avatar
Rozenman: Can you be safe if you use Galaxy only?
Probably not. The Galaxy client seems to use an embedded web browser to display most of its content, so the same things apply here.
avatar
Avogadro6: Guys, guys, it's all fine. I'm sure if there was a problem Gog would have informed us!
No, it is not fine. This is a serious issue and it should be fixed as soon as possible and people should be aware of it to at least be able to roughly understand what could happen.
Post edited June 05, 2015 by jpilot
avatar
Rozenman: Can you be safe if you use Galaxy only?
avatar
jpilot: Probably not. The Galaxy client seems to use an embedded web browser to display most of its content, so the same things apply here.
avatar
Avogadro6: Guys, guys, it's all fine. I'm sure if there was a problem Gog would have informed us!
avatar
jpilot: No, it is not fine. This is a serious issue and it should be fixed as soon as possible and people should be aware of it to at least be able to roughly understand what could happen.
https://youtu.be/vtUpWihJJJ4?t=318
Post edited June 05, 2015 by Rozenman
avatar
Avogadro6: Guys, guys, it's all fine. I'm sure if there was a problem Gog would have informed us!
They are already all dead, in there.
avatar
misteryo: Can anyone confirm this? I am not so sure this is true.
avatar
jpilot: Just to explain a little bit: The thing is, once you are able to insert arbitrary JavaScript code into a website (which obviously is the case here), you can execute that code with the permissions the user's web browser grants the scripts on that page (the browser simply cannot distinguish that malicious code from normal code used by the website), which means the script has access to all data available to it immediately through the global JavaScript context, as well as through any AJAX script or any website URL on that same host. So the script could possibly (and this is very likely, as there does not seem to be a validation of that change through a confirmation email) even change your own password without you knowing it.
Thanks for the explanation!
Nobody gets the reference. :( But yeah, this isn't the first time users find an exploitable vulnerability the staff was not aware of. Last time it took several hours to fix, but then again it was the middle of the night, so hopefully today they'll be faster. Until then, it's probably better if this thread gets deleted and the wishlist disabled.
avatar
Avogadro6: Nobody gets the reference. :( But yeah, this isn't the first time users find an exploitable vulnerability the staff was not aware of. Last time it took several hours to fix, but then again it was the middle of the night, so hopefully today they'll be faster. Until then, it's probably better if this thread gets deleted and the wishlist disabled.
No, I'd better spread the panic across the forum xD
This is just embarrassing.
avatar
tfishell: http://www.gog.com/wishlist/games/cities_skylines

"a","alert(1)"] 23 hrs. ago manifest_pw
"></img src=x onerror=alert(1)/>
OP, please edit your post to remove that link and to warn others about not clicking it, so that we don't get any more who accidentally click it: http://www.gog.com/forum/general/i_think_my_account_got_hacked/post33

Thank you.
avatar
haydenaurion: OP, please edit your post to remove that link and to warn others about not clicking it so that we don't get anymore that accidentally click it...
I agree, though you might want to remove the link as well. ;)
I can confirm that there is some JavaScript injection going on there from the forum itself. You can actually use the web debugging tool "Fiddler" to see the request/response and then use your developer tools (in my case, F12 in Chrome) to trace through it.

Very clever. :)
BTW, there is a request for userData.json, which is somewhat revealing.
Post edited June 06, 2015 by JDelekto
avatar
haydenaurion: ...
Ah sorry, forgot about this thread. :P Done.
avatar
haydenaurion: ...
avatar
tfishell: Ah sorry, forgot about this thread. :P Done.
OK, how many of these people who see the script have "TamperMonkey" installed?
avatar
haydenaurion: ...
avatar
tfishell: Ah sorry, forgot about this thread. :P Done.
Cool, much thanks. :)
avatar
tfishell: http://www.gog.com/wishlist/games/cities_skylines

"a","alert(1)"] 23 hrs. ago manifest_pw
"></img src=x onerror=alert(1)/>
avatar
haydenaurion: OP, please edit your post to remove that link and to warn others about not clicking it, so that we don't get any more who accidentally click it: http://www.gog.com/forum/general/i_think_my_account_got_hacked/post33

Thank you.
It doesn't really look to do anything harmful based on the code, other than throw up a popup with the number 1... still doesn't mean you shouldn't be careful though. Has anyone reported this yet?

EDIT:

But this is pretty interesting and could signify something more is going on...

avatar
JDelekto: I can confirm that there is some Javascript injection going on there from the forum itself. You can actually use the Web debugging tool "Fiddler" to see the request/response and then use your developer tools (in my case, F12 in Chrome) to trace through it.

Very clever. :)
BTW, there is a request for userData.json, which is somewhat revealing.
Post edited June 06, 2015 by BKGaming
I broke the site, I caved & bought the game this morning when I crawled in, so the site thinks nobody wants it any more ;)

*apologises*