DriveThruRPG.com Security issue.

C. Baize

First Post
So. I surfed over to DriveThruRPG to see what it looked like and everything...
First time there.. I'm looking around a bit, and then something catches my eye...
It says, "Welcome back to DriveThruRPG.com, Nathaniel! May I tell you about the new products that we have added to our menu?
If you have the most recent version of Adobe Reader, you can click here to activate your DRM account.
"
You may have noted that I said it was my first time there, and then DTRPG tells me "Welcome back" and calls me by name .... err... Not by MY name, though... So, I'm curious... I hit the "My Account" button.... Lo and behold... I'm logged in as this Nathaniel guy. I can see his home address and phone number (nice one, Nathaniel! :) ) along with his e-mail address.
I e-mailed Nathaniel and apprised him of the situation, and then I used the "Contact Us" feature at DTRPG and apprised them of the situation...
I know these aren't instant fixes, however, and felt I should make people aware of the security issue found there.
I might be able to see a mistake like that if there were some sort of cookie on my computer from having visited there, before, OR if we shared an ISP that used rotating IP addresses... We're all the way across the country from each other, using different ISPs....
Anyway... to anyone who uses DTRPG, be aware of the situation.


That can happen if you bookmarked or followed a link into the site that had the PHP SESSION ID = part of the url. It forces you to use a specific session ID that might be used by someone else. Remove the &PHPSESSID= or whatever part from your bookmark or notify any webmaster to do the same and the issue will not happen.

But that's no guarantee. We had the same issues at RPGNow for a while till we upgraded and changed some internal settings to prevent that.

James
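For the mechanism James describes (a session ID carried in the URL attaching a visitor to someone else's session), here is a PHP session bootstrap that closes that path; this is an added example, not DTRPG's or RPGNow's code, and it assumes the shop is served over HTTPS and that error_log is an acceptable place for the detection line:

```php
<?php
declare(strict_types=1);

// Weak setting (lets /?PHPSESSID=abc123 select session "abc123"):
//   session.use_only_cookies = 0, session.use_trans_sid = 1
// Hardened settings, applied before session_start():
ini_set('session.use_only_cookies', '1');   // read the session ID from the cookie only
ini_set('session.use_trans_sid', '0');      // never rewrite links to carry PHPSESSID
ini_set('session.use_strict_mode', '1');    // discard IDs the server never issued
ini_set('session.cookie_httponly', '1');    // keep the cookie away from page scripts
ini_set('session.cookie_secure', '1');      // assumption: site runs over HTTPS
ini_set('session.cookie_samesite', 'Lax');  // PHP >= 7.3

// Detection: with use_only_cookies on, a PHPSESSID in the query string is
// inert, but seeing one still tells you a stale or shared link is in circulation.
function urlCarriesSessionId(array $query): bool
{
    return array_key_exists(session_name(), $query);
}

function startSession(): void
{
    if (urlCarriesSessionId($_GET)) {
        $from = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
        error_log("session id supplied in URL, ignored; client {$from}");
    }
    session_start();
}

// On login, issue a fresh ID and delete the old session data, so whatever ID the
// browser arrived with never becomes an authenticated session.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION = ['user_id' => $userId, 'issued_at' => time()];
}

// On logout, clear server-side state and expire the cookie with matching params.
function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

startSession();
```

Regenerating the ID at login is the part that matters even if a session ID does leak beforehand: the pre-login ID is abandoned, so nobody holding it ends up in the customer's account page.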

rpghost said:
That can happen if you bookmarked or followed a link into the site that had the PHP SESSION ID = part of the url. It forces you to use a specific session ID that might be used by someone else. Remove the &PHPSESSID= or whatever part from your bookmark or notify any webmaster to do the same and the issue will not happen.

But that's no guarantee. We had the same issues at RPGNow for a while till we upgraded and changed some internal settings to prevent that.

James

Hmm.. that seems to be a problem. Especially if someone unethical just attempts to try out session ids to see if they come across someone.

The interesting thing about that, is I typed the address in my address bar, thusly:
www.drivethrurpg.com
I hit enter, and there I was as Nathaniel.

And, yeah, Ralts... Nathaniel SHOULD be thankful it was someone honest. Kinda doubt it, though.


Krieg said:
Once again DTRPG continues to impress.

We should start a pool on what their next snafu will be.
RPGNow just plain out told everyone that they had similar problems in the past. RPGNow is already a 'veteran' player on the digital download field. Even 'big' players such as amazon and e-bay have a bug every now and then. Nothing special, it's just because software is so damn complex.

The fortunate part is that this bug is pretty hard to duplicate. The important thing is to not keep your credit card info on that or any other site.

Cergorach said:
RPGNow just plain out told everyone that they had similar problems in the past. RPGNow is already a 'veteran' player on the digital download field. Even 'big' players such as amazon and e-bay have a bug every now and then. Nothing special, it's just because software is so damn complex.

The fortunate part is that this bug is pretty hard to duplicate. The important thing is to not keep your credit card info on that or any other site.
Putting on my professional programmer hat....

Um, no, RPGNow's problem is a different (easily understood) problem since C Blaze claims he typed the url in and hit enter. That means it isn't a PHP session error, it is something else.

And thus I would say it is unfortunate that the bug is hard to duplicate because that means it will be hard to prove that it is fixed.

... hat off.

DTRPG has made huge PR blunders at every opportunity and continues to do so.

1. Trying to muscle RPGNow to sell.
2. The only "professional" .pdf site.
3. Inaccessible website for the first week or so.
4. DRM
5. We aren't "really" affiliated with WW, it's just coincidence that everyone involved also happens to work for them.
6. Customers' actual names placed on forum without their consent.
7. VERY questionable SPAM mailing list.
8. Account logon security problems.

I have no idea whether it is malfeasance or merely incompetence on DTRPG's part, but they have some serious problems to fix.

jmucchiello, dude... When in doubt, C&P. It's Baize, man... as cool as it would be to be "Mr. Blaze" ... I'll leave that to Johnny.
Baize.
:)