
Forums - Website Topics - Sorting topics by date got stuck (on oldest to newest) and won't change back.

Zkuq said:
JOKA_ said:

Also....just noticed that our hashed passwords are being saved in a cookie.  That's....interesting.

More like worrying, no? At worst, it could mean that the site handles authentication using hashes instead of passwords.

Yeah, and the hash essentially becomes the password too.  If you copy your password cookie, log out, and then manually create the cookie you will be logged in without having to put your password in...



Platinums: Red Dead Redemption, Killzone 2, LittleBigPlanet, Terminator Salvation, Uncharted 1, inFamous Second Son, Rocket League

JOKA_ said:
Zkuq said:

More like worrying, no? At worst, it could mean that the site handles authentication using hashes instead of passwords.

Yeah, and the hash essentially becomes the password too.  If you copy your password cookie, log out, and then manually create the cookie you will be logged in without having to put your password in...

Oh right, simply copying the cookie works too. I didn't even think about that. If hashes are indeed used for authentication, I wouldn't be surprised if there was no salt either... Ah, combined with the lack of HTTPS, the security of this site sounds really scary. I hope no one's using this site through public WLAN. Best-case scenario, hashes are used for authentication because of the lack of HTTPS. Considering the overall security situation, I'm actually almost thinking that someone must already have hacked this site like years ago and no one's noticed.

So, uh, dev team (i.e. Trucks, I guess)? Maybe have a look at this security thingy over here because it seems kind of big? It seems there's at least two problems:

  • Hashes instead of passwords being used for authentication
  • The lack of HTTPS

EDIT:  The hashes also seem to fit the format generated by MD5. Ouch.
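The two problems listed in the post above, modelled side by side as an added example that is not part of the thread or the site's own code: a cookie that holds the stored password hash, next to a random server-side session token sent with the `Secure` and `HttpOnly` attributes. The account, password, in-memory stores and function names are all constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
from http.cookies import SimpleCookie

PASSWORD = "correct horse"  # constructed sample credential

# Weak model from the thread: cookie value == stored unsalted MD5 of the password.
WEAK_DB = {"alice": hashlib.md5(PASSWORD.encode()).hexdigest()}

def weak_check(user, cookie_value):
    # Possessing the hash is enough; logout cannot invalidate it.
    return hmac.compare_digest(WEAK_DB.get(user, ""), cookie_value)

# Hardened model: salted scrypt at rest, random revocable token in the cookie.
def _kdf(password, salt):
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

_salt = os.urandom(16)
STRONG_DB = {"alice": (_salt, _kdf(PASSWORD, _salt))}
SESSIONS = {}  # token -> user, kept server-side only

def login(user, password):
    salt, stored = STRONG_DB.get(user, (b"\0" * 16, b""))
    if not hmac.compare_digest(stored, _kdf(password, salt)):
        return None
    token = secrets.token_urlsafe(32)  # unrelated to the password or its hash
    SESSIONS[token] = user
    return token

def logout(token):
    SESSIONS.pop(token, None)  # server forgets the token, so a copy is useless

def session_user(token):
    return SESSIONS.get(token)

def session_cookie(token):
    c = SimpleCookie()
    c["session"] = token
    c["session"]["secure"] = True    # only sent over HTTPS
    c["session"]["httponly"] = True  # not readable from page scripts
    c["session"]["samesite"] = "Lax"
    c["session"]["path"] = "/"
    return c["session"].OutputString()
```

In the weak model the cookie stays valid until the password changes; in the hardened model a copied token stops working at logout and reveals nothing about the password.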



Zkuq said:
JOKA_ said:

Yeah, and the hash essentially becomes the password too.  If you copy your password cookie, log out, and then manually create the cookie you will be logged in without having to put your password in...

Oh right, simply copying the cookie works too. I didn't even think about that. If hashes are indeed used for authentication, I wouldn't be surprised if there was no salt either... Ah, combined with the lack of HTTPS, the security of this site sounds really scary. I hope no one's using this site through public WLAN. Best-case scenario, hashes are used for authentication because of the lack of HTTPS. Considering the overall security situation, I'm actually almost thinking that someone must already have hacked this site like years ago and no one's noticed.

So, uh, dev team (i.e. Trucks, I guess)? Maybe have a look at this security thingy over here because it seems kind of big? It seems there's at least two problems:

  • Hashes instead of passwords being used for authentication
  • The lack of HTTPS

EDIT:  The hashes also seem to fit the format generated by MD5. Ouch.

Poor Trucks, he could really use some help right now..



                
       ---Member of the official Squeezol Fanclub---

AZWification said:
Zkuq said:

Oh right, simply copying the cookie works too. I didn't even think about that. If hashes are indeed used for authentication, I wouldn't be surprised if there was no salt either... Ah, combined with the lack of HTTPS, the security of this site sounds really scary. I hope no one's using this site through public WLAN. Best-case scenario, hashes are used for authentication because of the lack of HTTPS. Considering the overall security situation, I'm actually almost thinking that someone must already have hacked this site like years ago and no one's noticed.

So, uh, dev team (i.e. Trucks, I guess)? Maybe have a look at this security thingy over here because it seems kind of big? It seems there's at least two problems:

  • Hashes instead of passwords being used for authentication
  • The lack of HTTPS

EDIT:  The hashes also seem to fit the format generated by MD5. Ouch.

Poor Trucks, he could really use some help right now..

Definitely. :D These issues are something I might even want to help with myself, except for the fact that I don't know much more than some basics about any kind of web development. (And I'm also quite busy with my studies most of the time.)



Zkuq said:
JOKA_ said:

Yeah, and the hash essentially becomes the password too.  If you copy your password cookie, log out, and then manually create the cookie you will be logged in without having to put your password in...

Oh right, simply copying the cookie works too. I didn't even think about that. If hashes are indeed used for authentication, I wouldn't be surprised if there was no salt either... Ah, combined with the lack of HTTPS, the security of this site sounds really scary. I hope no one's using this site through public WLAN. Best-case scenario, hashes are used for authentication because of the lack of HTTPS. Considering the overall security situation, I'm actually almost thinking that someone must already have hacked this site like years ago and no one's noticed.

So, uh, dev team (i.e. Trucks, I guess)? Maybe have a look at this security thingy over here because it seems kind of big? It seems there's at least two problems:

  • Hashes instead of passwords being used for authentication
  • The lack of HTTPS

EDIT:  The hashes also seem to fit the format generated by MD5. Ouch.

*deletes account*



Platinums: Red Dead Redemption, Killzone 2, LittleBigPlanet, Terminator Salvation, Uncharted 1, inFamous Second Son, Rocket League