STO Gateway is Now Available
View Single Post
Join Date: Jun 2012
12-11-2012, 07:34 PM
Originally Posted by
Hmm ... yes, editing the character@user in the URL will show you someone else's things. I don't care if you see mine, but unless that is intentional, it is bad design. Not so bad here, but Citibank did it with CC numbers ... just change it in the URL and bam, access to someone else's account.
This will be a critical failure if this allows access to doffs and banks and mail ...
Security first, then you wont have to patch huge holes later, instead you will start with a solid wall.
Being able to view other player's characters and BOFFs is akin to the original Captain's database -- please note that although you can see your Energy Credit and Dilithium totals, others can not while looking at your character.