TEA Version: 1.3.0 r161
SMF Version: 2.0
What steps will reproduce the problem?
1. Have director user create account on forum and register with API
2. Have hostile user create new account on forum and register with same API as above
3. All API granted access is granted to hostile user
What is the expected output? What do you see instead?
TEA should check if the UserID or KeyID is in use already before allowing a
user to authenticate with it.
Please provide any additional information below:
It is a very common spy technique to harvest API keys provided on alliance
forums and other websites. These keys can be used to gain access to enemy
forums, teamspeak, jabber etc. This is a major breach in security, and TEA
should at least prevent the same API key from being used by more than one forum
account.
Original issue reported on code.google.com by habel...@howlerinteractive.com on 7 Sep 2011 at 8:31
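One way to enforce the check requested above, as an added example that is not TEA's or SMF's own code: the key-to-account binding is made unique in the database, and rejected attempts are recorded for moderators. The table names, function names and sample IDs are assumptions made for illustration; a UserID column would be constrained the same way.

```python
import sqlite3

class KeyAlreadyBound(Exception):
    """The API key is already registered to a different forum account."""

def open_registry(path=":memory:"):
    db = sqlite3.connect(path)
    # The PRIMARY KEY makes the database the arbiter of uniqueness, so two
    # concurrent registrations of one key cannot both succeed.
    db.execute("CREATE TABLE IF NOT EXISTS api_binding ("
               "key_id INTEGER PRIMARY KEY, member_id INTEGER NOT NULL)")
    # Rejected attempts are kept for moderators: reuse of a director's key
    # from a fresh account is the harvesting pattern the report describes.
    db.execute("CREATE TABLE IF NOT EXISTS rejected_binding ("
               "key_id INTEGER NOT NULL, member_id INTEGER NOT NULL)")
    return db

def bind_key(db, member_id, key_id):
    """Return True if newly bound, False if this member already holds the key.
    Raise KeyAlreadyBound if another forum account holds it."""
    member_id, key_id = int(member_id), int(key_id)
    try:
        with db:  # commits on success, rolls back on error
            db.execute("INSERT INTO api_binding (key_id, member_id) VALUES (?, ?)",
                       (key_id, member_id))
        return True
    except sqlite3.IntegrityError:
        owner = db.execute("SELECT member_id FROM api_binding WHERE key_id = ?",
                           (key_id,)).fetchone()[0]
        if owner == member_id:
            return False  # same account re-submitting its own key
        with db:
            db.execute("INSERT INTO rejected_binding VALUES (?, ?)",
                       (key_id, member_id))
        # The message does not name the owning account.
        raise KeyAlreadyBound("API key is already registered on this forum")

def rejected_attempts(db):
    """List (key_id, member_id) pairs for registrations that were refused."""
    return db.execute("SELECT key_id, member_id FROM rejected_binding").fetchall()

if __name__ == "__main__":
    db = open_registry()
    print(bind_key(db, member_id=1, key_id=4242))  # constructed sample values
    try:
        bind_key(db, member_id=2, key_id=4242)
    except KeyAlreadyBound as exc:
        print("rejected:", exc, rejected_attempts(db))
```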