High risk security breach in “Private Messaging” extension
Foreign conversations can be read out. For example, the messages function checks periodically if there are new messages: “message_to=221&conversation_id25&last_updated…” Now I can simply manipulate the conversation_id, for example: “message_to=221&conversation_id27&last_updated…” The server now answers with the messages from the conversation with id27, although I am not authorized to read these messages. It must be ensured that only participants of the conversation can retrieve messages!
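The participant check the post asks for, as an added example that is not part of the original post or the extension's code. It assumes the server knows the logged-in user from its own session; the table layout, the function names and the user ids 7, 300 and 301 are constructed for illustration.

```python
import sqlite3

def build_db():
    """Constructed sample data: conversation 25 is between users 7 and 221,
    conversation 27 is between users 300 and 301."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE participants (conversation_id INTEGER, user_id INTEGER,
                                   PRIMARY KEY (conversation_id, user_id));
        CREATE TABLE messages (id INTEGER PRIMARY KEY, conversation_id INTEGER,
                               sender_id INTEGER, sent_at INTEGER, body TEXT);
        INSERT INTO participants VALUES (25, 7), (25, 221), (27, 300), (27, 301);
        INSERT INTO messages VALUES
            (1, 25, 221, 100, 'hi'), (2, 25, 7, 200, 'hello'),
            (3, 27, 300, 150, 'private to 300 and 301');
    """)
    return db

class Forbidden(Exception):
    """Raised both for 'no such conversation' and 'not a participant',
    so the endpoint does not reveal which conversation ids exist."""

def poll_messages(db, session_user_id, params):
    """Return messages newer than last_updated, but only if the logged-in
    user (from the server-side session, never from the request) is a
    participant of the requested conversation."""
    try:
        conversation_id = int(params["conversation_id"])
        last_updated = int(params.get("last_updated", 0))
    except (KeyError, TypeError, ValueError):
        raise Forbidden("invalid request")
    allowed = db.execute(
        "SELECT 1 FROM participants WHERE conversation_id = ? AND user_id = ?",
        (conversation_id, session_user_id)).fetchone()
    if allowed is None:
        raise Forbidden("not available")
    return db.execute(
        "SELECT id, sender_id, body FROM messages "
        "WHERE conversation_id = ? AND sent_at > ? ORDER BY sent_at",
        (conversation_id, last_updated)).fetchall()

if __name__ == "__main__":
    db = build_db()
    print(poll_messages(db, 7, {"message_to": "221", "conversation_id": "25"}))
    try:
        poll_messages(db, 7, {"message_to": "221", "conversation_id": "27"})
    except Forbidden as exc:
        print("denied:", exc)
```

The membership lookup runs on every poll, so changing conversation_id in the request only ever returns conversations the session user belongs to.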