When EVE Online's new forum went live on Thursday, April 7th, it wasn't long before someone discovered a gruesome exploit. The cookie used by the forum wasn't encrypted, putting the user's character ID and signature in plain text. The forum software also didn't have the required validation procedures, meaning users could change the user ID in their cookies to any character's ID and they'd be able to post as that character. Moderator tools and private forums for EVE developers, volunteers and the CSM were also allegedly exposed.
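The missing check described above, shown as an added example (not CCP's or Yet Another Forum's code): a handler that trusts the character ID in a cookie, beside one that accepts the ID only when it carries a valid server-side HMAC tag. The cookie layout, key handling, function names and IDs are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption: a server-side secret that is never sent to the client.
SERVER_KEY = secrets.token_bytes(32)


def naive_identity(cookie: str) -> int:
    """Flawed pattern: trust whatever character ID the client sends."""
    return int(cookie.split("=", 1)[1])


def issue_cookie(character_id: int, key: bytes = SERVER_KEY) -> str:
    """Bind the character ID to an HMAC-SHA256 tag computed server-side."""
    payload = f"char_id={character_id}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def verified_identity(cookie: str, key: bytes = SERVER_KEY):
    """Return the character ID only if the tag matches; otherwise None."""
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return int(payload.split(b"=", 1)[1])


def demo():
    # Constructed sample IDs, not real character IDs.
    own_id, other_id = 1001, 2002
    # Naive scheme: a client-edited cookie is accepted as the other character.
    naive_result = naive_identity(f"char_id={other_id}")
    # Signed scheme: swapping the payload no longer matches the issued tag.
    good = issue_cookie(own_id)
    swapped = base64.urlsafe_b64encode(f"char_id={other_id}".encode()).decode()
    tampered = swapped + "." + good.split(".")[1]
    return naive_result, verified_identity(good), verified_identity(tampered)
```

A random server-side session identifier achieves the same goal without placing the character ID in the cookie at all.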
In a new devblog, CCP Sreegs has explained
At least one player who reported the exploit was banned for subsequently abusing the exploit in an effort to force CCP to take action. In his devblog, Sreegs reiterated the correct steps for getting in touch with CCP's security department if an exploit or security hole is discovered. Player response to the devblog has been largely positive, but questions still remain. CCP has yet to comment on why it decided to base the new forum on the open source software Yet Another Forum and why it didn't inform players that it was using a pre-made package.