Possible security issue with download link

brettalton · Post by **brettalton** » Fri Aug 06, 2010 11:58 am

Hi guys,

I looked at the download link that is posted on the alpha 90 topic and saw it was...

http://www.wolfire.com/spf-download/a90-win.exe

However, that link made me enter my alpha key, which I did. Then the file started downloading. I tried to run the file, but it turned out the file didn't download fully and started with an error.

So I check the download link and it was...

http://static.wolfire.com/alpha/a90-win ... 1281113688

I re-ran the link to try and download the file, but it came up with an error saying the file expired. As a web developer, I looked at the query string and it looked like the file could be downloaded with it deleted, so I then used...

http://static.wolfire.com/alpha/a90-win.exe

And was able to download the file. I then ran another browser that had no session data with wolfire.com and tried to download the link with the file above and was still able to download the file.

This means someone could leak this link online and people could then download your alphas (assume your next one will be a91-win.exe). Now I know someone could easily put the file up as a torrent or megaupload/mediafire/rapidshare or even on their own personal server, but I thought you guys would like to know about this vulnerability I found.

Precastwig · Post by **Precastwig** » Fri Aug 06, 2010 2:05 pm

I see.....

Yes.

Sandurz · Post by **Sandurz** » Fri Aug 06, 2010 3:25 pm

You still have to enter your key into the file to activate it though, right?

brettalton · Post by **brettalton** » Fri Aug 06, 2010 7:44 pm

Sandurz wrote:You still have to enter your key into the file to activate it though, right?

Not from what I saw. I was able to download, run and install the game without entering my alpha key.

Freshbite · Post by **Freshbite** » Fri Aug 06, 2010 8:42 pm

Removing the link with your key in it would be a great idea then, wouldn't it?
Not because the people here in the SPF would need it to share the game, but still.

Endoperez · Post by **Endoperez** » Sat Aug 07, 2010 8:10 am

Same thing happens to me.

Post by **Jeff** » Sat Aug 07, 2010 11:56 am

fixed

Count Roland · Post by **Count Roland** » Sun Aug 08, 2010 3:06 am

Hooray for Jeff, and Wolfire in general.

Ebrahim · Post by **Ebrahim** » Sun Aug 08, 2010 5:02 am

and the internet ... ( and jaffacakes )

Count Roland · Post by **Count Roland** » Sun Aug 08, 2010 9:35 pm

and brettalton!

OneEyedOdin · Post by **OneEyedOdin** » Tue Aug 10, 2010 8:44 am

and now I can finally pause/resume the 5** Mb download!!

Wolfire Games Forums

Possible security issue with download link

Possible security issue with download link

Re: Possible security issue with download link

Re: Possible security issue with download link

Re: Possible security issue with download link

Re: Possible security issue with download link

Re: Possible security issue with download link

Re: Possible security issue with download link

Re: Possible security issue with download link

Re: Possible security issue with download link

Re: Possible security issue with download link

Re: Possible security issue with download link