Someone should probably mention to you guys that the mail servlet used to send out mass emails like "hey, players, there's a human endurance event" or "please fill out a survey" contains a link at the top labelled "View this message in a browser" which will open links.mail.dust514.com/servlet/MailView followed by a series of variables which tell the system who you are and which message you want to look at.

Unfortunately, if you make the appropriate changes to the part of the URL which tells the servlet who you are, you can view a message that was sent to someone else. You can also view the email address associated with their PSN. Presumably you could farm a list of character names and associated email addresses.

CCP were advised of this mid-May. It's on a third-party provider to actually fix the thing, but if CCP aren't going to disable the system, it seems appropriate that everyone be warned of the possibility that their email address has been disclosed. As far as I know, there is no evidence that this has occurred but it's polite to let customers know that the possibility existed.

I kind of expected that CCP would do this but, personally, have received no such notification, so here it is. Hopefully CCP comment in here to say that the reason no announcement was made is that they have fully explored the possibility of this being exploited and determined that nobody is at risk but the fact that the system remains vulnerable concerns me enough to advise players myself.

Not saying it's not good or anything, but wouldn't you think that actually bringing this public would make it happen faster than to keep pushing CCP to change their things... just a thought.

But then, I'm far more concerned over other things that needs sorted.

Good work!

edit/and for obvious reasons I'm now going to go do exactly what you warn about just because I wasn't aware of it

/c

Unfortunately, most of the time it takes public scrutiny to get these things pushed through. Mith followed the norm in the industry by giving them plenty of notice prior to publishing his findings.

Unfortunately, most of the time it takes public scrutiny to get these things pushed through. Mith followed the norm in the industry by giving them plenty of notice prior to publishing his findings.

Basically this is my position. I put a great deal of consideration into creating the thread, fully aware that disclosure would give a small window of opportunity to exploiters. Lack of disclosure gives a greater window.

I honestly expected a temporary solution to immediately close the hole. More than a month later, no such patch/service suspension is in place and without public attention the possibility exists that further time could be used by anyone else aware of the issue to exploit it.

IMO, ideally this thread will result in the servlet being taken offline in part or in whole until it is secure.

Oh, no! Not my email address!

That information is supposed to be top-secret level 5 classified! Now my secret identity is blown! My loved ones are in danger!

Seroiusly, though, what's the worst-case scenario here, some extra spam emails?

Oh, no! Not my email address!

That information is supposed to be top-secret level 5 classified! Now my secret identity is blown! My loved ones are in danger!

Seroiusly, though, what's the worst-case scenario here, some extra spam emails?

Derp. I'm glad you don't suffer at all from having your email address known. Some would prefer their FirstName.LastName@gmail not be attached to their character. I don't mind giving them that right.

I'm out of this thread now. Those who are pleased to know, you're welcome. Those who inevitably react with"OMG MITHILEAKS", I'm not going to engage with because it would look too much like returning to the forums.

Actually, worst-case scenario is typing about it in this thread..most of my E-mail accounts are ghost towns, that i use exclusively for spawn E-mails. Is where junk and spawn rubbish go to die....a graveyard for internet BS.

Maybe if you could explain how this grievous oversight and negligence on CCP's part might potentially cause me more than a slight inconvenience, I might share your concern over this "threat" to my personal security.

I'm not going to enumerate the possible attacks based on having the personal details and PSN login of another player because I don't want to give anyone any ideas. Sorry if that doesn't convince you, but I'm mainly looking to advise people who feel it significant.

I still don't understand (honestly, sorry if I'm being dense). I thought you said a person could get my email address, so where are they getting "personal details" and my login password from?

Without those, what's the worst they could do, send me emails?

How is my email address alone enough information to be in any way useful?

I still don't understand (honestly, sorry if I'm being dense). I thought you said a person could get my email address, so where are they getting "personal details" and my login password from?

Without those, what's the worst they could do, send me emails?

How is my email address alone enough information to be in any way useful?

Because one of those 100 internet sites / services you've signed up for with your email as your username has $hit security and allows you to reset your password w/o a second level of authentication. Then in that 1 site you've also input your date of birth or home address which is the authentication factor for 3 more sites which then .... etc etc etc. 15 steps later they're in a site/game that has your credit card saved on file and is susceptible to buying in-game currency which can be RMT'd or whatever.

Security breaches occur across a multitude of interconnections, often run by people other than the original source. You might split your emails but having your primary gaming email in the wild is rarely awesome.

To day I learned how little people know about internet security and how damage can be done with just your email :-(

I've snipped the explanation of how to do this, but I've also forwarded this on to our security team. Obviously giving people a way to farm the e-mail addresses of PSN accounts is not a good thing.

Meh, a little common sense and due caution goes a long way.

I generally don't volunteer any personal info when registering on forums and such, I rarely use my credit card online (and when I do, it's with sites that I am reasonably confident are as secure as possible), I monitor my credit card balance frequently and regularly, I use PSN Cards for PSN purchases, and I've got multiple "junk" emails, all with different passwords.

To do me any real harm, a person would need much more than just this one email address (even factoring in any other information about me that they could possibly extrapolate from it). I'm not saying it isn't possible but, to target me specifically, a person would have to be pretty determined, and spend quite a bit of time and effort to expand that one email address into something that would actually hurt me.

If they're THAT determined, then they've got a serious vendetta against me for some reason, and will probably find some other, easier, more effective and direct way to hurt me, even if they didn't have my email address.

The only other way this could affect me is if I'm just unfortunate enough to be either randomly selected, or one of many victims in some sort of mass-fraud, and the common sense and due caution that I mentioned above should protect me.

Besides, I could also get hit by a bus on my way to work, that doesn't mean I'll never go outside again.

Face it, stuff happens and, personally, I prefer not to spend my life worrying about every little thing that might possibly happen under just the right set of circumstances. You can't protect yourself from everything.

Obviously I do whatever I reasonably can to protect myself, but I'm not going to lose any sleep because someone might have access to one of my email addresses.

Living in fear is not living.

/rant

lol, you make it sound like they can just type my email address into the magic internet box and the magic computer bots do their computer magic and PRESTO, they have full access to my entire life!

Is it possible that someone could conceivably use information from the internet to steal my identity and/or access my money?

I suppose so, which is why I do take certain reasonable precautions when conducting business online.

On the other hand, It's also possible that I could be randomly shot by a total stranger while walking down the street.

But, is it likely?

Probably not.

When we were made aware, we rewarded the reporter as per our PLEX for Snitches program.

As a part of that, we no longer include the email which it's sent to as a part of the mail. Also, technical changes were made on the backend to prevent abuse of this at a large scale. We're still actively working with them to fix this issue fully, but this is not something that gets done over night.