Back to Today's Deal

Login Authentification Unsafe


#1

When you log in to site and type in in-correct password, login details are sent un-safe through URL parameters.

… www.chrono.gg/?username=XXXXXXXX&password=XXXXXXXX&g-recaptcha-response= …


#2

@svegurok
I checked both the forum and the main site, but they are both passing that data in the body and not the query string. Where are you logging in to see this behavior?

Thanks.


#3

Hey ya’ll, this is a bug that we first became aware of late last night and fixed up early this morning. The login modal was being dismissed, on some browsers/OSes, and the modal state was ending up as query parameters.

Because everything is sent over HTTPS, including the query parameters, all network requests were safe and sound. I’ve also deleted the last 30 days worth of access logs – so there is no possibility of plaintext credentials ever being leaked.

This little bit of code had been deployed for a couple days, we’ve identified the how/why, and will work to improve our testing process so it doesn’t happen again in the future.

<3


#4

This is why I love this community lmao


#5

We are far from perfect. But we try harder.:dizzy: