Posted August 25, 2017
gogtrial34987: It's interesting how you found it minutes after I did and decided to edit out the proof of concept from my post and go report it responsibly. (Which I did, and which was taken seriously.) Then again, the issue is trivial to such a degree that I'd give you even odds all the same of having found it independent of having seen my post.
But either way, not cool exposing this publicly like this without giving GOG time to fix.
Wait, what? o_O But either way, not cool exposing this publicly like this without giving GOG time to fix.
If you recall, I was the one who started testing it and explicitly said that I was looking for an injection vulnerability. Then you joined me. I'm not sure who found it first, it could very well have been you, I wasn't exactly keeping tabs since I was focusing on testing, but it isn't surprising at all that we both found the same thing after specifically looking for it in the same place.
As to revealing it, I personally firmly believe that in cases like this it's better to demonstrate an issue rather than quietly report it. This way the users are warned at least. You and I found it in 10 minutes and don't know if someone is already using it. We owe it to the rest of the user base to immediately sound the alarm. If GOG fixes it soon — great. If not, at least the people will know what not to do.
Firek: I did my best to find a related ticket written by you on this subject, but found none.
I also tried to look for tickets made by other accounts, using some relevant keywords, but the only result I got was a report about this thread itself.
Please let me know how you attempted to report this issue to us, so that we can see if, and where, it might have fallen through some crack.
I didn't make any support tickets. Instead I personally described the issues I found to your staff members. In fact you could say I annoyed some of them to the point where they stopped answering. I also tried to look for tickets made by other accounts, using some relevant keywords, but the only result I got was a report about this thread itself.
Please let me know how you attempted to report this issue to us, so that we can see if, and where, it might have fallen through some crack.
And it's not like the reported issues are getting immediately worked on. We all know that the forms are broken in so many ways that users have created entire software sweets to mitigate that. Or are you saying that this is only because nobody bothered with creating a proper ticket?
Either way, I'll be happy to repeat my findings and recommendations for fixes to an actual engineer working on this. Typing up a ticket that goes to disappear into the void doesn't seem like a great idea though.
Post edited August 25, 2017 by Alaric.us