Sunday, 17 February 2013

TribalWars Forum: tribalwars security issue. (your villagers miss you email_id for show)

Feb 18th 2013, 04:50

I have been talking about this for a year; finally wrote it :D

http://www.s0ber.com/tribalwars-security-fail/


Tribal Wars user accounts are vulnerable to brute force via a link designed for convenience.

I received a "your villagers miss you" email from an old account that contains the link http://uk6.tribalwars.co.uk/login.ph...ssword=(hashed password stripped for my convenience)&email_id=21c5b3468a



Clicking this link logs you directly into your account. One would assume the email_id keeps this link secure, but it turns out to be just for show.



To the chagrin of everyone in the security field, I use the same password for my TW alts, and decided to do some testing.



http://en67.tribalwars.net/login.php?user=An Aroused Koala&password=(hashed password removed)

AND http://en67.tribalwars.net/login.php?user=An Aroused Koala&password=(hashed password removed)&email_id=21c5b3468a

BOTH log me in when the account is logged out, from a fresh browser with no cookies.

Why is this bad? http://gizmodo.com/5954372/the-25-mo...swords-of-2012 hashed (or any password dictionary)

+

http://en67.tribalwars.net/map/player.txt, a text file of all users, makes it quite easy to script a brute force of a world.
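The flaw the post describes, modelled as an added example (this is not TribalWars code, and nothing here talks to the site): a login handler that accepts the stored hash straight from the URL and never looks at `email_id`, a loop that shows what a public player list plus a short password dictionary buys an attacker against such a handler, and next to it the pattern the e-mail link should have used, a random, single-use, expiring token bound to the account and stored server-side only as a hash. The player names, passwords, dictionary words and the use of SHA-256 as the password hash are all constructed assumptions; the post does not say which hash the real link carried.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# ASSUMPTION: the post only says the link carries a "hashed password"; SHA-256
# stands in for whatever the real scheme was.
def password_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample world. In the real attack, player.txt supplies the names.
PLAYERS: Dict[str, str] = {
    "alice": password_hash("password"),
    "bob": password_hash("dragon"),
    "carol": password_hash("9&Rz!qL2#vT7wPm0"),
}

# Constructed stand-in for a "most common passwords" list.
DICTIONARY = ["123456", "password", "12345678", "qwerty", "dragon", "letmein"]


# --- Vulnerable pattern: the link carries the credential, email_id is cosmetic
def login_vulnerable(user: str, password: str, email_id: Optional[str] = None) -> bool:
    """Log in if the hash in the URL equals the stored hash.

    email_id is accepted but never consulted: the "just for show" behaviour
    the post describes. Anyone who can produce the hash is in.
    """
    stored = PLAYERS.get(user)
    return stored is not None and hmac.compare_digest(stored, password)


def brute_force_world(players, dictionary) -> Dict[str, str]:
    """Enumerate every account and try the hash of each dictionary word.

    With a public player list and no throttling, the attacker's cost is
    len(players) * len(dictionary) GET requests and nothing else.
    """
    cracked: Dict[str, str] = {}
    for user in players:
        for guess in dictionary:
            if login_vulnerable(user, password_hash(guess)):
                cracked[user] = guess
                break
    return cracked


# --- Hardened pattern: random, single-use, expiring token bound to the user
TOKEN_TTL_SECONDS = 24 * 60 * 60
_pending: Dict[str, Tuple[str, float]] = {}   # user -> (sha256(token), expiry)


def issue_login_token(user: str, now: float) -> str:
    """Generate the value to embed in the e-mail link instead of the password hash."""
    token = secrets.token_urlsafe(32)                    # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    _pending[user] = (digest, now + TOKEN_TTL_SECONDS)   # store only the hash
    return token


def login_hardened(user: str, token: str, now: float) -> bool:
    """Accept the link only if the token is unused, unexpired and bound to user."""
    entry = _pending.get(user)
    if entry is None:
        return False
    digest, expiry = entry
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(digest, presented):
        return False                          # wrong token: the real one stays valid
    del _pending[user]                        # consumed on first correct use
    return now <= expiry                      # an expired token is consumed, not honoured


def demo() -> Tuple[Dict[str, str], bool, bool, bool]:
    """Run both handlers on the constructed data and return the outcomes."""
    cracked = brute_force_world(PLAYERS, DICTIONARY)
    now = 1_700_000_000.0
    token = issue_login_token("alice", now)
    first = login_hardened("alice", token, now + 60)              # True
    replay = login_hardened("alice", token, now + 120)            # False: single use
    token2 = issue_login_token("bob", now)
    stale = login_hardened("bob", token2, now + TOKEN_TTL_SECONDS + 1)  # False: expired
    return cracked, first, replay, stale


if __name__ == "__main__":
    print(demo())
```

Against the vulnerable handler the public player list is the whole attack surface: every weak-password account on the world falls to the dictionary, and the `email_id` parameter changes nothing. With the hardened link (`user=alice&token=...`) the player list gives the attacker nothing to hash against, the token has 256 bits of entropy, dies at first use or after 24 hours, and a leaked server table holds only token hashes. Throttling on the ordinary password form is still needed; the token fixes the e-mail link, not the rest of `login.php`.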

