STO Gateway is Now Available
View Single Post
Join Date: Jul 2012
12-11-2012, 07:26 PM
Hmm ... yes, editing the character@user in the URL will show you someone else's things. I don't care if you see mine, but unless that is intentional, it is bad design. Not so bad here, but Citibank did it with CC numbers ... just change it in the URL and bam, access to someone else's account.
This will be a critical failure if this allows access to doffs and banks and mail ...
Security first, then you wont have to patch huge holes later, instead you will start with a solid wall.