
I have contacted papler for him to prove the issue...
And it's confirmed: e-mail protection isn't secure anymore.
I created a new Silkroad Account:
User: testexploit549
PW: 12345678
I visited the page:

Which doesn't work because newly created accounts are all email protected, to my knowledge.
It's a new account created less than 7 days ago.
With simply the account name and password, he managed to change the password.
I tried to change the password and it requested an email confirmation.
Then I sent him a private message with the account name and password.
He changed both the email address and the password on the account.
Seems like Joymax updated their website and there's a new link which can be exploited
to change someone's email address even if the account is email protected.
If you do share your account, just watch out. It's not safe.
Sadly, I don't feel like searching where the exploit came from.
If you know how to reproduce the exploit, feel free to contact Joymax for them to fix it.
Or let us know and we will forward them the information.
Posted by: Kyle






