Yeah, better to be safe than sorry though.

"amico caro, te lo dico io.. tu fatti nu poco li cazzi tua e non rompere i coglioni"

( lol don't get mad goggers, it's just a quote from his avatar.. an italian senator.. really -_- )

The code injection on the Cities: Skylines wishlist entry does, indeed, currently not do anything remotely malicious (just annoying), it displays a dialogue box with the digit "1" for every link in the page (so, a bunch of boxes). Still though, it does prove that one could, theoretically, use the method to inject truly malicious code.

The data in userData.json is used by the site front-end to -- among other things -- populate the notifications area (get the numbers of friend requests, new chat messages, forum replies, and updates), get the active currency and language, and know which currencies are valid for the current country.

Thanks for the info, I didn't really look into it much... just looked at the code real quick. xD

I did. Now tell me, do you really like turtles?

Sure I do. As long that they are trained in the use of nunchucks. Statistics show it's unwise to dislike anything that nunchucks.

Has this glaring security hole been fixed yet? I'm still afraid to use the wishlist

I haven't used the wishlist, friends stuff, my wishlist, or Galaxy since this started.

only thing I've used is chat.

hmm, tried it out. Still opening windows with "1" displayed. nothing crashed with firefox.
But I'm not sure this could be used to hijack account info, since to change the password one has to enter it first even when already logged in.
So even if they get the session cookie, noone should be able to get one's account (by changing password) nor buy anything (at least with paypal you need to enter that password first, don't know how it is with credit card).
Still, would be nice if gog fixed this bug.

Does anyone know anything about whether it has been fixed yet?
Also, is it possible to do the same thing in the forums? (Edit: just tested, doesn't seem to be possible)

I took one for the team. It's still there.

I sent a support request telling them about this a week ago and I still haven't gotten a reply. Has this been fixed yet? I'm STILL afraid to use the wishlist feature on this site.

So,

GOG have a significant number of people complaining that their account is being hacked.
GOG claim that there is no security hole and it is user error for giving away their passwords
GOG have an XSS vulnerability on their site that would allow nasty people (with a bit of effort) to steal user's passwords, which they have left unfixed for the almost exact period over which accounts have been hijacked.

Did I miss something?

I sent a ticket the same day this was reported. Got a reply two days ago. Supposedly the devs are looking into it.

Apparently so are some Russians.