Arimaa Forum (http://arimaa.com/arimaa/forum/cgi/YaBB.cgi)
Arimaa >> Site Discussion >> Security vulnerabilities
(Message started by: Orb on Oct 17th, 2019, 4:53pm)

Title: Security vulnerabilities
Post by Orb on Oct 17th, 2019, 4:53pm
Hi,
This site has two major security vulnerabilities relating to its password system, and until these issues are resolved, every password on this site is at risk of being compromised.
The first vulnerability is that the connection is not encrypted. This allows agents involved in transferring data to and from arimaa.com to intercept all communications in an unencrypted form, which can easily be used for malicious ends.
The second vulnerability is that all passwords are stored in plaintext. This allows the site to send your password to you via email, but it also means that if an attacker gains access to the password database (which, given the security features on this site, would probably be quite easy), they will gain access to every user's password, exactly as-is. This password, for many users, will match their passwords on many other sites and services, potentially granting an attacker access to sensitive information (such as credit card numbers).
The site should, as soon as possible, obtain an encryption certificate (available for free from Let's Encrypt) and begin salting and hashing every user's password. However, this site seems to be almost un-maintained, so I would advise any user to change their password to one that does not resemble a password they use anywhere else. (This is already advisable for any site, but if your arimaa.com password is the same as your bank account number, that is a huge risk.)
If you do not believe me about this, you can find further reading about encryption here (https://developers.google.com/web/fundamentals/security/encrypt-in-transit/why-https) or here (https://https.cio.gov/everything/), and further reading about hashing here (https://security.blogoverflow.com/2011/11/why-passwords-should-be-hashed/) or here (https://www.wired.com/2016/06/hacker-lexicon-password-hashing/).
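As an added illustration of the second recommendation in the post (salting and hashing stored passwords), and not code from arimaa.com or the poster: the example below shows what a migration from a plaintext password table to salted, iterated hashes looks like, using only the Python standard library. The record format, the PBKDF2 iteration count and the sample user table are assumptions chosen for the example; the point it demonstrates is that after migration the server can verify a login but can no longer recover or email the original password, and that two users with the same password end up with different stored records because each gets its own random salt.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a per-user
# random salt. The iteration count is a cost knob; raise it as hardware allows.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex.

    The salt is drawn from the OS CSPRNG so identical passwords do not
    produce identical records, defeating precomputed (rainbow) tables.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare.

    hmac.compare_digest is constant-time, so timing does not leak how many
    leading bytes of a guess matched.
    """
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def migrate_plaintext_store(plaintext_store: Dict[str, str]) -> Dict[str, str]:
    """One-shot migration: replace every plaintext password with a salted hash.

    After this runs the plaintext values should be deleted; the site keeps
    only the records and verifies logins with verify_password().
    """
    return {user: hash_password(pw) for user, pw in plaintext_store.items()}


if __name__ == "__main__":
    # Constructed sample table standing in for a plaintext password database.
    legacy = {"alice": "correct horse", "bob": "correct horse", "carol": "hunter2"}
    migrated = migrate_plaintext_store(legacy)

    for user, record in migrated.items():
        print(user, record[:40] + "...")

    # Same password, different salts: the stored records differ.
    print("alice == bob record:", migrated["alice"] == migrated["bob"])
    print("alice login ok:", verify_password("correct horse", migrated["alice"]))
    print("bob wrong pw  :", verify_password("hunter3", migrated["bob"]))
```

Once the records replace the plaintext column, the "email me my password" feature described in the post cannot work any more; the usual replacement is a time-limited reset token sent to the registered address, which is the behaviour the hashing articles linked above assume.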