designed for this exact purpose.

 

[VinsCool]

Show how somebody can steal somebody elses cookie and log into their account with it

Seriously? I think this is a serious technical issue admins should know about.

 

[DavidRO99]

Seriously? I think this is a serious technical issue admins should know about.

I know, and I know there is a way to fix it because it doesnt work on gmail. I just dont know how

 

[Luckkill4u]

Someone will have to get access to your cookies/computer first.

 

[Boogieboo6]

I think the admins should look into this so for debugging I made a tutorial!
I hope this is possible to fix by using some type of blocker as I dont want to see somebodys account get stolen by them not knowing what they are doing with their cookies.
This is possible using cookies so... here is how to do it!

• Step 1. Install EditThisCookie for Chrome
• Step 2. Go to GBATemp and click on the cookie
• Step 3. Click export and sign out of your account
• Step 4. Click back on the cookie and then on the Trash until there is no cookie left
• Step 5. Click on the Import icon
• Step 6. Paste the cookie you just copied and click on the checkmark
• Step 7. Refresh the page.
• Step 8. Be amazed at how this works on netflix aswell

But how'd you find this? Were you trying to hack GBATemp??

 

[DavidRO99]

Someone will have to get access to your cookies/computer first.

Really easy with SQL Injection/Phising

--------------------- MERGED ---------------------------

But how'd you find this? Were you trying to hack GBATemp??

Nah, just trying to get into netflix without owning a account(and I succeded xD) so I decided to try this with GBATemp

 

[AlanJohn]

Thank you for pointing this out. From now on, I will use GBAtemp in incognito mode only.
Can't let my mom check out my PMs! ;O;

 

[Lightyose]

I thought this was an alternate browserhax for 3ds...

 

[evandixon]

This is how the internet works. There's nothing the admins can do besides redefining how every website ever functions.

 

[DavidRO99]

This is how the internet works. There's nothing the admins can do besides redefining how every website ever functions.

Maybe what steam does? A verification system?

 

[Luckkill4u]

Really easy with SQL Injection/Phising

Lol you think its "easy"

 

[DavidRO99]

Lol you think its "easy"

It is easy.... there are plenty of tutorials about doing it with just an image for example. All you need is a vulnerable site.

 

[gnmmarechal]

Maybe what steam does? A verification system?

Two Factor Authentication? That could be implemented, I assume, but that can be annoying.

 

[Luckkill4u]

It is easy.... there are plenty of tutorials about doing it with just an image for example. All you need is a vulnerable site.

Phishing maybe if the user is stupid but SQLi is not easy, even if the vulnerabilities are there...

 

[Tenshi_Okami]

Why post the proccess tho, now people can use it to rob the accounts ;-;

you should had just sent it in a PM to mods...

 

[DavidRO99]

Two Factor Authentication? That could be implemented, I assume, but that can be annoying.

Still, it is more secure than just letting people play with your account

 

[astronautlevel]

It is easy.... there are plenty of tutorials about doing it with just an image for example. All you need is a vulnerable site.

I highly doubt Temp is vulnerable to SQL injection. Phising could also be used to get a password directly, there's no reason people would go out of the way to get the cookie instead.

Also, basically what @UniqueGeek said. There's no easy way around this because of how cookies work.