GaF Posted December 23, 2007

Not impressed - just clicked on Tournament Lobby in Mansion and IE opened with the following URL.....

https://www.mansion.com/Content/Zulu/ShowFeature.aspx?view=tournamentinfo&user=******&pass=*******

I've edited the asterisks in......

Although this is secure (https) the password was visible in the URL bar - what this means is that the Mansion software (Presume it's a network issue rather than a site issue) is storing my password in memory, unencrypted (or at the very least, bi-directional encryption) - seems incredibly lax to me :unsure
McG Posted December 27, 2007

Re: Passwords in Mansion

[quote]Not impressed - just clicked on Tournament Lobby in Mansion and IE opened with the following URL..... https://www.mansion.com/Content/Zulu/ShowFeature.aspx?view=tournamentinfo&user=******&pass=******* I've edited the asterisks in...... Although this is secure (https) the password was visible in the URL bar - what this means is that the Mansion software (Presume it's a network issue rather than a site issue) is storing my password in memory, unencrypted (or at the very least, bi-directional encryption) - seems incredibly lax to me :unsure[/quote]

PLUS, I had to have letters, numbers and at least 1 symbol in my password "for additional protection" :rollin
GaF Posted December 27, 2007

I'm surprised there hasn't been more reaction to this - I view it as quite a major issue :unsure Don't know if I'm overreacting :unsure

Just to be clear - here's a screen print of what's happening (edited out of course)

I have searched my registry for the password as well as the contents of my hard drive, without finding it, so that's some comfort.... I don't have the "remember password" box ticked on login :unsure
Valiant23 Posted December 27, 2007

I've just logged into Mansion and clicked on some buttons but my default browser is Firefox and some pages open with the address bar blank. It is quite worrying but I'm not sure why exactly. :$
GaF Posted December 27, 2007

It's not normal for anything to store passwords in such a way that they can be known - they are usually encrypted with a one way encryption method - one way meaning you can encrypt it, but cannot (in theory) decrypt it....

Even for something non financial like PL, the password database is stored with a one way encryption algorithm - if someone forgets their password, we cannot find it, and we cannot tell them what it is - all we can do is set a new password....

For something that deals in financial information, I'm stunned that the program stores your password in such a way that it can access it.....if it's there it can be exploited......

I got onto live chat on Mansion earlier and they've passed it to their technical team - will post the response here :ok

Have tried some other skins on the network, and the others don't seem to have the same issue - only Mansion so far seems to do it - however ultimately I'd view the issue with the whole network - if the Mansion software can get ahold of your password, then it has to be available within the software for any of the skins....

Might post it up on 2plus2, they're pretty good at investigating this kind of thing, and have far better technical people than me who can get to the bottom of whether it's really an issue or not :unsure (Will wait for the reply from the Mansion technical team first)
AJ Posted December 27, 2007

I do see your point, I'd not want it displayed on screen from a security point of view, someone could shoulder surf me whilst logged in and get my password.

In terms of web security though, isn't it 128-bit SSL or something, secure enough I'd guess ??
GaF Posted December 27, 2007

Within the browser, yes it's secure (https), and I don't think that's so much the issue ..... I'm more concerned that this shows that a decrypted/decryptable version of my password is available from my machine :unsure (and as you say, anyone who can see my screen)
avongirl Posted December 27, 2007

I've tried clicking on various options within Mansion (lobby options, my account, cashier....) and am not getting anything displaying my password or the address showing like GaF's screen. Maybe the problem is in the browser in use? (not that I know about these things. I'm on erm....BT Yahoo I think :$).
Valiant23 Posted December 27, 2007

[quote]Within the browser, yes it's secure (https), and I don't think that's so much the issue ..... I'm more concerned that this shows that a decrypted/decryptable version of my password is available from my machine :unsure (and as you say, anyone who can see my screen)[/quote]

How so? You make a request for information through the poker client(?) The poker client accesses the web site and requests the information to be shown through your browser(?) It's strange the way it does it but does the fact that your details are shown in the address bar mean that they are available from your machine without following the above process? :unsure
GaF Posted December 27, 2007

Where can it get the password from if it isn't your machine? :unsure Even if it comes from them - they shouldn't have access to it either....
GaF Posted December 27, 2007

[quote]I've tried clicking on various options within Mansion (lobby options, my account, cashier....) and am not getting anything displaying my password or the address showing like GaF's screen. Maybe the problem is in the browser in use? (not that I know about these things. I'm on erm....BT Yahoo I think :$).[/quote]

Open a tournament lobby (Highlight a tournament, then click "Go to tournament" button), then click on "Tournament Info" - what do you get? (the URL I showed redirects after a few seconds)
avongirl Posted December 27, 2007

No redirect, goes straight to this.
GaF Posted December 27, 2007

That's where I go after the redirect :unsure Is anyone else seeing their password or is it just me? :unsure
Sharpe1ne Posted December 28, 2007

[quote]That's where I go after the redirect :unsure Is anyone else seeing their password or is it just me? :unsure[/quote]

Having had to click on cashier and try and catch the URL at the top, yes it does show my password. Mind you, with not being able to get tourney lobbies and having tons of trouble withdrawing from my account (I don't possess the card that I deposited with anymore and have no bank records to give them, I just can't get any money out of there, even though I put in a token £10 through Neteller I can't withdraw) then I just think they're a set of useless gimboids.
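As an added example (not part of the thread, and not Mansion's code): a small Python check that finds and redacts password-style query parameters, the pattern reported above, in browser-history or proxy-log lines. The host `poker.example`, the sample lines and the list of parameter names are constructed assumptions; only `user` and `pass` come from the quoted URL.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names treated as secrets. "pass" is from the URL quoted in the
# thread; the rest are assumed common variants.
SECRET_PARAMS = {"pass", "password", "passwd", "pwd", "token", "secret"}
URL_RE = re.compile(r"https?://\S+")

# Constructed sample lines (timestamp + URL); host and values are made up.
SAMPLE_LINES = [
    "2007-12-23 20:14:02 https://poker.example/Content/ShowFeature.aspx"
    "?view=tournamentinfo&user=alice&pass=Tr0ub4dor%263",
    "2007-12-23 20:14:07 https://poker.example/Content/TournamentInfo.aspx?id=1182",
    "2007-12-23 20:15:40 http://poker.example/cashier?User=alice&PWD=hunter2&lang=en",
]

def audit_url(url):
    """Return (redacted_url, names_of_secret_params_found) for one URL."""
    parts = urlsplit(url)
    found, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS and value:
            found.append(name)
            value = "REDACTED"
        cleaned.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned))), found

def scan_lines(lines):
    """Report every line whose URL carries a secret, with the secret removed."""
    report = []
    for number, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            redacted, found = audit_url(url)
            if found:
                report.append({
                    "line": number,
                    "params": found,
                    # HTTPS protects the query string only in transit; it still
                    # lands in the address bar, history and server logs.
                    "plain_http": urlsplit(url).scheme == "http",
                    "redacted": line.replace(url, redacted),
                })
    return report

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LINES):
        print(hit["line"], hit["params"], hit["plain_http"], hit["redacted"])
```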