HUGE link bug!

Guest

HUGE link bug!

Post by Guest » 19.02.2007, 01:17

I found a very huge link bug in the game..
A friend told me about the game, and since I started we have been sending links, like from the market and stuff.
Just now I saw a thing: every time I press a link he sends me, I get logged in to his account!!!
And I can change ALL his stuff if I want to!

I have tried some times now to press the links he sends me, and it always works and I get logged in to his account..! I think you should do something about this!

Hmm.. Where can I find my user ID anyway? :P

Guest

Post by Guest » 19.02.2007, 08:25

You can find your own user ID, for example, in the office -> profile -> Advertiser link http://www.kapilands.com/main.php4?werber=xxx

Another way would be: warehouse -> showcase -> there are three links, and in every link you can find the term >user=xxx<

Another way:
help -> FAQ -> first line

Guest

Post by Guest » 19.02.2007, 09:04

He knows every way :) I think he has been getting into your account :) jj

Tycoon
Moderator off duty
Posts: 1911
Joined: 21.01.2007, 11:04

Post by Tycoon » 19.02.2007, 09:51

Please keep in mind: the Kapi Team will never ask for your password! If you get such a message, please inform one of the forum moderators immediately! An account that has been deleted or destroyed in some other way cannot be recovered!
Please also don't paste any URL from your account, as anyone could log in to your account if he knows those exact links.
If you go into the office and click on a message you received, you will see this text... it is mentioned there that you should not give out the URL from your account... so this is no bug ;-)

Guest

Post by Guest » 19.02.2007, 11:05

But it's a security risk. It would work better if the UID were saved in a cookie instead of in the URL.

Guest

Post by Guest » 19.02.2007, 15:31

Morgil is right. Just because the developers know about an issue and decide to tell people "don't do that..." doesn't mean that it's not a risk.

Especially since there is actual money involved for those players who choose to purchase coins for various reasons, glaring security risks like this should be addressed.

Guest

Post by Guest » 21.02.2007, 15:29

That's not a bug... The point is that we want users to be able to log in even with very restricted browser privacy settings (when they are at work, for example). So you don't need cookies enabled to log in, and if you don't have them enabled, the exact link is all someone needs to get into your account.
But if a user logs in with cookies enabled, there is also a cookie security check.
Anyhow, it is always risky to post an exact URL, but I think there should be enough warnings about it...

Regards,
Aru
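
To make the distinction Aru draws concrete, here is an added Python model (not code from Kapilands or from anyone in this thread) of the two checks side by side: a bare `user=xxx` query parameter as the whole credential, beside a session id that only works when paired with a cookie set at login. The user table, session store, cookie name `kapi_auth` and parameter name `sid` are assumptions made for the illustration.

```python
import hmac
import secrets

# Constructed stand-ins for the game's user table and session store
# (assumptions: the real site's storage and field names are unknown).
USERS = {"4711": "player_one"}
SESSIONS = {}  # session id -> {"user": user id, "cookie_secret": value set in the login cookie}


def login_weak(request):
    """The scheme discussed in the thread: the 'user=xxx' query parameter
    is the entire credential, so anyone holding the URL is logged in."""
    return USERS.get(request["query"].get("user"))


def start_session(user_id):
    """Issue an unguessable session id for the URL plus a separate secret
    that is only ever sent in an HttpOnly cookie (never shown in a link)."""
    sid = secrets.token_urlsafe(32)
    cookie_secret = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user_id, "cookie_secret": cookie_secret}
    return sid, cookie_secret


def login_hardened(request):
    """Aru's 'cookie security check' made explicit: the URL token must be
    paired with the cookie issued at login, so a forwarded link alone fails."""
    session = SESSIONS.get(request["query"].get("sid", ""))
    if session is None:
        return None
    presented = request["cookies"].get("kapi_auth", "")
    # Constant-time comparison avoids leaking the secret through timing.
    if not hmac.compare_digest(presented, session["cookie_secret"]):
        return None
    return USERS.get(session["user"])


def demo():
    """Replay a link forwarded to a friend (query string only, no cookies)
    against both schemes, then the owner's own browser against the hardened one."""
    sid, cookie_secret = start_session("4711")
    forwarded_link = {"query": {"user": "4711", "sid": sid}, "cookies": {}}
    own_browser = {"query": {"sid": sid}, "cookies": {"kapi_auth": cookie_secret}}
    return {
        "weak_from_link": login_weak(forwarded_link),
        "hardened_from_link": login_hardened(forwarded_link),
        "hardened_own_browser": login_hardened(own_browser),
    }


if __name__ == "__main__":
    print(demo())
```

The trade-off Aru describes is visible here: the hardened check is exactly what the cookie-less login path has to give up.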

Guest

Post by Guest » 21.02.2007, 16:12

Yes, you should put some frame tags and the GET function will work almost the same, and instead of having a lot of stuff in the title you could have just kapilands.com.
In fact I am working on that, because I can do PHP, MySQL and HTML, and I know it is possible, so as soon as I remember how to do it I'll publish here the way to do it =)

Guest

Post by Guest » 23.04.2007, 02:55

Aru wrote: That's not a bug... Anyhow, it is always risky to post an exact URL, but I think there should be enough warnings about it...

Regards,
Aru

With the recent account hijackings that we've seen, due directly to the fact that our password information is so readily available for users to inadvertently copy to others, perhaps we need to revisit this notion that it's not really a big deal.

:!:
