View Single Post
Captain
Join Date: Jun 2012
Posts: 769
# 45
12-11-2012, 10:39 PM
Quote:
Originally Posted by chivalrybean View Post
Hmm ... yes, editing the character@user in the URL will show you someone else's things. I don't care if you see mine, but unless that is intentional, it is bad design. Not so bad here, but Citibank did it with CC numbers ... just change it in the URL and bam, access to someone else's account.

This will be a critical failure if this allows access to doffs and banks and mail ...

Security first, then you wont have to patch huge holes later, instead you will start with a solid wall.
You'll also note that if viewing one of your own characters, it says 'Welcome back <name>', whereas if you're looking at someone else's character, it says 'Personnel file for <name>', so Gateway knows that you're not looking at your own characters.

I'm quite happy we can see other people's characters, if I can't share links to my profile, or look at others, I would find it kind of pointless. I wouldn't mind if we could see skills and stuff too, like WoW's Armory, where you can see talents, and if you are the owner of the character, you have greater access, like handling auctions.
Ainu - Join Date: Aug 2008
Foundry Missions: 1) The Source of Power (ST-HSWUBD5TQ) [Federation] 16+
-----=====*****<[ Fleet Recruitment Thread ]>*****=====-----