Website Security Risk
Started by Crane, Jun 08 2010 09:35 AM
2 replies to this topic
#1
Posted 08 June 2010 - 09:35 AM
This might be more of a suggestion, but it is a technical issue... I would like to suggest reprogramming the trading pages on the website to use the HTTP "POST" submission method, rather than HTTP "GET", for two reasons...
1) It violates the HTML specification, as the form isn't genuinely "idempotent" (the only time that it is recommended to use "GET").
2) The user's account password appears in the address bar (as plaintext) after it is submitted.
The Crane Temple Chairman
Main crits:
Crane
Europa
Don't kill the messenger mathematician!
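As an added illustration (not code from this thread or from the site it discusses), here is a check a site operator could run over web server access logs to locate forms that submit a password via GET: a credential in the query string is written in plaintext to server logs, proxy logs and browser history, which is the exposure the post describes. The log lines, the `/classchange.php` path and the parameter names are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" log format (not real traffic).
# Line 1 is the GET-form case from the thread: the password is part of the URL.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Jul/2010:03:51:00 +0000] "GET /classchange.php?name=examplechar&password=s3cret-example HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Jul/2010:03:52:10 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Jul/2010:03:53:30 +0000] "POST /classchange.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Parameter names treated as credentials (assumed list; extend it for your own forms).
SENSITIVE_PARAMS = {"password", "passwd", "pass", "pwd"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_leaked_credentials(log_text):
    """Return one finding per request whose query string carries a credential.

    Values are deliberately not copied into the finding: the goal is to
    locate the leaking form, not to re-record the password in another file.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        parts = urlsplit(m.group("target"))
        params = parse_qs(parts.query, keep_blank_values=True)
        leaked = sorted(p for p in params if p.lower() in SENSITIVE_PARAMS)
        if leaked:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "method": m.group("method"),
                "path": parts.path,
                "params": leaked,
            })
    return findings

if __name__ == "__main__":
    for f in find_leaked_credentials(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['method']} {f['path']} leaks {f['params']}")
```

The POST request on the third sample line produces no finding because its credentials travelled in the request body, which the access log does not record; that is the practical difference between the two form methods.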
#2
Posted 04 July 2010 - 01:42 PM
This topic got quickly buried by another issue, but I can't help but feel that the password appearing as plaintext is a big security hole.
The Crane Temple Chairman
#3
Posted 06 July 2010 - 03:51 AM
Ticket from me to JLH...
Me: When using the site to class change a character, it asks for the name of the character and the account password and you click the Next button. The new page loads and your character name and password are both displayed in plain text in the URL. Can't believe I never noticed this in the 8ish years I've been changing characters.
Oracle: Marking for JLH to review as he's the only one that can change code-based things like that.
JLH: You are correct, that's how I did it many many years ago - there are no problems with this (unless someone is reading your internet history or watching your screen).
I guess it wouldn't hurt if I encoded it.
This is from quite a while back but there you have it.
1-alt: Inglastex Main: don't play