Quote:
Originally Posted by Josem
I genuinely cannot believe that their "security" is so awful that anyone with the URL can gain access to the account. The idea that an adult human professional would program this in this manner is completely bananas to me - it obviously implies that they have no encryption of your login if you can simply copy it in plain text like this.
I believe it doesn't necessarily imply that the user/pass is not encrypted. If you wanted to program horribly, when you first log in through the client (which presumably is encrypted), the client could create a unique sessionID or something and send that sessionID to the server. Then when you click to open the sports betting/casino area, it would verify that the sessionID your client passes matches an existing sessionID from a logged-in user. Now obviously doing only this and passing the sessionID in the URL is ridiculously stupid. At a very minimum, you'd want to also make sure the IP address from the logged-in user matches the IP address from the person accessing the sports betting page. This still wouldn't be enough (but at least better), but I'm mainly trying to show that the user/password could still be encrypted. You might be aware of this, but I was hoping to provide a better explanation of what might be happening.
BTW, nobody should blame Mitch Jones, as it's completely unreasonable to expect that a URL is enough to gain access to your account.
Last edited by Ten5x; 08-12-2019 at 12:22 PM.
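To make the scheme the post sketches concrete, here is an added example (my own code, not the post's and not the betting site's) of a server-side session check. It contrasts the "sessionID exists" check with the post's minimum improvement of also binding the session to the IP that logged in, and shows how plainly a session token in a query string can be read back out of the URL. The function names, the in-memory store and the IP addresses are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlparse, parse_qs


@dataclass
class Session:
    user: str
    ip: str  # client IP recorded at login


# Constructed in-memory session store; a real service would use a server-side
# store with expiry and revocation.
SESSIONS: Dict[str, Session] = {}


def login(user: str, client_ip: str) -> str:
    """Mint an unguessable session id at login and bind it to the client's IP.

    Only the id leaves the server; the password is never placed in a URL.
    """
    sid = secrets.token_urlsafe(32)  # 256 bits of randomness
    SESSIONS[sid] = Session(user=user, ip=client_ip)
    return sid


def authorize_weak(sid: str) -> Optional[str]:
    """The check the post describes: the id merely has to exist.

    Anyone who obtains the URL (browser history, proxy logs, a copied link)
    is accepted, which is the failure the thread is about.
    """
    session = SESSIONS.get(sid)
    return session.user if session else None


def authorize_ip_bound(sid: str, client_ip: str) -> Optional[str]:
    """The post's minimum improvement: id must exist AND the request must
    come from the IP that logged in. Still not sufficient on its own
    (shared NAT, mobile networks), but it rejects a copied link from
    elsewhere.
    """
    session = SESSIONS.get(sid)
    if session is None or session.ip != client_ip:
        return None
    return session.user


def revoke(sid: str) -> None:
    """Invalidate a session on logout so a leaked URL stops working."""
    SESSIONS.pop(sid, None)


def extract_session_id(url: str, param: str = "sessionID") -> Optional[str]:
    """Pull the session id out of a query string, as anyone holding the
    link could; demonstrates that a URL-borne token is plain text."""
    values = parse_qs(urlparse(url).query).get(param)
    return values[0] if values else None


if __name__ == "__main__":
    # Constructed demo: one login, then the same link used from two IPs.
    sid = login("alice", "203.0.113.5")
    link = f"https://sportsbook.example/casino?sessionID={sid}"
    token = extract_session_id(link)
    print("weak check from another IP:", authorize_weak(token))
    print("ip-bound check from another IP:",
          authorize_ip_bound(token, "198.51.100.7"))
    print("ip-bound check from login IP:",
          authorize_ip_bound(token, "203.0.113.5"))
    revoke(sid)
    print("after logout:", authorize_ip_bound(token, "203.0.113.5"))
```

Running the demo shows the weak check accepting the copied link from any IP, the IP-bound check accepting it only from the login IP, and the link dying after `revoke`. Binding to IP is the post's stated minimum, not a complete fix; the usual remedy is to keep the token out of the URL entirely (for example in an HttpOnly cookie) and give it a short lifetime.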