Someone should probably mention to you guys that the mail servlet used to send out mass emails like "hey, players, there's a human endurance event" or "please fill out a survey" contains a link at the top labelled "View this message in a browser" which will open links.mail.dust514.com/servlet/MailView followed by a series of variables which tell the system who you are and which message you want to look at.

Unfortunately, if you make the appropriate changes to the part of the URL which tells the servlet who you are, you can view a message that was sent to someone else. You can also view the email address associated with their PSN. Presumably you could farm a list of character names and associated email addresses.

CCP were advised of this mid-May. It's on a third-party provider to actually fix the thing, but if CCP aren't going to disable the system, it seems appropriate that everyone be warned of the possibility that their email address has been disclosed. As far as I know, there is no evidence that this has occurred but it's polite to let customers know that the possibility existed.

I kind of expected that CCP would do this but, personally, have received no such notification, so here it is. Hopefully CCP comment in here to say that the reason no announcement was made is that they have fully explored the possibility of this being exploited and determined that nobody is at risk but the fact that the system remains vulnerable concerns me enough to advise players myself.

Not saying it's not good or anything, but wouldn't you think that actually bringing this public would make it happen faster than to keep pushing CCP to change their things... just a thought.

But then, I'm far more concerned over other things that needs sorted.

Good work!

edit/and for obvious reasons I'm now going to go do exactly what you warn about just because I wasn't aware of it

/c

Unfortunately, most of the time it takes public scrutiny to get these things pushed through. Mith followed the norm in the industry by giving them plenty of notice prior to publishing his findings.

Unfortunately, most of the time it takes public scrutiny to get these things pushed through. Mith followed the norm in the industry by giving them plenty of notice prior to publishing his findings.

Basically this is my position. I put a great deal of consideration into creating the thread, fully aware that disclosure would give a small window of opportunity to exploiters. Lack of disclosure gives a greater window.

I honestly expected a temporary solution to immediately close the hole. More than a month later, no such patch/service suspension is in place and without public attention the possibility exists that further time could be used by anyone else aware of the issue to exploit it.

IMO, ideally this thread will result in the servlet being taken offline in part or in whole until it is secure.

Oh, no! Not my email address!

That information is supposed to be top-secret level 5 classified! Now my secret identity is blown! My loved ones are in danger!

Seroiusly, though, what's the worst-case scenario here, some extra spam emails?

Oh, no! Not my email address!

That information is supposed to be top-secret level 5 classified! Now my secret identity is blown! My loved ones are in danger!

Seroiusly, though, what's the worst-case scenario here, some extra spam emails?

Derp. I'm glad you don't suffer at all from having your email address known. Some would prefer their FirstName.LastName@gmail not be attached to their character. I don't mind giving them that right.

I'm out of this thread now. Those who are pleased to know, you're welcome. Those who inevitably react with"OMG MITHILEAKS", I'm not going to engage with because it would look too much like returning to the forums.

Actually, worst-case scenario is typing about it in this thread..most of my E-mail accounts are ghost towns, that i use exclusively for spawn E-mails. Is where junk and spawn rubbish go to die....a graveyard for internet BS.

Maybe if you could explain how this grievous oversight and negligence on CCP's part might potentially cause me more than a slight inconvenience, I might share your concern over this "threat" to my personal security.

I'm not going to enumerate the possible attacks based on having the personal details and PSN login of another player because I don't want to give anyone any ideas. Sorry if that doesn't convince you, but I'm mainly looking to advise people who feel it significant.

I still don't understand (honestly, sorry if I'm being dense). I thought you said a person could get my email address, so where are they getting "personal details" and my login password from?

Without those, what's the worst they could do, send me emails?

How is my email address alone enough information to be in any way useful?

I still don't understand (honestly, sorry if I'm being dense). I thought you said a person could get my email address, so where are they getting "personal details" and my login password from?

Without those, what's the worst they could do, send me emails?

How is my email address alone enough information to be in any way useful?

Because one of those 100 internet sites / services you've signed up for with your email as your username has $hit security and allows you to reset your password w/o a second level of authentication. Then in that 1 site you've also input your date of birth or home address which is the authentication factor for 3 more sites which then .... etc etc etc. 15 steps later they're in a site/game that has your credit card saved on file and is susceptible to buying in-game currency which can be RMT'd or whatever.

Security breaches occur across a multitude of interconnections, often run by people other than the original source. You might split your emails but having your primary gaming email in the wild is rarely awesome.