MAJOR Security flaw in HTML 5 Publishing links!
Hi Everyone
Seen this a few times now so thought I'd create a thread to hopefully stop you doing this.
When you publish to HTML 5 and then copy the link to the forum, make sure your link is like this only:
http://gamesalad.com/game/55555
If you post a link similar to this:
http://gamesalad.com/game/55555?GSCVersion=0.9.71&tokenUsername=YOURUSERNAME&token=c01a82e6d0d316b85f308cf4ac001b70615f91a490620cce012a4dada06be67a
Where 'YOURUSERNAME' is actually your real GS username, if people click that full link they log in as you under your account. This means they have access to EVERYTHING!!! Be Warned and be very CAREFUL. I have emailed support@gamesalad.com and bugs@gamesalad.com so hopefully they will sort this immediately.
Note - The example links I have provided have been edited so they will not lead to any games; didn't want to post close to anyone's real links!
Comments
So I can't really prove whether you or I found it first, nor do I care to be honest, just giving everyone a heads up.
I personally never liked that first link it gives when you publish, so I have always gone and got the short one, but I had no idea about it logging you in.
Thanks again.
That being said, please don't pass around this "long" link. In the meantime, we'll be putting in some fixes that will make this link safer. (Quicker expiration, forwarding a user to the same page without the token parameters, etc.)
Thanks for the catch! Sometimes when you're developing, you forget how people might slip and give out data that they were not meant to.
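The risk in the original post is a bearer credential (the tokenUsername and token query parameters) embedded in a shareable URL, and the staff reply describes one mitigation: send the user to the same page without those parameters. The following Python is an added example, not GameSalad's code, showing both the defender-side check (does a link or forum post carry the credential parameters?) and the scrubbing step that produces the safe short link. The parameter names come from the thread; the sample username and token value are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters that act as login credentials in the publish link
# (names taken from the thread); matched case-insensitively.
SENSITIVE_PARAMS = {"token", "tokenusername"}

# Finds http(s) URLs inside free text such as a forum post.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def find_leaked_params(url):
    """Return the names of credential-bearing query parameters present in url."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def strip_token_params(url):
    """Return url with the credential parameters removed; other parameters
    (e.g. GSCVersion) and the path are kept, so the game still loads."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SENSITIVE_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def scrub_post(text):
    """Rewrite every leaking URL in a post to its safe form.
    Returns (scrubbed_text, list_of_urls_that_carried_credentials)."""
    leaked = []

    def replace(match):
        url = match.group(0)
        if find_leaked_params(url):
            leaked.append(url)
            return strip_token_params(url)
        return url

    return URL_RE.sub(replace, text), leaked


if __name__ == "__main__":
    # Constructed sample: the long publish link with a fake username/token.
    sample = ("http://gamesalad.com/game/55555?GSCVersion=0.9.71"
              "&tokenUsername=alice&token=deadbeef0123")
    print(find_leaked_params(sample))   # ['token', 'tokenUsername']
    print(strip_token_params(sample))   # http://gamesalad.com/game/55555?GSCVersion=0.9.71
```

Running scrub_post over a post before it is submitted (or server-side, as the staff reply suggests for the redirect) removes the credential while leaving the working short link in place.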