Arimaa Forum Security vulnerabilities
   Author  Topic: Security vulnerabilities  (Read 328 times)
Orb
Forum Newbie
Arimaa player #11650
Gender: male
Posts: 1
Security vulnerabilities
« on: Oct 17th, 2019, 4:53pm »

Hi,
This site has two major security vulnerabilities relating to its password system, and until these issues are resolved, every password on this site is at risk of being compromised.
The first vulnerability is that the connection is not encrypted. This allows agents involved in transferring data to and from arimaa.com to intercept all communications in an unencrypted form, which can easily be used for malicious ends.
The second vulnerability is that all passwords are stored in plaintext. This allows the site to send your password to you via email, but it also means that if an attacker gains access to the password database (which, given the security features on this site, would probably be quite easy), they will gain access to every user's password, exactly as-is. This password, for many users, will match their passwords on many other sites and services, potentially granting an attacker access to sensitive information (such as credit card numbers).
The site should, as soon as possible, obtain an encryption certificate (available for free from Let's Encrypt) and begin salting and hashing every user's password. However, this site seems to be almost un-maintained, so I would advise any user to change their password to one that does not resemble a password they use anywhere else. (This is already advisable for any site, but if your arimaa.com password is the same as your bank account number, that is a huge risk.)
If you do not believe me about this, you can find further reading about encryption here or here, and further reading about hashing here or here.
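A sketch of the salted-and-hashed storage the post recommends, written as an added example here (not code from arimaa.com or YaBB). It assumes PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt and a constructed two-user table, and shows that the stored record can verify a login but no longer contains the password a site could e-mail back.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters (not from the post): PBKDF2-HMAC-SHA256, 600k iterations,
# record format "pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>".
ITERATIONS = 600_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing salted hash; a fresh salt per call."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)

# Constructed sample table in the "before" state the post describes: plaintext,
# which is exactly what a database breach exposes and what lets a site e-mail
# a password back to the user.
PLAINTEXT_USERS: Dict[str, str] = {"alice": "correct horse", "bob": "hunter2"}

def migrate(users: Dict[str, str]) -> Dict[str, str]:
    """Replace every plaintext password with its salted hash."""
    return {name: hash_password(pw) for name, pw in users.items()}

def demo() -> dict:
    hashed = migrate(PLAINTEXT_USERS)
    return {
        "alice_ok": verify_password("correct horse", hashed["alice"]),
        "alice_bad": verify_password("correct horse ", hashed["alice"]),
        # Different users get different salts; the same password hashed twice
        # yields different records, so a breach cannot be matched across users.
        "unique_salts": hashed["alice"].split("$")[2] != hashed["bob"].split("$")[2],
        "same_pw_diff_hash": hash_password("hunter2") != hash_password("hunter2"),
        "no_plaintext": "hunter2" not in hashed["bob"],
        "garbage_rejected": verify_password("hunter2", "not-a-record"),
    }
```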
Arimaa Forum » Powered by YaBB 1 Gold - SP 1.3.1!