Rozenman: Сan you be safe if you use Galaxy only?

Avogadro6: Guys, guys, it's all fine. I'm sure if there was a problem Gog would have informed us!

jpilot: Probably not. The Galaxy client seems to use an embedded webbrowser to display most of its content, so the same things apply here.
jpilot: No, it is not fine. This is a serious issue and it should be fixed as soon as possible and people should be aware of it to at least be able to roughly understand what could happen.

Avogadro6: Guys, guys, it's all fine. I'm sure if there was a problem Gog would have informed us!

jpilot: Just to explain a little bit: The thing is, once you are able to insert arbitrary JavaScript code into a website (which obviously is the case here), you can execute that code with the permissions the user's webbrowser grants the scripts on that page (the browser simply cannot distinguish that malicious code from normal code used by the website), which means, the script has access to all data available to to it immediately through the global JavaScript context, as well as through any AJAX script or any website URL on that same host. So the script could possibly (and this is very likely as there does not seem to be a validation of that change through a confirmation email) even change your own password without you knowing it.

Avogadro6: Nobody gets the reference. :( But yeah, this isn't the first time users find an exploitable vulnerability the staff was not aware of. Last time it took several hours to fix, but then again it was the middle of the night, so hopefully today they'll be faster. Until then, it's probably better if this thread gets deleted and the whishlist disabled.

tfishell: http://www.gog.com/wishlist/games/cities_skylines

"a","alert(1)"] 23 hrs. ago manifest_pw
"></img src=x onerror=alert(1)/>

haydenaurion: OP, please edit your post to remove that link and to warn others about not clicking it so that we don't get anymore that accidentally click it...

haydenaurion: ...

tfishell: Ah sorry, forgot about this thread. :P Done.

tfishell: Ah sorry, forgot about this thread. :P Done.

haydenaurion: OP, please edit your post to remove that link and to warn others about not clicking it so that we don't get anymore that accidentally click it: http://www.gog.com/forum/general/i_think_my_account_got_hacked/post33

Thank you.

JDelekto: I can confirm that there is some Javascript injection going on there from the forum itself. You can actually use the Web debugging tool "Fiddler" to see the request/response and then use your developer tools (in my case, F12 in Chrome) to trace through it.

Very clever. :)
BTW, there is a request for userData.json, which is somewhat revealing.