Bug found in the powder toy

  • Maxifire32
    21st Mar 2021 Member 0 Permalink

    There is a dangerous bug that not everyone is aware of: if you change the extension of powder.pref to powder.txt, it will show not only the code but also the user info like the password and the username. This can be used to recover an account when you don't remember the password or, in the worst cases, steal a friend's account.

  • LBPHacker
    21st Mar 2021 Developer 0 Permalink
    This is not a bug; just don't share your powder.pref. By the way, every application that lets you authenticate with some service without entering a password (e.g. TPT, once you're logged in, or even your browser, and sadly even Windows, unless you enable drive encryption) stores such information somewhere in a non-encrypted or trivial-to-decrypt format, in some file like powder.pref. The recommendation for those is the same: just don't share them.
  • Maxifire32
    21st Mar 2021 Member 0 Permalink

    @LBPHacker

    OK, anyway, if I find any other bugs I will report them if needed.

  • jacob1
    21st Mar 2021 Developer 0 Permalink
    Also, just to clarify one more thing, we don't store passwords in powder.pref. You get a session key which authenticates you for as long as it is valid.

    Someone who steals your powder.pref can authenticate you and take any action on your behalf, but won't have your password. powder.pref cannot be used to permanently hijack an account though, since changing the email or password on an account does require the password.