MAJOR Security flaw in HTML 5 Publishing links!

beefy_clyro Member Posts: 5,394
in Working with GS (Mac)
Hi Everyone

Seen this a few times now, so I thought I'd create a thread to hopefully stop you doing this.

When you publish to HTML5 and then copy the link to the forum, make sure your link looks like this only:

http://gamesalad.com/game/55555

If you post a link similar to this:

http://gamesalad.com/game/55555?GSCVersion=0.9.71&tokenUsername=YOURUSERNAME&token=c01a82e6d0d316b85f308cf4ac001b70615f91a490620cce012a4dada06be67a

Where 'YOURUSERNAME' is actually your real GS username, if people click that full link they log in as you, under your account. This means they have access to EVERYTHING!!! Be warned and be very CAREFUL. I have emailed support@gamesalad.com and bugs@gamesalad.com, so hopefully they will sort this immediately.

Note - The example links I have provided have been edited so they will not lead to any games; I didn't want to post anything close to anyone's real links!

Comments

  • Photics Member Posts: 4,172
    Wow, nice catch!
  • Photics Member Posts: 4,172
    RKS said:
    I caught this :(

    OK, good looking out! :)
  • beefy_clyro Member Posts: 5,394
    RKS .. It's not a competition. Ha. I caught this a while ago, but nearly all arcade games I saw never had the rest of the links; just tonight alone I've seen 2, thus I felt the need to warn users.

    So I can't really prove whether you or I found it first, nor do I care to be honest, just giving everyone a heads up.
  • beefy_clyro Member Posts: 5,394
    RKS said:
    @phonics I caught this :(

    Oh, and just so you know, it's Photics and not Phonics ... You might want to catch that one ;)
  • tenrdrmer Member, Sous Chef, Senior Sous-Chef Posts: 9,934
    Thanks Beefy, I have forwarded this thread to a few additional Emails just to make sure.

    I personally never liked that first link it gives when you publish, so I have always gone and got the short one, but I had no idea about it logging you in.
  • tenrdrmer Member, Sous Chef, Senior Sous-Chef Posts: 9,934
    Just an update I got word back they are looking into it.

    Thanks again.
  • adent42 Key Master, Head Chef, Executive Chef, Member, PRO Posts: 3,292
    This link is meant to let you log in so you can see the game as "you" (as there's no connection between GameSalad Creator and your web browser). It's a temporary token that expires after some time.

    That being said, please don't pass around this "long" link. In the meantime, we'll be putting in some fixes that will make this link safer (quicker expiration, forwarding a user to the same page without the token parameters, etc).

    Thanks for the catch! Sometimes when you're developing, you forget how people might slip and give out data that they were not meant to.
  • beefy_clyro Member Posts: 5,394
    Excellent, pleased to hear.
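The advice in the opening post (paste only the short link) and the server-side fixes adent42 describes (quicker expiration, forwarding the user to the same page without the token parameters), worked through as an added example. This is not GameSalad's code and not code from anyone in the thread. The parameter names GSCVersion, tokenUsername and token are taken from the links quoted above; the token store, the redeem step, the 60-second lifetime and the single-use rule are assumptions about how such a fix could be built, not a description of what GameSalad actually shipped.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names taken from the links quoted in the thread. Only tokenUsername
# and token carry login material, but the "clean" link in the thread has none
# of the three, so all three are stripped from anything meant to be shared.
LOGIN_PARAMS = {"GSCVersion", "tokenUsername", "token"}


def strip_login_token(url: str) -> str:
    """Return the shareable form of a publish link: the same URL minus the login parameters."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in LOGIN_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


def is_safe_to_share(url: str) -> bool:
    """True when the link carries no login parameters at all."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return not any(k in LOGIN_PARAMS for k, _ in query)


class LoginTokenStore:
    """Hypothetical server-side store for one-shot, short-lived login tokens.

    A token is bound to the user it was issued for, can be redeemed once, and is
    dead after ttl_seconds. The clock is injectable so expiry can be exercised
    in a test without sleeping.
    """

    def __init__(self, ttl_seconds: int = 60, clock: Callable[[], float] = time.time):
        self.ttl_seconds = ttl_seconds
        self.clock = clock
        self._tokens: Dict[str, Tuple[str, float]] = {}

    def issue(self, username: str) -> str:
        token = secrets.token_hex(32)          # 256 bits from the OS CSPRNG, not guessable
        self._tokens[token] = (username, self.clock())
        return token

    def redeem(self, token: str, claimed_username: str) -> Optional[str]:
        """Return the username the token was issued for, or None if it is unusable."""
        entry = self._tokens.pop(token, None)  # pop: a token works exactly once, valid or not
        if entry is None:
            return None                        # unknown or already used
        username, issued_at = entry
        if self.clock() - issued_at > self.ttl_seconds:
            return None                        # too old; a link found later on a forum is useless
        if username != claimed_username:
            return None                        # token does not belong to the username in the link
        return username


def login_redirect(store: LoginTokenStore, url: str) -> Tuple[Optional[str], str]:
    """Server handler for a publish link.

    Returns (logged_in_user, redirect_target). The redirect target is always the
    token-free URL, whether or not the login succeeded, so the browser never keeps
    the secret in its address bar or history. This is the "forwarding" fix from
    the thread; the expiry and single-use checks live in the store.
    """
    query = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    user = None
    if "token" in query and "tokenUsername" in query:
        user = store.redeem(query["token"], query["tokenUsername"])
    return user, strip_login_token(url)


if __name__ == "__main__":
    # Constructed walk-through of the forum scenario; "alice" is a made-up user.
    store = LoginTokenStore()
    long_link = ("http://gamesalad.com/game/55555?GSCVersion=0.9.71"
                 f"&tokenUsername=alice&token={store.issue('alice')}")
    print("safe to paste on the forum:", is_safe_to_share(long_link))
    print("paste this instead:", strip_login_token(long_link))
    print("owner's first click:", login_redirect(store, long_link))
    print("someone who found it on the forum later:", login_redirect(store, long_link))
```

Run on its own, the module walks through the scenario from the thread: the first click on the long link logs in as its owner and lands on the short URL; a second click, which is what anyone who found the link in a forum post would be doing, gets the same clean redirect and no session. A token presented with the wrong tokenUsername is also burned by the redeem step, so a guessed or mismatched username cannot be retried against the same token.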