bgame-hunter / temars-eve-api

Automatically exported from code.google.com/p/temars-eve-api

Duplicate API Security risk #78

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
TEA Version: 1.3.0 r161

SMF Version: 2.0

What steps will reproduce the problem?
1. Have director user create account on forum and register with API
2. Have hostile user create new account on forum and register with same API as above
3. All API-granted access is granted to the hostile user

What is the expected output? What do you see instead?
TEA should check if the UserID or KeyID is in use already before allowing a 
user to authenticate with it.

Please provide any additional information below:
It is a very common spy technique to harvest API keys provided on alliance 
forums and other websites. These keys can be used to gain access to enemy 
forums, teamspeak, jabber etc. This is a major breach in security, and TEA 
should at least prevent the same API key from being used by more than one forum 
account.

Original issue reported on code.google.com by habel...@howlerinteractive.com on 7 Sep 2011 at 8:31

GoogleCodeExporter commented 8 years ago
Fixed, but I will do more to prevent duplicates in the way of the same char on a different API,
as I only added checks for the key itself at the moment.

Original comment by tema...@googlemail.com on 16 Sep 2011 at 5:50
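
The check requested in the report, extended to the same-character case mentioned in the reply, as an added example (not TEA's code and not written by either commenter). The `claims` table, the function names and all IDs are hypothetical and constructed for illustration; SQLite stands in for the forum database.

```python
import sqlite3

# Hypothetical schema: each key ID and each character ID can be bound to one
# forum member only. The primary key also stops two simultaneous registrations.
SCHEMA = """
CREATE TABLE claims (
    kind      TEXT    NOT NULL,   -- 'key' or 'char'
    ident     INTEGER NOT NULL,   -- KeyID or character ID
    member_id INTEGER NOT NULL,   -- forum account that owns it
    PRIMARY KEY (kind, ident)
);
"""

class DuplicateClaim(Exception):
    """The key or character is already bound to a different forum account."""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def _claim(db, kind, ident, member_id):
    row = db.execute("SELECT member_id FROM claims WHERE kind = ? AND ident = ?",
                     (kind, ident)).fetchone()
    if row is None:
        db.execute("INSERT INTO claims VALUES (?, ?, ?)", (kind, ident, member_id))
    elif row[0] != member_id:
        raise DuplicateClaim(f"{kind} {ident} is already registered to another account")
    # Same member re-submitting their own key or character: nothing to do.

def register_key(db, member_id, key_id, char_ids):
    """Bind the key and every character on it to member_id, all or nothing."""
    try:
        with db:  # one transaction: any failure rolls back every claim made here
            _claim(db, "key", key_id, member_id)
            for char_id in char_ids:
                _claim(db, "char", char_id, member_id)
    except DuplicateClaim as exc:
        return False, str(exc)
    except sqlite3.IntegrityError:
        return False, "registered by another account at the same time"
    return True, "registered"

if __name__ == "__main__":
    db = open_db()
    print(register_key(db, 1, 1001, [9001, 9002]))  # director registers
    print(register_key(db, 2, 1001, [9001]))        # second account, same key
    print(register_key(db, 2, 2002, [9002]))        # different key, same character
```

Access rules should be evaluated only after `register_key` returns success, so a rejected registration never reaches the group-assignment step.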