Author Topic: [website] possible security violation??  (Read 1991 times)

Technomage

  • Traveller
  • Posts: 12
[website] possible security violation??
« on: May 15, 2008, 04:19:30 am »
this comes under the heading of "requested change of password by parties unknown".

approximately 13 hours ago (0518 Arizona time) someone requested a change of password
on my account in the game. Since I did not request this, I am posting here per the advice of
underthemoon and XilliX.

2 questions:
1. has this happened to anyone else (could be someone harvesting e-mails using a script)
2. what additional security will be needed to prevent this?

as for point one, this seems a little off the beaten path, but then, e-mail addresses are MONEY
to the right people.

as for point 2, I have already changed my password in accordance with both the policy of the site and my own
(in order to prevent any unauthorized entry).

so? am I the only one to notice?

I request that the maintainers look at the logs to see who requested this change please.

thanks

Sen

  • Hydlaa Notable
  • Posts: 746
Re: [website] possible security violation??
« Reply #1 on: May 05, 2009, 10:19:48 am »
Hello

As far as I remember, the forgot-password function sends an email to you, and then you can change the password using a one-time link mentioned in the email. So, even if someone else starts this process for you, it's not of much use to him since only you will get this email with that link...
Do I understand correctly that your password was not changed by someone else?

Much more interesting is the possibility of sending PlaneShift people emails with cross-site scripting in them (assuming there is one on the webpage). This way they might be able to fake the password change process. In case you enter your valid password again, they'd know it, for example.
Even better would be an SQL injection where you can alter or get some information from the account/game database :)
Unfortunately, I do not know of either vulnerability, though the forum mentions some SQL error for the applying function...... ;)

But, in general, if I remember the process right, there's not much you can do since, as said, even entering valid email addresses doesn't help an attacker much since he doesn't get the password-change link.

Sen
.....also a saddle that won't pinch the tail. One day!
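The one-time-link flow Sen describes above, written out as an added example (this is not PlaneShift's code, and the site URL, token lifetime and account data are assumptions made for the demo). It shows why submitting someone else's address to the forgot-password form gains the requester nothing: the link goes only to the mailbox on file, the form replies identically for known and unknown addresses, and the token is random, stored only as a hash, expires, and can be used once.

```python
"""Password-reset flow with an emailed one-time link (added example; not PlaneShift's code)."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link
NEUTRAL_REPLY = "If that address is registered, a reset link has been sent."
RESET_URL = "https://example.invalid/reset?token="  # placeholder site, not the real one


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 with a per-password salt, stored as hex(salt)$hex(digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    return secrets.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


@dataclass
class Account:
    email: str
    password_hash: str


@dataclass
class ResetStore:
    accounts: dict                               # lowercase email -> Account
    pending: dict = field(default_factory=dict)  # sha256(token) -> (email, expires_at)
    outbox: list = field(default_factory=list)   # (recipient, link) the mailer would send


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(store: ResetStore, email: str, now: Optional[float] = None) -> str:
    """Anyone may call this with any address; only the mailbox owner receives the link."""
    now = time.time() if now is None else now
    account = store.accounts.get(email.strip().lower())
    if account is not None:
        token = secrets.token_urlsafe(32)  # unguessable; the raw token lives only in the email
        store.pending[_token_hash(token)] = (account.email, now + TOKEN_TTL_SECONDS)
        store.outbox.append((account.email, RESET_URL + token))
    return NEUTRAL_REPLY  # same reply either way, so the form does not confirm addresses


def complete_reset(store: ResetStore, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Consumes the token: a guessed, replayed or expired token all fail."""
    now = time.time() if now is None else now
    entry = store.pending.pop(_token_hash(token), None)
    if entry is None:
        return False
    email, expires_at = entry
    if now > expires_at:
        return False
    store.accounts[email].password_hash = hash_password(new_password)
    return True


def demo() -> dict:
    """Walks through the scenario from the thread with constructed data; returns what happened."""
    owner = "tech@example.invalid"
    store = ResetStore({owner: Account(owner, hash_password("old-secret"))})
    t0 = 1_000.0
    # Someone who is not the owner submits the owner's address, and also a random one.
    reply_known = request_reset(store, owner, now=t0)
    reply_unknown = request_reset(store, "random@example.invalid", now=t0)
    recipients = [to for to, _ in store.outbox]
    token = store.outbox[0][1][len(RESET_URL):]
    # Without the mailbox the requester can only guess a token.
    guessed = complete_reset(store, secrets.token_urlsafe(32), "pwned", now=t0 + 1)
    # The owner clicks the real link; replaying the same link afterwards fails.
    first_use = complete_reset(store, token, "new-secret", now=t0 + 60)
    replay = complete_reset(store, token, "again", now=t0 + 61)
    # A link left unused past its lifetime is dead too.
    request_reset(store, owner, now=t0)
    stale = store.outbox[-1][1][len(RESET_URL):]
    expired = complete_reset(store, stale, "late", now=t0 + TOKEN_TTL_SECONDS + 1)
    return {
        "same_reply": reply_known == reply_unknown,
        "recipients": recipients,
        "guessed": guessed, "first_use": first_use, "replay": replay, "expired": expired,
        "old_password_works": verify_password("old-secret", store.accounts[owner].password_hash),
        "new_password_works": verify_password("new-secret", store.accounts[owner].password_hash),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows a single email in the outbox, addressed to the account owner, while the guessed, replayed and expired tokens are all rejected; the thing worth checking in a real deployment is that the token is never logged or echoed back to the requester, since the mailbox is the only thing standing between a stranger's reset request and the account.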

Strownox

  • Wayfarer
  • Posts: 2
Re: [website] possible security violation??
« Reply #2 on: May 05, 2009, 12:13:04 pm »
Here's what I think:

4 cases:

1) Either someone knows your mail address and sent a password change request
  • The guy already knew your mail
  • If you are sufficiently briefed about your security, this guy can't open your mailbox

2) Someone is spamming the website with random mails, trying to learn real ones
  • More spammers know your mail (that's not such a big deal)
  • It's a security breach on the website, but they can see if there are a zillion password requests
  • I'm pretty sure nobody would spend that much power on the PS site, not enough people for them

3) This is a phishing mail (doesn't redirect to the right page)
  • Definitely dangerous (for your PS account, no more)
  • But you can make sure whether it's a real or fake mail

4) Some guy made a typo writing his own mail and wrote yours
  • No big deal at all


Cases 2 and 3 are the most dangerous and the least probable.
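Strownox's case 2 and the original poster's request that the maintainers check the logs both come down to the same question: does the forgot-password form show a burst of requests from one client for many different addresses? The following is an added example, not code from the PlaneShift site, that answers it over a constructed log excerpt in an assumed format (timestamp, client IP, method, path, submitted address). It reports, per client IP, the highest number of requests and of distinct addresses seen in any 10-minute window, and flags clients that exceed a threshold; a single mistyped address (case 4) or one user retrying (two requests for the same address) stays below it.

```python
"""Spotting scripted password-reset requests in web logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log lines in an assumed format: "<timestamp> <client-ip> <method> <path> email=<addr>".
SAMPLE_LOG = """
2009-05-05T05:17:55 192.0.2.9 GET /forgot_password
2009-05-05T05:18:01 203.0.113.7 POST /forgot_password email=anna@example.invalid
2009-05-05T05:18:04 203.0.113.7 POST /forgot_password email=bob@example.invalid
2009-05-05T05:18:09 203.0.113.7 POST /forgot_password email=carla@example.invalid
2009-05-05T05:18:14 203.0.113.7 POST /forgot_password email=dave@example.invalid
2009-05-05T05:18:20 203.0.113.7 POST /forgot_password email=tech@example.invalid
2009-05-05T05:18:27 203.0.113.7 POST /forgot_password email=eve@example.invalid
2009-05-05T05:19:40 198.51.100.2 POST /forgot_password email=tech@example.invalid
2009-05-05T05:25:02 192.0.2.9 POST /forgot_password email=Frank@example.invalid
2009-05-05T05:27:30 192.0.2.9 POST /forgot_password email=frank@example.invalid
""".strip().splitlines()

# Only submissions of the form count; page views and other paths are ignored.
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) POST /forgot_password email=(?P<email>\S+)$")

Event = Tuple[datetime, str, str]  # (timestamp, client ip, submitted address)


def parse_log(lines: List[str]) -> List[Event]:
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
            events.append((ts, m["ip"], m["email"].lower()))
    return events


def window_stats(requests: List[Tuple[datetime, str]], window: timedelta) -> Tuple[int, int]:
    """Max requests and max distinct addresses from one client inside any window of the given length."""
    evs = sorted(requests)
    best_requests = best_distinct = 0
    start = 0
    for end in range(len(evs)):
        while evs[end][0] - evs[start][0] > window:  # slide the window's left edge forward
            start += 1
        in_window = evs[start:end + 1]
        best_requests = max(best_requests, len(in_window))
        best_distinct = max(best_distinct, len({addr for _, addr in in_window}))
    return best_requests, best_distinct


def flag_enumeration(events: List[Event], window: timedelta = timedelta(minutes=10),
                     max_requests: int = 5, max_distinct: int = 3) -> Dict[str, dict]:
    """Clients whose burst of reset requests looks like address harvesting rather than one user."""
    by_ip = defaultdict(list)
    for ts, ip, addr in events:
        by_ip[ip].append((ts, addr))
    flagged = {}
    for ip, reqs in by_ip.items():
        requests, distinct = window_stats(reqs, window)
        if requests > max_requests or distinct > max_distinct:
            flagged[ip] = {"requests": requests, "distinct_emails": distinct}
    return flagged


if __name__ == "__main__":
    for ip, stats in flag_enumeration(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {stats['requests']} requests, {stats['distinct_emails']} distinct addresses")
```

On the constructed excerpt only 203.0.113.7 is flagged (six requests for six addresses in under a minute); the lone request from 198.51.100.2 and the two same-address retries from 192.0.2.9 look like the harmless cases in the list above. The thresholds are assumptions to tune against the site's normal traffic, and a per-client rate limit on the form is the matching mitigation.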

Parallo

  • Forum Addict
  • Posts: 2035
  • Ꞇíꞃ Luıᵹ̇ꝺeaċ
Re: [website] possible security violation??
« Reply #3 on: May 05, 2009, 01:20:44 pm »
Here's what I think:

They can do nothing without access to your email address, which means already knowing the password for that, which means this person is going to awful lengths to obtain a free account for an online game without revealing his true identity, from which we can conclude he has a secret identity, which obviously means that it is Superman.
I suggest the statue of Laanx gets turned into a statue of Parallo <3. An NPC could never replace the huge hole he left in my heart when he died  :'(

Pizik

  • Hydlaa Citizen
  • Posts: 235
Re: [website] possible security violation??
« Reply #4 on: May 05, 2009, 02:29:29 pm »
Someone knew his email, entered it in the password recovery box thinking that the password would be displayed on the website, -obviously- it wasn't. The mail was sent to his email address so only he saw it. The system works.
Proceeding through life like a cat without whiskers, perpetually stuck behind the refrigerator.