New EVE Online forums get off to a bumpy start

As part of EVE Online's Incursion expansion, players were due to get a new set of forums with a powerful new search feature and other handy tools. A beta version of the forum was released for testing by players at the end of February to help CCP collect feedback on its design. On Thursday, April 7th, the new forum was officially launched and the old forum was set to a read-only archive. It wasn't long, however, before problems began to crop up with the new forum. With so many people now using the new forum, it was only a matter of time before someone found a security hole in it.

Players discovered a cookie-based exploit that allowed them to authenticate as any EVE player without knowing the user's password, including forum moderators and CCP developers. Although user login data wasn't revealed, players abusing the exploit were able to edit other users' posts, access moderator tools and post as developers. A similar exploit was found that allowed players to post arbitrary Javascript into their forum signatures, which could have led to serious security compromises.

Web developers at CCP disabled the forum for several hours to develop and deploy a fix, but were ultimately unable to resolve the problem. For now, the new forum has been disabled and the old one has been reactivated in its stead. A devblog on the issue is due to be posted tomorrow.