EVE security devblog explains recent forum exploit

When EVE Online's new forum went live on Thursday, April 7th, it wasn't long before someone discovered a gruesome exploit. The cookie used by the forum wasn't encrypted, putting the user's character ID and signature in plain text. The forum software also didn't have the required validation procedures, meaning users could change the user ID in their cookies to any character's ID and they'd be able to post as that character. Moderator tools and private forums for EVE developers, volunteers and the CSM were also allegedly exposed.

In a new devblog, CCP Sreegs has explained the extent to which the exploit compromised security. In addition to being able to post as any user and edit any post, users abusing the exploit were able to inject arbitrary HTML into their forum signatures. Several players have been very vocally outraged by this, as the potential for someone to insert javascript into a forum page could be extremely damaging. Sreegs assured players that javascript inserted into the signature was sanitized and would not execute.

At least one player who reported the exploit was banned for subsequently abusing the exploit in an effort to force CCP to take action. In his devblog, Sreegs re-iterated the correct steps for getting in touch with CCP's security department if an exploit or security hole is discovered. Player response to the devblog has been largely positive, but questions still remain. CCP has yet to comment on why it decided to base the new forum on open source software Yet Another Forum and why it didn't inform players that it was using a pre-made package.