Passwords in Mansion

[GotaFancy?(BPP)]

Not impressed - just clicked on Tournament Lobby in Mansion and IE opened with the following URL.....

https://www.mansion.com/Content/Zulu...er=******&pass=*******

I've edited the asterisks in......

Although this is secure (https) the password was visible in the url bar - what this means is that the Mansion software (Presume it's a network issue rather than a site issue) is storing my password in memory, unencrypted (or at the very least, bi-directional encryption) - seems incredibly lax to me

[McG]

Quote:

Originally Posted by GotaFancy?

Not impressed - just clicked on Tournament Lobby in Mansion and IE opened with the following URL.....

https://www.mansion.com/Content/Zulu...er=******&pass=*******

I've edited the asterisks in......

Although this is secure (https) the password was visible in the url bar - what this means is that the Mansion software (Presume it's a network issue rather than a site issue) is storing my password in memory, unencrypted (or at the very least, bi-directional encryption) - seems incredibly lax to me

PLUS, I had to have letters, numbers and at least 1 symbol in my password "for additional protection"

[GotaFancy?(BPP)]

I'm surprised there hasn't been more reaction to this - I view it as quite a major issue Don't know if I'm overreacting

Just to be clear - here's a screen print of what's happening (edited out of course)



I have searched my registry for the password as well as the contents of my hard drive, without finding it, so that's some comfort....

I dont have the "remember password" box ticked on login

[Valiant23]

I've just logged into Mansion and clicked on some buttons but my default browser is Firefox and some pages open with the address bar blank.


It is quite worrying but I'm not sure why exactly.

[GotaFancy?(BPP)]

It's not normal for anything to store passwords in such a way that they can be known - they are usually encrypted with a one way encryption method - one way meaning you can encrypt it, but cannot (in theory) decrypt it....

Even for something non financial like PL, the password database is stored with a one way encrytion algorythm - if someone forgets their pasword, we cannot find it, and we cannot tell them what it is - all we can do is set a new password....

For something that deals in financial information, I'm stunned that the program stores your password in such a way that it can access it.....if it's there it can be exploited......

I got onto live chat on Mansion earlier and they've passed it to their technical team - will post the response here

Have tried some other skins on the network, and the others dont seem to have the same issue - only Mansion so far seems to do it - however ultimately I'd view the issue with the whole network - if the mansion software can get ahold of your password, then it has to be available within the software for any of the skins....

Might post it up on 2plus2, they're pretty good at investigating this kind of thing, and have far better technical people than me who can get to the bottom of whether it's really an issue or not (Will wait for the reply from the Mansion technical team first)

[AJ]

I do see your point, I'd not want it displayed on screen for security point of view, someone could shoulder surf me whilst logged in and get my passed.

In terms of web security thouhgt, isn't it 128bt SSL or something, secure enough I'd guess ??

[GotaFancy?(BPP)]

Within the browser, yes it's secure (https), and I dont think that's so much the issue ..... I'm more concerned that this shows that a decrypted/decryptable version of my password is available from my machine (and as you say, anyone who can see my screen)

[AvonGirl]

I've tried clicking on various options within Mansion (lobby options, my account, cashier....) and am not getting anything displaying my password or the address showing like GaF's screen. Maybe the problem is in the browser in use? (not that I know about these things. I'm on erm....BT Yahoo I think ).

[Valiant23]

Quote:

Originally Posted by GotaFancy?

Within the browser, yes it's secure (https), and I dont think that's so much the issue ..... I'm more concerned that this shows that a decrypted/decryptable version of my password is available from my machine (and as you say, anyone who can see my screen)

How so?

You make a request for information through the poker client(?)

The poker client accesses the web site and requests the information to be shown through your browser(?)

Its strange the way it does it but does the fact that your details are shown in the address bar mean that they are available from your machine without following the above process?

[GotaFancy?(BPP)]

Where can it get the password from if it isn't your machine? Even if it comes from them - they shouldn't have access to it either....

[GotaFancy?(BPP)]

Quote:

Originally Posted by AvonGirl

I've tried clicking on various options within Mansion (lobby options, my account, cashier....) and am not getting anything displaying my password or the address showing like GaF's screen. Maybe the problem is in the browser in use? (not that I know about these things. I'm on erm....BT Yahoo I think ).

Open a tournament lobby (Highlight a tournament, then click "Go to tournament" button), then click on "Tournament Info" - what do you get? (the url I showed, redirects after a few seconds)

[AvonGirl]

No redirect, goes straight to this.

[GotaFancy?(BPP)]

That's where I go after the redirect

Is anyone else seeing their password or is it just me?

[Sharpe1ne]

Quote:

Originally Posted by GotaFancy?

That's where I go after the redirect

Is anyone else seeing their password or is it just me?

Having had to click on cashier and try and catch the url at the top,yes it does show my password.
Mind you with not being able to get tourny lobby's and having tons of trouble withdrawing from my account(i don't possess the card that i deposited with anymore and have no bank records to give them,i just can't get any money out of there,even though i put in a token £10 through Neteller i can't withdraw) then i just think there a set of useless gimboids.