[Bug Report] Comments plugin does not validate password hash when posting a comment
[Bug Report] Comments plugin does not validate password hash when posting a comment
Comments plugin does not properly validate password hash. When addMessage endpoint is called, one can change loginData.username value to any existing username and impersonate any existing person in chat. While no important user data is stolen, this can certainly confuse people in the comment box. It is not reproducible consistently though, I wasn't able to find out what exactly is causing this behavior. If you can't reproduce, you can let me know and I will record a video.
@[email protected] pinging dev.
It is not reproducible consistently though
Please link to an example comment where you have replicated this, even just once (i.e. commenting using a username that you don't own). My guess is that when you refresh the page, you'll see that it didn't actually submit the comment under the username - i.e. you "tricked yourself", but didn't trick other users. But if I'm wrong here, then I'd definitely like to know about it! Either way, thanks for your report & concern.
Unfortunately, this is not the case. Everyone is able to see it. See chat in General room of this throw away generator: https://perchance.org/username-bug-demo