Untitled
a guest
May 18th, 2016
1) You're not using the HTTPS protocol! What does this mean? Well, anyone can access your account on the website.

If you're using the registration provided by the website (not Steam or any other 3rd-party service), then people can find out the password that you're using, and if you use it for other sites... well, yeah...

I think (knowing how OAuth and other protocols work, and from this http://i.stack.imgur.com/8KjWN.png) you'll have a token stored client-side (which is the usual, logical approach). However, this token is most likely passed to Flarum first, which then passes it on to Facebook, meaning that again, people can access your account *on this site, not on the 3rd party*, for a limited time.

Depending on what permissions DH (well, Flarum) requests from your Facebook account, it may also be possible to "persuade" Flarum to interface with Facebook and perform actions which you didn't intend.
> _Can be corrected with Let's Encrypt certificates_

2) People can request a password reset, intercept the email, and read it because DH sends it unencrypted.

What does this mean for you? Well, anyone can access your account if you use the registration provided by Flarum (the forum software).
> _Can be corrected with Let's Encrypt certificates_

3) You're using beta software not recommended for production. This means there are likely to be security flaws within the software itself, which may or may not mean that your account can be compromised.
> _Can be corrected by changing forum software_

4) Your donation store isn't encrypted. You process users' contact details and are not encrypting them. That said, you don't process any direct payment information (such as card numbers, CVVs, expiry dates, etc.).
> _Can be corrected with Let's Encrypt certificates_

5) You use cookies and also collect user data, but don't provide a privacy policy or a cookie policy (on your donation page either).
Because you're not encrypting this data, as far as I can tell, you need to tell people this in a privacy policy, so that they know their personal information is potentially at risk.
> _Can be corrected with a Privacy and Cookie policy_
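As an added example (not part of the original note), a small Python audit that checks the transport-security points raised above against captured HTTP responses: plain-HTTP pages that do not redirect to HTTPS, a missing HSTS header once the Let's Encrypt fix is in place, and session cookies without the Secure and HttpOnly flags. The URLs, headers and cookie name are constructed sample data, not real traffic from the site discussed.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlparse


def audit_response(url, status, headers):
    """Return a list of findings for one captured HTTP response.

    `headers` is a list of (name, value) pairs so that repeated Set-Cookie
    headers survive (a dict would keep only one of them).
    """
    findings = []
    hdr = {name.lower(): value for name, value in headers}
    location = hdr.get("location", "").lower()

    if urlparse(url).scheme.lower() == "http":
        # Plain HTTP is acceptable only as an immediate redirect to HTTPS;
        # anything else (a login form, a reset link) travels in cleartext.
        if not (300 <= status < 400 and location.startswith("https://")):
            findings.append("served over plain HTTP without redirect to HTTPS")
    elif "strict-transport-security" not in hdr:
        # Without HSTS the browser will still try plain HTTP on the next visit.
        findings.append("missing Strict-Transport-Security header")

    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # parses "name=value; Path=/; Secure; HttpOnly"
        for morsel in jar.values():
            missing = [flag for flag, attr in (("Secure", "secure"), ("HttpOnly", "httponly"))
                       if not morsel[attr]]
            if missing:
                findings.append(f"cookie {morsel.key!r} lacks {', '.join(missing)}")
    return findings


# Constructed sample responses (not real traffic): the forum as described
# in the note, and the same page after a Let's Encrypt deployment.
BEFORE = ("http://forum.example/login", 200,
          [("Content-Type", "text/html"),
           ("Set-Cookie", "flarum_session=abc123; Path=/")])
AFTER = ("https://forum.example/login", 200,
         [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
          ("Set-Cookie", "flarum_session=abc123; Path=/; Secure; HttpOnly")])

if __name__ == "__main__":
    for label, response in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_response(*response) or ["no findings"])
```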