chat bug a security issue?


 

Posted

Thread based on a statement by a forum poster in the Training Room/latest patch notes thread. It seemed to need its own space.

http://boards.cityofheroes.com/showflat....e=0&fpart=2

[ QUOTE ]
[ QUOTE ]
[ QUOTE ]
[ QUOTE ]
Maybe I'm blind, but is the chat bug fixed in either build?

[/ QUOTE ]

Not unless it didn't make it into the patch notes.

*shrug* Might be harder to fix than anyone realizes.

[/ QUOTE ]

wwwwwwwweeeeeqqqqqqqqqqqsssMaybe so.

You'd think it would be high priority since it can actually "remember" your password from the login screen. If someone isn't paying attention, they could pretty easily broadcast their password to an entire zone.

It's not just a chat bug. It's a security issue, imo.

[/ QUOTE ]

Interesting perspective on the chat bug, and one that needs to be verified. To date I have seen very few instances of captured text from a previous text session showing up due to the chat bug. At most it's been the last few letters of the previous text or a string of movement/action keying.

Have you had it happen to you, or have you seen it happen to someone else?

Under what circumstances was a password revealed?

Did it include a user name?

Are a significant number of global names and account login names the same? (If yours, the reader's, is, then obviously change it for your own peace of mind.)


Inquiring minds and all that.

[/ QUOTE ]

Cathartic wrote -
[ QUOTE ]
Someone posted it a couple of weeks ago. They were very distraught. I haven't yet had time to find what thread they used.

Personally, I've had it remember a piece of my password upon login. I caught it, so I wasn't bothered by it too much. It happened after quitting to the login screen.

I also understand that without someone's username, it's harmless to see their password in chat. The only problem is that some people aren't quite as security conscious as others, so there's a chance that using a broadcasted password (if recognized as such) along with using a person's global name might allow access to the account.

In my time as a Titan Network helper, we actually had someone send us their username and password to link their account with the Titan sites. It was flattering for them to trust us like that, I suppose, but it showed just how careless people can be with their personal information.

(Note: The Titan Network never asks for sensitive personal information from any of their users. The above example was a mistake by the user. The user was informed that it may be wise to change their password just in case.)

[/ QUOTE ]


Kittens give Morbo gas.

 

Posted

If there is even the slightest possibility of the chat bug causing a security issue.. it needs to be shot to the -top- of the list of bugs and labeled "Priority". The fact that it has gone unfixed for 2 issues really irks me. Usually show stoppers are dealt with swiftly.


Story arcs:
The Golden Scepter: #9852 [Winner of American Legion's July 2011 AE Author Contest]

Let your voice be heard! Sign the petition to keep CoH alive.

 

Posted

Very interesting look at a "simple bug" on the outside.


 

Posted

Wow. I know I've had it vomit up cached keystrokes into my password field or login name when changing characters/accounts, but I haven't had it launch my pass into broadcast.

Yeah, I'd say that's a major security issue.

[u]Edit[/u]
I PM'd Ghost Falcon with a link to this thread.




[ ProTip: The banner is a link to art refs!! | The Khellection | The HBAS Repository | Brute Guides (4/16/10) | How To Post An Image - A Quick Guide ]
Biggest Troll on the forums? I'll give you a hint:

 

Posted

<QR> Since the cached text isn't actually placed in the text field, you wouldn't have been able to log in. If you attempted to retype it, it would show up in the password field again the way you all describe, being doubled, and then it would tell you the password was incorrect again.

The way this bug is currently working, I don't see any way for it to place your password into the chat, because you would first have to type the password correctly into the password field (which wouldn't be cached at that point).

And even if you did mistakenly type the password by accident... people don't have any way to know what your username is... so there is NO risk at all... and if there is any chance you think somebody does know your username too, then you can easily change your password at any time before anybody gets a chance to do anything.
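The posts above disagree about whether a correctly typed password can reach chat. The following is an added, hypothetical model written for this thread; it is not the game client's code and makes no claim about how the client actually buffers input. It shows one generic mechanism that would produce exactly the symptoms reported (movement keys and a tail of a password appearing in the next text box): a single raw keystroke queue that is drained into whichever field has focus, and that is not flushed when focus is lost. The `FlushingInput` variant shows the fix. The password `hunter2`, the field names and the typed sequence are constructed sample input.

```python
"""Hypothetical model of a keystroke buffer shared across input fields.

Not the game client's code. It shows how a raw-key queue that survives a
focus change replays the tail of a password (or movement keys) into the
next focused field, and how flushing the queue on focus change stops it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ENTER = "\n"


@dataclass
class InputField:
    name: str
    secret: bool = False   # True for the password box
    text: str = ""         # characters delivered so far


class LeakyInput:
    """Keys land in one raw buffer that is drained into the focused field
    once per frame. Two defects: keys typed while nothing is focused stay
    queued, and changing focus does not flush the queue."""

    def __init__(self) -> None:
        self.fields: Dict[str, InputField] = {}
        self.focus: Optional[str] = None
        self.pending: List[str] = []                  # undelivered keys
        self.submitted: List[Tuple[str, str]] = []    # (field, text) on Enter

    def add_field(self, name: str, secret: bool = False) -> None:
        self.fields[name] = InputField(name, secret)

    def set_focus(self, name: Optional[str]) -> None:
        self.focus = name                             # bug: queue is kept

    def keypress(self, ch: str) -> None:
        self.pending.append(ch)

    def process_frame(self) -> None:
        if self.focus is None:
            return                                    # bug: keys stay queued
        fld = self.fields[self.focus]
        while self.pending:
            ch = self.pending.pop(0)
            if ch == ENTER:
                self.submitted.append((fld.name, fld.text))
                fld.text = ""
                if fld.secret:
                    self.focus = None                 # login screen drops focus
                    return                            # rest of queue survives
            else:
                fld.text += ch


class FlushingInput(LeakyInput):
    """Same pipeline, but the queue is cleared whenever focus is lost or
    moved, so keys meant for one field can never reach another."""

    def set_focus(self, name: Optional[str]) -> None:
        self.pending.clear()
        self.focus = name

    def process_frame(self) -> None:
        if self.focus is None:
            self.pending.clear()                      # unfocused keys dropped
            return
        super().process_frame()
        if self.focus is None:                        # a submit dropped focus
            self.pending.clear()


def type_text(inp: LeakyInput, text: str) -> None:
    for ch in text:
        inp.keypress(ch)


def scenario(inp: LeakyInput) -> Tuple[str, str]:
    """Log in, then open chat. Returns (password the login consumed, text
    sitting in the chat box before the user types anything there)."""
    inp.add_field("password", secret=True)
    inp.add_field("chat")
    inp.set_focus("password")
    # Constructed input: the user types the password, presses Enter and,
    # thinking it did not register, starts retyping it in the same frame.
    type_text(inp, "hunter2" + ENTER + "hunt")
    inp.process_frame()            # login consumes "hunter2", focus is lost
    type_text(inp, "wwwwd")        # movement keys during the zone load
    inp.process_frame()
    inp.set_focus("chat")          # user opens the chat box
    inp.process_frame()            # whatever is still queued lands here
    return inp.submitted[0][1], inp.fields["chat"].text


if __name__ == "__main__":
    print("leaky   :", scenario(LeakyInput()))
    print("flushing:", scenario(FlushingInput()))
```

In the leaky model the login itself succeeds (the full password was consumed), yet the retyped fragment and the movement keys are the first thing that appears in chat; that is the case the post above rules out and the earlier reports describe. The fix is not about the password box at all but about ownership of the raw buffer: any key that was not delivered to the field it was typed for is discarded, never carried to the next field.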


 

Posted

If your login name is the same as your Global, I'd highly recommend changing your login immediately.


The plastic tips at the end of shoelaces are called aglets. Their true purpose is sinister.
--The Question, JLU