At the moment it is possible for an attacker to execute any code they desire under your authenticated browser session. This post is a simple demonstration. Click the reply button to see what I'm talking about.

As you can see the Cancel and Post buttons were removed and replaced with identical ones that, which currently just warn you, but could be programmed to just cancel and post, so you wouldn't even know that something is wrong. In the meantime just the act of clicking the reply button is enough to execute code.

TL:DR - DO NOT REPLY TO ANY POSTS UNTIL THIS IS FIXED!

UPD: Looks fixed now! It's probably safe to reply once again!

Have you reported the issue to GOG staff?

Not a PSA!


Oh, I thought he said pizza.

That's odd, I could swear they filtered out/escaped HTML and javascript in the past...

Could this also be done with the quick reply option added by Barefoot Essentials or is that safe?

Other than that, good to know. Let's hope no one abuses it until it's fixed. Which, I'm sure, will be Soon™.

@WinterSnowfall:

The forum is supposed to escape any harmful HTML and JavaScript, but, of course, computer programs have bugs.

You know, as long as you trust the person that's posting, there shouldn't be any issues with replying. Only the owner of a post can add nasty content ;).

I guess the general IRL rule of "don't reply to strangers" now applies to the GOG forums as well.

> Only the owner of a post can add nasty content ;)

That is questionable. I don't see anything that would prevent a compromised user from auto-posting and compromising more users.

Browser hijacking is not as easy as it sounds, but I guess you're right... an ill intentioned party could write a replicating payload. Let's not all get panicky now though, modern browsers are pretty sandboxed these days, so I doubt a potential attack would have very much potency.

Try not to log onto other sites in parallel when accessing the forums with the intent to reply though... at least not until this issue is fixed.

Ah, a fellow replier!

I have had worse. Remember the (probably hoax) call to supermarket stating no topping on pizza:
http://www.dailymail.co.uk/news/article-1179755/Shopper-complains-pizza-topping--realising-upside-down.html

> modern browsers are pretty sandboxed these days

Very true. However, they are also very ubiquitous and we use them in a lot of aspects of our lives.

Without trying to come up with REALLY scary scenarios, let me give you an example:

GOG uses the same authentication cookie (which, by the way, never expires - AHAHA!) for both the forums and the rest of the site. This means that hijacking an authenticated session means an attacker will have full access to your GOG account. If you have money in your wallet, they can buy themselves a game or two. They can contact support and ask to have games removed. They can post on the forums and so on.

I honestly recommend avoiding that reply button for the time being.

No, apparently he thought that pointing the security issue to the whole world makes way more sense :D

The OP once claimed that I was a severe threat and claimed that I had ordered a group of people to intentionally spam delete any post I disagreed with, via a script, in an attempt to take over the forum.

Ever since then I've learned not to take his warnings very seriously. :P