avatar
haydenaurion: OP, please edit your post to remove that link and to warn others about not clicking it so that we don't get any more who accidentally click it: http://www.gog.com/forum/general/i_think_my_account_got_hacked/post33

Thank you.
avatar
BKGaming: It doesn't look to do anything harmful though really based on the code, other than throw up a popup error with the number 1... still doesn't mean you shouldn't be careful though. Has anyone reported this yet?

EDIT:

But this is pretty interesting and could signify something more is going on...

avatar
JDelekto: I can confirm that there is some Javascript injection going on there from the forum itself. You can actually use the Web debugging tool "Fiddler" to see the request/response and then use your developer tools (in my case, F12 in Chrome) to trace through it.

Very clever. :)
BTW, there is a request for userData.json, which is somewhat revealing.
avatar
BKGaming:
Yeah, better to be safe than sorry though.
avatar
Avogadro6: Guys, guys, it's all fine. I'm sure if there was a problem Gog would have informed us!
"dear friend, I'll tell you myself.. mind your own damn business a bit and quit busting balls"

( lol don't get mad goggers, it's just a quote from his avatar.. an Italian senator.. really -_- )
Post edited June 06, 2015 by phaolo
avatar
BKGaming:
The code injection on the Cities: Skylines wishlist entry does, indeed, currently not do anything remotely malicious (just annoying), it displays a dialogue box with the digit "1" for every link in the page (so, a bunch of boxes). Still though, it does prove that one could, theoretically, use the method to inject truly malicious code.

The data in userData.json is used by the site front-end to -- among other things -- populate the notifications area (get the numbers of friend requests, new chat messages, forum replies, and updates), get the active currency and language, and know which currencies are valid for the current country.
Post edited June 06, 2015 by Maighstir
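The injection Maighstir describes is a stored XSS: a wishlist entry's text is dropped into the page markup verbatim. As an added illustration (not GOG's code; the entry shape and URL are assumed), here is a minimal renderer in its vulnerable form beside the hardened one that escapes untrusted text and only accepts http(s) links:

```javascript
// Added example, not code from the page or from GOG. The entry object shape
// ({url, title}) and the URL are assumptions for the demonstration.

// Constructed sample entry whose title carries markup, mirroring the
// "dialogue box with the digit 1" behaviour described in the thread.
const sampleEntry = {
  url: "https://www.gog.com/game/example", // assumed URL shape
  title: "Cities: Skylines<script>alert(1)</script>",
};

// Escape the five characters that change meaning inside HTML text and
// double-quoted attributes.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable renderer: the title is concatenated into the markup as-is, so any
// tags it contains become live page content (stored XSS).
function renderEntryUnsafe(entry) {
  return `<li><a href="${entry.url}">${entry.title}</a></li>`;
}

// Hardened renderer: every untrusted value is escaped for the HTML context it
// lands in, and the href is replaced by an inert "#" unless it parses as an
// http(s) URL (so a "javascript:" link never reaches the attribute).
function renderEntrySafe(entry) {
  let href = "#";
  try {
    const u = new URL(entry.url);
    if (u.protocol === "https:" || u.protocol === "http:") href = u.href;
  } catch (_) {
    // unparseable URL: keep the inert "#"
  }
  return `<li><a href="${escapeHtml(href)}">${escapeHtml(entry.title)}</a></li>`;
}
```

With the sample entry, renderEntryUnsafe emits a live script tag while renderEntrySafe emits the same title as harmless text (`&lt;script&gt;...`).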
avatar
Maighstir: The code injection on the Cities: Skylines wishlist entry does, indeed, currently not do anything remotely malicious (just annoying), it displays a dialogue box with the digit "1" for every link in the page (so, a bunch of boxes). Still though, it does prove that one could, theoretically, use the method to inject truly malicious code.

The data in userData.json is used by the site front-end to -- among other things -- populate the notifications area (get the numbers of friend requests, new chat messages, forum replies, and updates), get the active currency and language, and know which currencies are valid for the current country.
Thanks for the info, I didn't really look into it much... just looked at the code real quick. xD
Post edited June 06, 2015 by user deleted
avatar
Avogadro6: Nobody gets the reference. :(
I did. Now tell me, do you really like turtles?
avatar
Avogadro6: Nobody gets the reference. :(
avatar
Grargar: I did. Now tell me, do you really like turtles?
Sure I do. As long as they are trained in the use of nunchucks. Statistics show it's unwise to dislike anything that nunchucks.
Has this glaring security hole been fixed yet? I'm still afraid to use the wishlist
I haven't used the wishlist, friends stuff, my wishlist, or Galaxy since this started.

only thing I've used is chat.
Post edited June 09, 2015 by johnnygoging
hmm, tried it out. Still opening windows with "1" displayed. Nothing crashed with Firefox.
But I'm not sure this could be used to hijack account info, since to change the password one has to enter it first even when already logged in.
So even if they get the session cookie, no one should be able to get one's account (by changing password) nor buy anything (at least with PayPal you need to enter that password first, don't know how it is with credit card).
Still, would be nice if GOG fixed this bug.
Does anyone know anything about whether it has been fixed yet?
Also, is it possible to do the same thing in the forums? (Edit: just tested, doesn't seem to be possible)
Post edited June 12, 2015 by Lillesort131
avatar
Lillesort131: Does anyone know anything about whether it has been fixed yet?
Also, is it possible to do the same thing in the forums? (Edit: just tested, doesn't seem to be possible)
I took one for the team. It's still there.
I sent a support request telling them about this a week ago and I still haven't gotten a reply. Has this been fixed yet? I'm STILL afraid to use the wishlist feature on this site.
Post edited June 19, 2015 by drone01
So,

GOG have a significant number of people complaining that their account is being hacked.
GOG claim that there is no security hole and it is user error for giving away their passwords
GOG have an XSS vulnerability on their site that would allow nasty people (with a bit of effort) to steal users' passwords, which they have left unfixed for almost exactly the period over which accounts have been hijacked.

Did I miss something?
avatar
drone01: I sent a support request telling them about this a week ago and I still haven't gotten a reply. Has this been fixed yet? I'm STILL afraid to use the wishlist feature on this site.
I sent a ticket the same day this was reported. Got a reply two days ago. Supposedly the devs are looking into it.
avatar
drone01: I sent a support request telling them about this a week ago and I still haven't gotten a reply. Has this been fixed yet? I'm STILL afraid to use the wishlist feature on this site.
avatar
Avogadro6: I sent a ticket the same day this was reported. Got a reply two days ago. Supposedly the devs are looking into it.
Apparently so are some Russians.