PSA: Tumblr and DeviantArt Connections
2 years ago
Guinea

TLDR: Don’t click, or at least don’t meaningfully interact with, Tumblr and DeviantArt connections on user profiles on SRC, as they make you vulnerable to phishing attacks if you try to log in to your account from there. If you don’t believe me, check the Tumblr and DeviantArt connections on my profile, which are implied to go to their respective sites, but clearly don’t.

A few weeks ago, I discovered a bug that could lead to phishing attacks on Tumblr and DeviantArt through SRC, and I reported it to the Support Hub and (the supposedly inactive) security@speedrun.com email. The bug report was marked internally as resolved, yet it still exists as a problem, even after the recent bug fix update, implying that Elo doesn’t see a reason to issue a fix for it. Therefore, I’m just gonna talk about it now so that SRC’s users are aware of it, and hopefully encourage Elo to fix the bug in the process.

Without getting into too much detail, you can put any URL you want in the connection field for the two platforms, and if you put a ? after the URL, any user who clicks the link will be directed to that user-specified site, while SRC makes it look like it’s guaranteed to be the website that the icon represents. If a malicious user were to use a lookalike domain (like tumbir.(com) or devianlart.(com) for example), recreate the look of the website, and then ask for credentials, they would manage to convincingly fool users into giving their credentials, using the implied safety given by SRC and Elo. For the time being, until a fix is made, I wouldn’t recommend interacting with Tumblr or DeviantArt connections on profiles, or at the very least not inputting your credentials unless you’re sure that it’s the official site that it’s supposed to be.

Note to Elo staff: Please consider having more correspondence between reporter and staff, like whether or not the bug is being fixed or what reasons there are for the bug not being fixed, especially for ones that put user safety at risk :) Also, bring back the security email. Thank you.

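As an added illustration (not part of the original post, and not SRC's own code), the Python below reconstructs the class of bug the PSA describes under one stated assumption: that SRC stores only a username for these platforms and builds the link from a fixed template such as https://<user>.tumblr.com, so a field of evil.example/? becomes https://evil.example/?.tumblr.com. The browser then connects to evil.example and the leftover .tumblr.com is just a harmless query string, which is why a ? after the URL is the natural way to make the trick land on an arbitrary page rather than a broken path. The templates, the username rules, and the sample values are all assumptions for the example.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Registered domains the two connection icons claim to point at.
PLATFORM_DOMAINS = {
    "tumblr": "tumblr.com",
    "deviantart": "deviantart.com",
}

# Assumed link templates (the thread does not show SRC's actual code):
# a stored username substituted into a fixed per-platform pattern.
TEMPLATES = {
    "tumblr": "https://{user}.tumblr.com/",
    "deviantart": "https://{user}.deviantart.com/",
}


def effective_host(url: str) -> str:
    """Host a browser would actually connect to for this href."""
    return urlsplit(url).hostname or ""


def naive_link(platform: str, user: str) -> str:
    """The pattern the PSA describes: the raw field is pasted into the template
    with no validation, so the field can rewrite the authority part of the URL."""
    return TEMPLATES[platform].format(user=user)


# Assumed username shape: letters, digits and inner hyphens only.
# Anything that could carry "/", "?", "." or "@" is rejected outright.
USERNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,30}[A-Za-z0-9])?")


def points_to_platform(href: str, platform: str) -> bool:
    """The check a user or auditor cares about: does the final href's host
    belong to the platform the icon implies? Lookalikes such as tumbir.com fail,
    and so does https://evil.example/?.tumblr.com, whose host is evil.example."""
    host = effective_host(href)
    domain = PLATFORM_DOMAINS[platform]
    return host == domain or host.endswith("." + domain)


def safe_link(platform: str, user: str) -> Optional[str]:
    """Hardened builder: allowlist the field, then re-check the result's host."""
    if USERNAME_RE.fullmatch(user) is None:
        return None
    url = TEMPLATES[platform].format(user=user)
    # Belt and braces: even if the template changes later, never emit a link
    # whose host is outside the platform's registered domain.
    if not points_to_platform(url, platform):
        return None
    return url


if __name__ == "__main__":
    # Constructed sample values, not taken from any real profile.
    for field in ("guinea", "evil.example/?", "evil.example/login/?"):
        href = naive_link("tumblr", field)
        print(f"{field!r:24} -> {href:42} host={effective_host(href)}  "
              f"tumblr={points_to_platform(href, 'tumblr')}  "
              f"hardened={safe_link('tumblr', field)}")
```

The point of points_to_platform is that it inspects the host of the href the browser will actually follow, not whether the string contains "tumblr.com" somewhere; a substring or regex test is exactly what a ? in the field defeats. The same function is what a reader can run by hand on a profile link before typing a password into whatever page it opens.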

19 days later, this still seems to be an issue.

United States

KEKWait

United Kingdom

It may or may not get fixed, but don't count on it soon.

Currently we're in a situation where it's radio silence for a month or two > update > complaints taken in for a day or two > radio silence for a month. Repeat.

A lot of the complaints about the past update still haven't been addressed at all a month later. There's a thread on it with pages and pages of critique, so they can't say they aren't receiving any.

Germany

Someone should make a "How to steal login credentials using speedrun.com! [EASY]" video.


Dox% speedrun world record

Tennessee, USA

Hey Sex, why are you warning us about Tumblr? They literally banned Sex off the platform. What the fuck!!!!

Guinea

warn this ratio hoon goonsical

Tennessee, USA

This actually got fixed only because they removed those platforms from the social networks tab. GOOD JOB SPEEDRUN.COM!!!!!!!!!!!!!!!!!

CyanWes
He/Him, They/Them
8 months ago

Problem: socials leak information

Solution: delete the socials problem solved 😀😀😀

Valhalla

Let's go SRC, let's go Elo!!!! Fixing bugs one by one, I'm so proud!
