Teresa's space https://www.fairyabc.com/?6264 [Favorites] [Copy] [Share] [RSS]

Public UIDs and Fabc's Awful Security

Hot 10 | Viewed 202 times | 2018-8-25 02:47

A recent conversation reminded me about something that's been bothering me for a while; I decided I'd write about it here, since I have nothing better to do with my life atm, apparently. ;)

When I first started posting here, people told me to engage more with the community, so when I used a little trick in-game, I figured I'd post a mini 'tutorial' about it. At the time, I didn't realize how public and important UIDs were in the fabc community. I actually thought that it was an accident that the ID was shown in users' space URLs, due to the horrendous URL generation instead of the usage of routes (but that's another issue). This leads me to one of the biggest issues with fabc's security.

Having UIDs public -- easily visible to everyone -- allows malicious users to spoof identities and impersonate anyone they please. Making UIDs private and hashed, and having the session validated -- allowing only those with sufficient database permissions to query them -- solves this problem, keeping attackers from accessing or intercepting them to change them.
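The fix the post proposes, as an added example that is not code from the site, from Discuz! or from the author: a uid taken from the URL is never the source of identity; the acting user comes only from a validated session, and the handle shown publicly is a keyed hash rather than the raw database id. The session store, function names and the server secret are all constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory session store for the example: token -> user id.
SESSIONS = {}


def create_session(uid: int) -> str:
    """Issue a random, unguessable session token bound to a user id."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = uid
    return token


def actor_from_url_uid(uid_param: str) -> int:
    """Weak pattern: the acting user is whatever ?uid= in the URL says.
    Anyone who knows a UID (they are visible in space URLs) acts as that user."""
    return int(uid_param)


def actor_from_session(session_token: str):
    """Hardened pattern: identity comes only from a validated session.
    Returns None when the token is unknown or expired; the URL uid is ignored."""
    return SESSIONS.get(session_token)


def may_edit_profile(session_token: str, target_uid: int) -> bool:
    """Authorization check: a session's user may edit only their own profile."""
    actor = actor_from_session(session_token)
    return actor is not None and actor == target_uid


def public_handle(uid: int, server_secret: bytes) -> str:
    """Opaque identifier to expose in URLs instead of the raw database id.
    HMAC is keyed, so the id cannot be recovered or a handle forged without
    the secret; the server maps handle -> uid internally."""
    digest = hmac.new(server_secret, str(uid).encode(), hashlib.sha256)
    return digest.hexdigest()[:16]
```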

Of course, this won't 100% solve all problems. There are other issues which can allow attacks through the cracks. That is why it is imperative for the forum pages to be secured with SSL, ASAP. Not having the login information encrypted is irresponsible. This is a tiny site, so it may never end up an issue, but you cannot be too safe. I'll say it again, please make sure that your password is not at all related to anything you use anywhere else. As it stands, your info can be easily intercepted, and honestly, the more I find out about the security on this site, the more I worry about how passwords are stored.

Another thing is that apparently this site is not version-controlled. That is truly terrifying.

Comments (8)

Reply ♥foxheart♥ 2018-8-26 17:17
The FairyABC staff should know about this! Have you tried contacting them about it?
Reply Teresa 2018-8-26 18:19
♥foxheart♥: The FairyABC staff should know about this! Have you tried contacting them about it?
I've talked about security issues several times, sometimes in forum, sometimes directly to Su. Su has taken a couple things into consideration, but generally they don't like to hear it.
Reply Lavender-Marie 2018-8-27 23:38
All excellent points! Unfortunately, the administration here doesn't take very kindly to criticism. I like the way you think :)
Reply ♥foxheart♥ 2018-8-29 19:52
Lavender-Marie: All excellent points! Unfortunately, the administration here doesn't take very kindly to criticism. I like the way you think :)
Even if it's constructive criticism?
Reply Twili~ 2018-8-29 22:27
♥foxheart♥: Even if it's constructive criticism?
especially if it's constructive criticism unfortunately :(
Reply ♥foxheart♥ 2018-8-29 22:30
Twili~: especially if it's constructive criticism unfortunately :(
That's a shame... Constructive criticism can be really helpful!
Reply Jeocalix-Inminf 2018-9-14 22:09
You have reason
Reply RaeCollins 2018-9-25 19:26
These are excellent points.
Fairyabc © 2016-2017 Powered by Discuz!