Text only | Text with Images

2000 AD Online Forum

2000 AD => Website and Forum => Topic started by: Dudley on 21 August, 2003, 08:14:15 PM

Title: Security um... thingie
Post by: Dudley on 21 August, 2003, 08:14:15 PM
If you delete all your cookies (like my computer regularly does), you have to sign in again before you can use message board etc.

You're asked for your username and password.  

If you put in your username then say "Email Password", a page comes up saying "your password has been emailed to..." and your email address.  That means that anyone can find out the email addresses of anyone who has posted on this website.  

Most people won't mind this, but it is a bit of a security weakness.  Surely you don't need to say which email address the password has been sent to - if people have forgotten their own email address then surely they can just sign in under a new name?

Dudley
Title: Re: Security um... thingie...
Post by: Tex Hex on 21 August, 2003, 08:18:47 PM
In that case, to avoid any subterfuge, my address is spacetimemapmaker@hotmail.com.

Title: Re: Security um... thingie......
Post by: Dudley on 21 August, 2003, 08:22:13 PM
Mine's a work one which is why I try to be a bit more circumspect.
Title: Re: Security um... thingie.........
Post by: Generally Contrary on 21 August, 2003, 08:33:14 PM
You know, Dudley, on a less innocent site, you might have just triggered a rush of password enquiries by curious boarders, eager to discover your real name and employer, facts you like to keep 'circumspect'.  I would post my e-mail willingly, if it weren't for spamtrawlers.
Title: Re: Security um... thingie...
Post by: Art on 21 August, 2003, 08:35:58 PM
Cor, thats handy if you want to figure out all Scojos fake email addresses.
Title: Re: Security um... thingie......
Post by: Dudley on 21 August, 2003, 08:50:28 PM
Confession: I work for a direct mail database company.  They supply email addresses - not spam, though the distinction is fine.  As such, people tend to think of me AS a spamtrawler!  The job makes me sensitive to how your email can get taken over by real junkmailers, the American ones - and after one nasty experience on a literature site, I'm scared of flamers as well.
Title: Re: Security um... thingie.........
Post by: Wake on 21 August, 2003, 09:10:12 PM
I'm afraid you've right. I noticed that a couple of months ago and haven't got around to plugging yet.

Wake
Title: Re: Security um... thingie.........
Post by: Generally Contrary on 21 August, 2003, 09:18:57 PM
No flamers here.  To be honest, as my experience of internet 'communities' is limited to here and the Scriptdroids yahoo group I don't have a full understanding of what a 'flamer' is.

Which just goes to show how fair and good (most) 2000AD fans are.  An excellent force in shaping young minds, I believe.
Title: Re: Security um... thingie...........
Post by: Wake on 21 August, 2003, 09:46:15 PM
I've just had a go at plugging the security hole. I'd appreciate it being checked though.

One of the reasons I hadn't done it before was that if you do try and use this to find out about other people, they will unexpectedly receive emails with their password.

The reason I had it there is the first place was because people often seem to register with invalid or misspelt email addresses.

Cheers,

Wake
Text only | Text with Images