Speedrun.com's security is heavily outdated
3 years ago
United Kingdom

It has been standard practice for the past decade to lock various actions behind a layer of user authentication. The two most important actions being:

  • Changing the account password
  • Changing the account recovery email

However, both of these actions can be performed entirely within the site itself with no layer of authentication, meaning if somebody were to gain access to your account, they could immediately change both your password and your recovery email address, giving you zero ability to regain ownership of it.

More so, your recovery email address is displayed on your account in its entirety, as opposed to the standard practice of censoring half of it, meaning they could now also attempt to log in to your email account using the same password.

The optimal solution is to follow the industry standard of sending a link in an email in order to perform the above-mentioned actions, thus ensuring that if your account were to be compromised, you could very easily regain ownership.

RaggedDan, Lemin and 9 others like this
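The two mitigations the post asks for (masking the recovery address, and confirming password/recovery-email changes through a link mailed to the current recovery address rather than applying them from the logged-in session), as an added illustration; this is not speedrun.com's code, and the in-memory account store, field names and token lifetime are assumptions.

```python
import hashlib
import secrets
import time

# Constructed in-memory "database" for the demo: username -> account record.
ACCOUNTS = {"runner1": {"password_hash": "old-hash", "recovery_email": "runner@example.org"}}
PENDING = {}          # sha256(token) -> staged change; storing the hash means a DB leak does not expose live links
TOKEN_TTL = 15 * 60   # assumed lifetime of a confirmation link, in seconds


def mask_email(address: str) -> str:
    """Show only the first character of the local part and of the domain name,
    so someone holding a hijacked session still cannot read the full address."""
    local, _, domain = address.partition("@")
    name, _, tld = domain.rpartition(".")
    return f"{local[:1]}{'*' * (len(local) - 1)}@{name[:1]}{'*' * (len(name) - 1)}.{tld}"


def request_change(user: str, field: str, new_value: str, now: float = None) -> str:
    """Stage a change to 'password_hash' or 'recovery_email'. Nothing is applied here;
    the returned token is what the server would embed in a link mailed to the
    account's CURRENT recovery email, so a stolen session alone cannot finish it."""
    if field not in ("password_hash", "recovery_email"):
        raise ValueError("only sensitive account fields go through this flow")
    token = secrets.token_urlsafe(32)
    PENDING[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": user,
        "field": field,
        "value": new_value,
        "expires": (now if now is not None else time.time()) + TOKEN_TTL,
    }
    return token


def confirm_change(token: str, now: float = None) -> bool:
    """Apply the staged change only for a known, unexpired, single-use token.
    The entry is popped first so a token can never be replayed, expired or not."""
    entry = PENDING.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or (now if now is not None else time.time()) > entry["expires"]:
        return False
    ACCOUNTS[entry["user"]][entry["field"]] = entry["value"]
    return True
```

In a real deployment the token would travel only in the emailed link and the old address would also receive a notice of the change, which is what gives the legitimate owner the window to recover the account.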
United Kingdom

Just to briefly add, I understand that this is a site with little sensitive data stored on it, such as banking information. However, when the login system comprises your public username as opposed to a private email address, targeted brute-force attacks become exponentially more prevalent, hence I believe this to be a very necessary feature.

Edited by the author 3 years ago
ckellyspeedruns likes this
United States

My first immediate thought was, "Who wants to hack my src account" but we've seen it before, which is why MFA became a feature (if I am remembering correctly). Even if the site doesn't hold sensitive data I still think it should be more secure. MFA is nice but I would also like it if there were other options. Yes, MFA works for everyone because everyone who signs up to src needs an email and I think having it be mandatory for mods is good but other optional options for everyone would be beneficial.

Netherlands

I'll forward this to Elo, but please, send future security issues to Elo directly (preferably in private on security@speedrun.com) instead of posting these publicly on the forum.

Edited by the author 3 years ago
MrMonsh, Pear and 4 others like this
Scotland

Probably a good idea to delete the thread then, no?

happycamper_, Quivico, and Walgrey like this