GBATemp Account Exploit

[DavidRO99]

And how would you get somebody';s cookies? If it is as simple as running a script or a chrome extention, sure that might be a problem. But it isn't a prblem when you have to be on the network or have to know the email. It's kinda a non-problem at that point.

Phising, posting on an exploitable forum site with an specially crafted img, sure, extensions, maybe badly coded extensions

 

[cearp]

I only call three people on my phone

pizza hut, mother, father?
(my three choices)

 

[DavidRO99]

pizza hut, mother, father?
(my three choices)

stripper, pizza hut, uber xD

 

[Deleted User]

stripper, pizza hut, uber xD

Uber has a app, pizza hut is garbage, use a burner phone for stripper.

 

[prion]

This is completely standard behaviour and not really an issue at all for most people. If your browser didn't save session tokens then you'd constantly be manually re-authenticating with the site, which would be an undeniable pain in the ass.

Feel free to just block cookies from this domain if it's a problem for you though.

 

[Chary]

pizza hut, mother, father?
(my three choices)

No way! I have higher standards.

My mother, father, and DOMINOS PIZZA.

 

[cearp]

@Chary you're right, dominos is much better.
ppj is great too though.
out of the 3, i would say pizza hut is number 3.

 

[yodamerlin]

If someone has access to your cookies, then you have far bigger things to worry about.

 

[WiiUBricker]

Security issues should not be discussed in an open forum to prevent giving nefarious people bad ideas. Always direct security issues to the admins.
Though in this particular case I think it can be argued whether this is a security issue or not.

 

[yodamerlin]

Security issues should not be discussed in an open forum to prevent giving nefarious people bad ideas. Always direct security issues to the admins.
Though in this particular case I think it can be argued whether this is a security issue or not.

I'm going to add to this for people who do find a security bug. Report it to the whoever runs it, but make sure to give them a suitable time frame to fix it and release the bug if they don't. It's dangerous if bugs go unfixed, and many companies just won't take it seriously until it's public knowledge.

 

[Lightyose]

pizza hut, mother, father?
(my three choices)

My mom works at Pizza Hut.

 

[Boogieboo6]

My mom works at Pizza Hut.

My uncle works at Nintendo :^)

 

[Lightyose]

My uncle works at Nintendo :^)

Not joking.

 

[gnmmarechal]

My uncle works at Nintendo :^)

Ask him to take you to his work and wear a shirt with Smea's profile pic

Sent from my cave of despair where I collect souls

 

[Myshkin]

surely login sessions are salted ie the system employs per-session keys?

 

[DarkFlare69]

Show how somebody can steal somebody elses cookie and log into their account with it

Wouldn't you already need some kind of trojan in someone's computer to export their cookies? And you can just export their saved passwords..

 

[DavidRO99]

Wouldn't you already need some kind of trojan in someone's computer to export their cookies? And you can just export their saved passwords..

SQL Injection or just Phising

 

[DarkFlare69]

SQL Injection or just Phising

gbatemp isn't vulnerable to sql injection

 

[cearp]

gbatemp isn't vulnerable to sql injection

because the databases are in csv?

 

[astronautlevel]

because the databases are in csv?

I'm relatively sure that xenforo does use sql. However, a sql injection is unlikely in paid, professional software. Not saying it's impossible, but