gogtrial34987: It's interesting how you found it minutes after I did and decided to edit out the proof of concept from my post and go report it responsibly. (Which I did, and which was taken seriously.) Then again, the issue is trivial to such a degree that I'd give you even odds all the same of having found it independent of having seen my post.

But either way, not cool exposing this publicly like this without giving GOG time to fix.
Wait, what? o_O

If you recall, I was the one who started testing it and explicitly said that I was looking for an injection vulnerability. Then you joined me. I'm not sure who found it first, it could very well have been you, I wasn't exactly keeping tabs since I was focusing on testing, but it isn't surprising at all that we both found the same thing after specifically looking for it in the same place.

As to revealing it, I personally firmly believe that in cases like this it's better to demonstrate an issue rather than quietly report it. This way the users are warned at least. You and I found it in 10 minutes and don't know if someone is already using it. We owe it to the rest of the user base to immediately sound the alarm. If GOG fixes it soon — great. If not, at least the people will know what not to do.
avatar
Firek: I did my best to find a related ticket written by you on this subject, but found none.
I also tried to look for tickets made by other accounts, using some relevant keywords, but the only result I got was a report about this thread itself.

Please let me know how you attempted to report this issue to us, so that we can see if, and where, it might have fallen through some crack.
I didn't make any support tickets. Instead I personally described the issues I found to your staff members. In fact you could say I annoyed some of them to the point where they stopped answering.

And it's not like the reported issues are getting immediately worked on. We all know that the forms are broken in so many ways that users have created entire software suites to mitigate that. Or are you saying that this is only because nobody bothered with creating a proper ticket?

Either way, I'll be happy to repeat my findings and recommendations for fixes to an actual engineer working on this. Typing up a ticket that goes to disappear into the void doesn't seem like a great idea though.
Post edited August 25, 2017 by Alaric.us
You have engineers?

I had no clue GOG even owned any trains.
avatar
tinyE: (manual quote)
TinyE, you're like a guy making jokes while the ship is on fire XD
Post edited August 25, 2017 by phaolo
avatar
You flew from US to Poland and personally caught some GOG employee and explained the issue to them? Somehow I doubt that. If you mean personally as "here on GOG forums", you can still point at the posts and how you were ignored, then your reply and the way you decided to address it have some merit. You can still retain few internet points for not doing anything malicious with your discovery, but seriously... "there are proper channels but I won't use them because I know I'd be ignored even when I didn't try" seems pretty hollow.

I doubt any engineer worth such title will have problem diagnosing what you did and need your help to fix it, it's only couple of minutes with dev tools to see how it works. Clever exploit, but there is such a thing as responsible disclosure too.
avatar
I'd agree with you if not for the slim amount of users on this place. Maybe somewhere where there's thousands or even hundreds of people, sure. But here, where there's maybe 60 of us posting on a good day? You probably tipped off more people than you're protecting. Add to that the fact that it's probably a minority of users who'll even see this thread or be made aware of the problem. Now those with malicious intent who didn't know about it will have the opportunity to take advantage of it, while the majority of people will just go on replying without knowing this was even happening.

I get where you're coming from, but given the circumstances, it was honestly a bad idea. The best you've done is force the staff's hand, and even at that they're STILL likely to be slow in fixing it, given their track record.
avatar
Would it've hurt you to go ahead and send one anyways on top of the personal description? I can't see any logical reason why you didn't do it. That should've been your main avenue, with going to the staff in PM or whatever as your "just in case" plan if the ticket was ignored (especially given the fact that both forum replies and PM notifications are currently broken or at least bugged).
Post edited August 25, 2017 by zeogold
high rated
As you can see the issue has been fixed.
Post edited August 25, 2017 by litek
avatar
huan: You flew from US to Poland and personally caught some GOG employee and explained the issue to them? Somehow I doubt that. If you mean personally as "here on GOG forums", you can still point at the posts and how you were ignored, then your reply and the way you decided to address it have some merit. You can still retain few internet points for not doing anything malicious with your discovery, but seriously... "there are proper channels but I won't use them because I know I'd be ignored even when I didn't try" seems pretty hollow.

I doubt any engineer worth such title will have problem diagnosing what you did and need your help to fix it, it's only couple of minutes with dev tools to see how it works. Clever exploit, but there is such a thing as responsible disclosure too.
Yea, I flew to Poland... Come on! Yes, obviously it was done via chat. And obviously the chat logs are still there.

As to the exploit, this one is trivial and I'm sure any junior dev who read a few tutorials could fix it. Other issues, though, like the ability to delete posts and threads are still there a year later. So yea, I don't have much faith, sorry. :/

Also one of the reasons for my disturbing lack of faith is the 91 "fix".
avatar
litek: As you can see the issue has been fixed.
Thank you, on behalf of all the exposed bad people.

Are you the person working on this? Do you have the time for a few more fixes? Admittedly none of them compromise users' wallets, but it would be ever so nice to take care of them.
low rated
Oh shit, there he goes with his delete post and thread crap again.

Me and my gaggle of forum terrorists. :P

Yesterday I had to ask someone in the Q4 thread how to convert a txt file and this genius thinks I'm capable of making a script and taking over the forum. :P
low rated
avatar
tinyE: Oh shit, there he goes with his delete post and thread crap again.

Me and my gaggle of forum terrorists. :P

Yesterday I had to ask someone in the Q4 thread how to convert a txt file and this genius thinks I'm capable of making a script and taking over the forum. :P
I still don't really understand what this thread is about :D I mean, I know there is some kind of "security risk" and... bad things can happen if you reply to a post that... has things. And codes. And possibly spikes at the bottom.
avatar
Especially since fixing the thread/post delete exploit is even more trivial than fixing code injections... Just change one line of code.

But that would mean they'd have to fix their spam detection and not rely on forum users doing it for them.
Post edited August 25, 2017 by ZFR
avatar
litek: [...]
Do you guys have any info on whether this bug was used for malicious purposes?
And I sincerely believe that you guys and girls should focus a bit on making your current products and services bug-free and smooth before rushing to diversify. I know my voice would not carry much importance, but I honestly feel that trust and communication would help GOG grow in a sustainable manner.
Thanks for ironing out this bug quickly.
avatar
litek: As you can see the issue has been fixed.
Much appreciated. While you're at fixing things, could you take a look at this (check next couple of related posts too)? This was definitely not happening earlier.
avatar
bhrigu: Do you guys have any info on whether this bug was used for malicious purposes?
Seems unlikely, as they'd probably need some tool that goes through every post on the forum and looks for the problem. The odds of such a tool existing seem nil, and the odds of creating such a tool just to check seem even slimmer.

avatar
litek: As you can see the issue has been fixed.
Thanks!
avatar
Bookwyrm627: Seems unlikely, as they'd probably need some tool that goes through every post on the forum and looks for the problem.
Well, the posts are stored in a backend database you know, so it's not that impossible to do a quick check on things... but I doubt GOG will do even that.