IP addresses revealed in comments

If I view the forums while not logged in, I can see the IP addresses of other posters. The IP address is shown in every post except the one that started the thread. I tested this in both Firefox and IE. The browser makes no difference. It also makes no difference whether I view the forums on www.arcgames.com/en/forums or perfectworld.vanillaforums.com.

Comments

  • opkossy
    opkossy Posts: 11,177 Community Moderator
    .... Confirming this. Occurs in all posts except starting post in all topics regardless of browser or domain used. In addition, this is not a matter of add-ons/plugins as I checked with a computer that had none of them enabled.

    Major security issue you guys have right here.
    (Insert fancy image here)
  • krittycat
    krittycat Posts: 4,187 Community Moderator
    For future reference, serious security issues like this should probably be handled privately, so as to not promote the exploitation of the security flaw.

    All the same, the issue exists in Chrome as well, so it's definitely a Vanilla setup issue.
  • frtoaster
    frtoaster Posts: 2,566 Arc User
    krittycat wrote: »
    For future reference, serious security issues like this should probably be handled privately, so as to not promote the exploitation of the security flaw.

    All the same, the issue exists in Chrome as well, so it's definitely a Vanilla setup issue.

    I don't see how not posting about it would reduce the risk in this case. It's visible to anyone viewing the forums while not logged in, including people who don't even have an account. I'm pretty sure search engines are crawling these pages as we speak and indexing them with the IP addresses included.

    Btw, I can't tell that you're a moderator when I'm logged in, because I have signatures disabled. You guys really need to work on another way to indicate that.
  • opkossy
    opkossy Posts: 11,177 Community Moderator
    frtoaster wrote: »
    Btw, I can't tell that you're a moderator when I'm logged in, because I have signatures disabled. You guys really need to work on another way to indicate that.

    At the moment, we don't have our moderator permissions, so the only way to make it clear we're mods is via our forum signatures. When we get mod tools again, that will likely change.
    (Insert fancy image here)
  • katamaster81899
    katamaster81899 Posts: 869 Arc User
    Alright, that's a big issue. Big issue. lol. I think this is the biggest one yet.
    XB1 Thaumaturge PVE CW Build || NW_Legit_Community Moderator || Axios Guild Leader || Neverwinter Trade Forum Moderator
    Check out my foundry, titled "Akro's Gone Wacko", featuring our ex-CM Akromatik!: NW-DL8J7BY5T

    Erza Moonstalker | Lara Moonstalker | Julie Marvell | Erza Moonhunter | Annie Hellangel | Jenn Moonstalker
  • cococya
    cococya Posts: 230 Arc User
    Wow, how the hell did they not see this, it's a really major security flaw that could smell like lawsuit. Are these people so incapable?
  • krittycat
    krittycat Posts: 4,187 Community Moderator
    edited June 2015
    By the way, I was able to alert a member of the PWE staff, and they've passed the issue along to the team working on the forums. We should hopefully see this issue fixed soon.
    frtoaster wrote: »
    I don't see how not posting about it would reduce the risk in this case. It's visible to anyone viewing the forums while not logged in, including people who don't even have an account. I'm pretty sure search engines are crawling these pages as we speak and indexing them with the IP addresses included.

    Btw, I can't tell that you're a moderator when I'm logged in, because I have signatures disabled. You guys really need to work on another way to indicate that.

    We should hopefully have some sort of differentiation for mods soon... As for how it would help to not have had this posted, while there would be people who would view the forums without accounts, the people that didn't even think about it wouldn't notice it. By posting it in the forums, you alerted even them to the fact that they could view something they weren't supposed to be able to see if they just logged out.
  • krittycat
    krittycat Posts: 4,187 Community Moderator
    Okay, I just ran a quick check myself, but does anyone else see this issue as fixed?
  • sylenthunder
    sylenthunder Posts: 256 Community Moderator
    I just checked. Not seeing any IP addresses. Likely fixed.
  • krittycat
    krittycat Posts: 4,187 Community Moderator
    sylenthunder wrote: »
    I just checked. Not seeing any IP addresses. Likely fixed.

    Awesome. I never heard anything after it was passed to the Arc team, but just wanted someone else to verify what I was seeing. :smile:
  • frtoaster
    frtoaster Posts: 2,566 Arc User
    Confirming that it appears fixed for me as well.
