Lt. Commander
Join Date: Jul 2012
Posts: 155
# 41
12-11-2012, 07:26 PM
Hmm ... yes, editing the character@user in the URL will show you someone else's things. I don't care if you see mine, but unless that is intentional, it is bad design. Not so bad here, but Citibank did it with CC numbers ... just change it in the URL and bam, access to someone else's account.

This will be a critical failure if this allows access to doffs and banks and mail ...

Security first, then you won't have to patch huge holes later; instead you will start with a solid wall.
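
The server-side check this post is asking for, as an added example that is not part of the original post and not the site's actual code: the `character@user` handle from the URL is only used to locate the data, while the decision to serve private sections comes from the logged-in session. The section names, `Session`, `authorize` and the public/private split are assumptions made for illustration.

```python
# Added illustration: object-level authorization for character@user URLs.
# Every name here (Session, authorize, the section sets) is hypothetical.
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: which sections are public is a design decision. The post names
# doffs, banks and mail as the ones other users must never be able to read.
PUBLIC_SECTIONS = {"profile"}
PRIVATE_SECTIONS = {"doffs", "bank", "mail"}


@dataclass(frozen=True)
class Session:
    account: str  # set by the server at login, never taken from the URL


class Forbidden(Exception):
    """Raised when the request must be refused."""


def parse_handle(handle: str) -> Tuple[str, str]:
    """Split 'character@user' into (character, user); reject anything else."""
    character, sep, user = handle.partition("@")
    if not sep or not character or not user or "@" in user:
        raise ValueError(f"malformed handle: {handle!r}")
    return character, user.lower()


def authorize(session: Optional[Session], handle: str, section: str) -> str:
    """Return 'public' or 'owner' for an allowed request, else raise Forbidden."""
    _, owner = parse_handle(handle)
    if section in PUBLIC_SECTIONS:
        return "public"  # intentionally visible to anyone
    if section not in PRIVATE_SECTIONS:
        raise Forbidden("unknown section")  # default deny
    # The handle in the URL is attacker-controlled input; compare it with the
    # authenticated account instead of trusting it.
    if session is None or session.account.lower() != owner:
        raise Forbidden("handle does not belong to the logged-in account")
    return "owner"


if __name__ == "__main__":
    # Constructed sample requests: (logged-in account, handle in URL, section)
    for acct, handle, section in [("alice", "Kirk@alice", "mail"),
                                  ("bob", "Kirk@alice", "profile"),
                                  ("bob", "Kirk@alice", "mail")]:
        try:
            print(acct, handle, section, "->", authorize(Session(acct), handle, section))
        except Forbidden as exc:
            print(acct, handle, section, "-> 403:", exc)
```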