Just FYI, new Delphi community forums recently started leaking email addresses in "Who is online". Beware if you are using email as your login.
http://community.embarcadero.com/index.php/forum
I'll have someone look into it ASAP
Marco Cantù Thanks
The "new" community (it is an upgrade of the open libraries it is based upon), online since a few days ago, has a specific "Display Name" field, so we'll probably migrate all "visible names" to that new field. Might take a few days, though.
Now you could wish the community forums to be like the discussion forums are most of the time :)
They need to fix the HTTPS grade F first, then make sure both servers support https, then ensure password-based login is always done over https (now it's over plain http, leaking your credentials): https://www.ssllabs.com/ssltest/analyze.html?d=community.embarcadero.com
https://www.cloudflare.com/ would take care of the HTTPS.
Marco Cantù emails are still leaking...
Also, it looks like "Who is online" is broken - currently it shows 132648 guests and 695 members online, and the numbers are continuously increasing. It shows me as online even when I am not logged in (going to that page from a browser I never used for logging in). Seems like users are added to the list but not cleared.
They are redoing that section of the site. There will be a display name anyone can choose (and by default it won't have the email).
It still asks you to log in over plain http (http://community.embarcadero.com/login). Server is now graded C, but still vulnerable to the POODLE attack: https://www.ssllabs.com/ssltest/analyze.html?d=community.embarcadero.com