Stay away from United Cardists.

Status
Not open for further replies.

wZEnigma

Elite Member
Jun 17, 2009
1,511
153
NE Ohio.
ianchandlerwriting.com
I was browsing United Cardists and noticed someone leaked the link to an early release to a special something that was [removed].

One of the mods (I can't believe this scumbag is a mod), badpete69, messaged me asking if I was an employee of Theory11. I said no but asked that he take the link down, to which he refused, handling the matter rudely.

I've let the T11 team know about this, but I wanted to warn everyone who might be a member there. This guy should not be a mod, and I hope you guys do the right thing. Peace out.

Nurul

Elite Member
Dec 8, 2013
239
186
Birmingham, UK
Whoever did leak the info, it's sad they did, but unfortunately it's not the first time things have been leaked.
To stop this from occurring again, T11 need to set up the secret link in a way where it's only an elite member login required. Or the domain name is something different. I mean someone even accessed it without even signing up with T11.
I hope the T11 guys can chime in on this, especially Lyle, as he did reply to the UC post.
Sep 2, 2007
1,182
119
31
Houston, TX
Whoever did leak the info, it's sad they did, but unfortunately it's not the first time things have been leaked.
To stop this from occurring again, T11 need to set up the secret link in a way where it's only an elite member login required. Or the domain name is something different. I mean someone even accessed it without even signing up with T11.
I hope the T11 guys can chime in on this, especially Lyle, as he did reply to the UC post.

The fact that non-Elite users (or non-users in general) can see this link classifies as an insufficient authorization vulnerability in the web security world. Requiring an authorization cookie specific to Elite members would be one solution for accessing this page - if you don't have it, you don't see the contents. Those of you that ARE Elite members would have the cookie value stored in your browser giving you access (from previously logging into Theory11). Alternatively, it could just require that you log in first - but if it asked you every single time you wanted to visit the page, that wouldn't be the best user experience.

To combat people following the links from other sites, T11 could set up a Referer header check. It would essentially require the request for the page with the special something to come from a T11 page. Each request for a web page is sent with a Referer header that tells the server where that request came from - if it's United Cardists or any other page that isn't Theory11, the request would be rejected and the user would get an error.
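
The two checks described in the post above, as an added example that is not part of the original thread and not Theory11's code: a server-side session check for Elite membership decides access, and the Referer check is an optional extra layer. The Referer header is supplied by the client and may be absent, so it is never the only control here. The host name, cookie name and tier names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SECRET_KEY = secrets.token_bytes(32)   # server-side signing key (constructed per run)
SITE_HOST = "shop.example"             # placeholder host, not the real site
SESSIONS = {}                          # session id -> {"user": ..., "tier": ...}


def _sign(session_id: str) -> str:
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def login(user: str, tier: str) -> str:
    """Create a server-side session and return the value for the 'session' cookie."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "tier": tier}
    return f"{sid}.{_sign(sid)}"


def session_from_cookie(cookie_header: str):
    """Return the session record for a correctly signed cookie, else None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if "session" not in jar:
        return None
    sid, _, sig = jar["session"].value.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(sid).encode()):
        return None                    # forged or tampered cookie
    return SESSIONS.get(sid)


def referer_is_same_site(referer: str) -> bool:
    return bool(referer) and urlsplit(referer).hostname == SITE_HOST


def authorize_hidden_page(headers: dict, require_same_site_referer: bool = False) -> int:
    """Return the HTTP status the members-only page should answer with."""
    session = session_from_cookie(headers.get("Cookie", ""))
    if session is None:
        return 401                     # not logged in: send to the login page
    if session["tier"] != "elite":
        return 403                     # logged in, but not an Elite member
    if require_same_site_referer and not referer_is_same_site(headers.get("Referer", "")):
        return 403                     # request did not come from a page on this site
    return 200
```

A same-site Referer without a valid Elite session still gets 401, which is the property that closes the leaked-link case.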