
How to work around GS security vulnerability (root certificate verification)?

There was a hacker that manipulated some of our database entries -- very specific entries.

I'm told that GS "doesn't check the authenticity of a connection -- it was noticed that GS doesn't even check that the root certificate of the websocket TLS connection is registered on the host system, leaving GS to be emulated entirely".

And, well, that's exactly what happened -- the user found the exact DB entry -- his entry -- added himself Kickstarter armor, unbanned himself, directly added session tokens to his account, etc.

This is a pretty critical vulnerability. If the user could do this, this also means he can see and write ALL user information. This means someone can just click the delete button and wipe entire DBs. Since there are no longer any updates, I suppose the best thing to do is to ask others that may be security experts.

I'll open up a ticket for a shot in the dark, too -- since it's Amazon, I'm sure they'd at least patch security vulnerabilities.

1 Comment

To update, GS responded to the ticket fast -- seems like we may get a security update! :crosses fingers:
