Posted November 13, 2017
TRUMP MUST F U C K I N G HANG
Find me in STEAM OT
TRUMP MUST F U C K I N G HANG Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Dec 2012
From Other
Mr.Grucha
sn1p3r
Mr.Grucha Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat GOG.com Team
Registered: Jun 2011
From Poland
Posted November 13, 2017
Hi,
We are in touch with neophile1980 who found some bugs in the forums.
At the moment we are working on the fix.
We are in touch with neophile1980 who found some bugs in the forums.
At the moment we are working on the fix.
LEMON CURRY?
Møøse operator
LEMON CURRY? Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Jun 2013
From Denmark
Themken
Old user
Themken Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Nov 2011
From Other
Posted November 23, 2017
The poor coder on the job fell asleep after a week of non-stop working on it...
neophile1980
New User
neophile1980 Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Nov 2014
From Germany
Posted November 26, 2017
According to email converstation with GOG, the vulnerabilities are still in the process of being fixed. (no ETA given by GOG). However, if the vulnerabilities are to be fixed properly (and not just mitigated), I guess that fundamental changes/improvements have to be made to the forum code's - let's call it - suboptimal design. Based on their responses so far, my impression is there is no dedicated IT security team, so I think it's good if they take their time to fix the bugs (and probably others based on the same design flaws along the way) in a proper way. I am waiting for a status update of theirs. In case GOG doesn't have any plans to publish details about the vulnerabilities, I might do so myself, once they all have been fixed.
LEMON CURRY?
Møøse operator
LEMON CURRY? Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Jun 2013
From Denmark
Posted November 28, 2017
neophile1980: According to email converstation with GOG, the vulnerabilities are still in the process of being fixed. (no ETA given by GOG).
Well, who needs an ETA when you got an '[a]t the moment we are working on the fix' update 15 days ago? ;) neophile1980: However, if the vulnerabilities are to be fixed properly (and not just mitigated), I guess that fundamental changes/improvements have to be made to the forum code's - let's call it - suboptimal design. Based on their responses so far, my impression is there is no dedicated IT security team [...]
Why am I not surprised by any of this? neophile1980: [...] so I think it's good if they take their time to fix the bugs (and probably others based on the same design flaws along the way) in a proper way.
I wouldn't build my hopes up – they rarely fix things properly. At least not without breaking something else in the process. neophile1980: I am waiting for a status update of theirs. In case GOG doesn't have any plans to publish details about the vulnerabilities, I might do so myself, once they all have been fixed.
You're not the only one who's waiting... Just curious, but for how long would you consider it acceptable for these issues to remain unfixed? Oh, and thanks a lot for being so considerate as to contact GOG about the vulnerabilities, offer them your help as well as not posting about the specifics in the forum. :)
Post edited November 28, 2017 by Lemon_Curry
neophile1980
New User
neophile1980 Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Nov 2014
From Germany
Posted November 28, 2017
neophile1980: I am waiting for a status update of theirs. In case GOG doesn't have any plans to publish details about the vulnerabilities, I might do so myself, once they all have been fixed.
Lemon_Curry: You're not the only one who's waiting... Just curious, but for how long would you consider it acceptable for these issues to remain unfixed? Oh, and thanks a lot for being so considerate as to contact GOG about the vulnerabilities, offer them your help as well as not posting about the specifics in the forum. :)
Fundamental (design) vulnerabilities need more careful planning and I think some of them can only be fixed with a decent understanding about how privilege models and basic attacks work. I don't want to sound as if critical security vulnerabilities have been identified when I gave it a quick spin (and it really wasn't more than that) and the problem is that it is difficult to assess risk in this context. I did not ask GOG for permission to assess their site before haviing reported the issues and I just don't want to be put in charge in case something breaks. But given the nature of the vulnerabilities and their underlying design, it is very likely that there's more (with potentially more critical impact). Hence I recommended GOG by mail to engaging pentesters regularly or at least taking part in bug bounty programs.
I'm also hoping the guys at GOG do understand that it's important for them to having to improve their security and their ways in handling security reports on a professional level in general. Security by obscurity just doesn't work and I think the least thing you could do as a company is being honestly grateful to researchers dedicating their spare time to reporting vulnerabilities for free. Of course, closing one's eyes and hoping for the best is another option.
Post edited November 28, 2017 by neophile1980
Pawel1995
Polish Hussar
Pawel1995 Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Jun 2013
From Poland
drmike
Why yes, I am a Major General
drmike Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Jan 2012
From United States
Posted November 28, 2017
Hate to say it but it really did take 4 months to get that webcomic graphic novel.
I read a couple of the Pixie Trix webcomics (I'm not going to link to them as they may be considered NSFW by some.) and it usually takes them 3-4 weeks to clear customs from Canada to the US.
They even say so on their website:
http://pixietrixcomixstore.bigcartel.com/faq
I read a couple of the Pixie Trix webcomics (I'm not going to link to them as they may be considered NSFW by some.) and it usually takes them 3-4 weeks to clear customs from Canada to the US.
They even say so on their website:
http://pixietrixcomixstore.bigcartel.com/faq
drmike
Why yes, I am a Major General
drmike Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Jan 2012
From United States
Posted December 26, 2017
Lovely. I just discovered an issue as well.
And Mr.Grucha has privacy in place.
And contacting Blues directly are a dead end.
Going the support ticket route and hope someone pays attention.
We really need a better method to report security problems here.
And Mr.Grucha has privacy in place.
And contacting Blues directly are a dead end.
Going the support ticket route and hope someone pays attention.
We really need a better method to report security problems here.
neophile1980
New User
neophile1980 Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... Unblock chat Registered: Nov 2014
From Germany
Posted July 21, 2018
deleted
Post edited July 21, 2018 by neophile1980