Possible security issue with download link
-
- Posts: 7
- Joined: Thu Aug 05, 2010 1:19 pm
Possible security issue with download link
Hi guys,
I looked at the download link that is posted on the alpha 90 topic and saw it was...
http://www.wolfire.com/spf-download/a90-win.exe
However, that link made me enter my alpha key, which I did. Then the file started downloading. I tried to run the file, but it turned out the file didn't download fully and started with an error.
So I checked the download link and it was...
http://static.wolfire.com/alpha/a90-win ... 1281113688
I re-ran the link to try and download the file, but it came up with an error saying the file expired. As a web developer, I looked at the query string and it looked like the file could be downloaded with it deleted, so I then used...
http://static.wolfire.com/alpha/a90-win.exe
And was able to download the file. I then ran another browser that had no session data with wolfire.com and tried to download the link with the file above and was still able to download the file.
This means someone could leak this link online and people could then download your alphas (assume your next one will be a91-win.exe). Now I know someone could easily put the file up as a torrent or megaupload/mediafire/rapidshare or even on their own personal server, but I thought you guys would like to know about this vulnerability I found.
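As an added example (not part of the original posts and not Wolfire's code): the behaviour reported above, where the link with its query string is rejected as expired but the bare URL still downloads, is consistent with a server that validates the token only when one is supplied. The sketch contrasts that with a fail-closed check; the `expires` and `sig` parameter names, the HMAC scheme and the key are assumptions, since the thread elides the real query string.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

KEY = b"constructed-demo-key"  # constructed secret, for this example only

def sign(path, expires, key=KEY):
    """HMAC over path and expiry, so neither can be altered or reused."""
    return hmac.new(key, f"{path}\n{expires}".encode(), hashlib.sha256).hexdigest()

def make_url(path, expires):
    # 'expires' and 'sig' are hypothetical parameter names.
    return f"{path}?expires={expires}&sig={sign(path, expires)}"

def _verify(path, query, now):
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return 403  # token missing or malformed
    if not hmac.compare_digest(sig.encode(), sign(path, expires).encode()):
        return 403  # signature does not match this path and expiry
    return 410 if now > expires else 200

def check_lenient(url, now):
    """Assumed flaw: the token is validated only when one is supplied."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if not query:
        return 200  # bare URL: nothing to check, file is served
    return _verify(parts.path, query, now)

def check_strict(url, now):
    """Fail closed: every request must carry a valid, unexpired token."""
    parts = urlsplit(url)
    return _verify(parts.path, parse_qs(parts.query), now)

if __name__ == "__main__":
    path = "/alpha/a90-win.exe"         # path taken from the thread
    url = make_url(path, expires=1000)  # constructed expiry value
    for label, u, now in [("fresh", url, 999), ("expired", url, 1001),
                          ("stripped", path, 1001)]:
        print(label, check_lenient(u, now), check_strict(u, now))
```

The strict check also rejects a link whose expiry has been edited, because the signature covers both the path and the expiry value.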
-
- Posts: 157
- Joined: Sat Oct 31, 2009 6:27 pm
Re: Possible security issue with download link
I see.....
Yes.
Re: Possible security issue with download link
You still have to enter your key into the file to activate it though, right?
-
- Posts: 7
- Joined: Thu Aug 05, 2010 1:19 pm
Re: Possible security issue with download link
Sandurz wrote: You still have to enter your key into the file to activate it though, right?
Not from what I saw. I was able to download, run and install the game without entering my alpha key.
Re: Possible security issue with download link
Removing the link with your key in it would be a great idea then, wouldn't it?
Not because the people here in the SPF would need it to share the game, but still.
Re: Possible security issue with download link
Same thing happens to me.
-
- Posts: 2937
- Joined: Tue Sep 25, 2007 11:15 pm
- Location: Galapagos Islands, rodeoin some turtles.
- Contact:
Re: Possible security issue with download link
Hooray for Jeff, and Wolfire in general.
Re: Possible security issue with download link
and the internet ... ( and jaffacakes )
-
- Posts: 2937
- Joined: Tue Sep 25, 2007 11:15 pm
- Location: Galapagos Islands, rodeoin some turtles.
- Contact:
Re: Possible security issue with download link
and brettalton!
-
- Posts: 17
- Joined: Mon Jul 05, 2010 2:45 pm
Re: Possible security issue with download link
and now I can finally pause/resume the 5** Mb download!!