Site commenters are ‘publicly and permanently listing their zip code’ for anyone to see
UPDATED A flaw in Gamasutra’s comments section may have exposed users’ IP addresses for more than two years.
The vulnerability in the popular gaming industry news and blogging site was spotted by software engineer and independent game developer Daniel Shumway, who said he flagged the issue to the site’s owners back in 2016 and decided to go public with his findings following a “multi-year responsible disclosure period”.
In a blog post published earlier this week, Shumway said a malicious visitor can easily view the IP address of any commenter on the Gamasutra website.
“Gamasutra records the IP address of every user who posts a comment on the site,” he explained. “This address is attached to the response JSON of every comment for every article.
“These IP addresses are stored indefinitely. When I discovered this vulnerability, I was able to reconstruct my entire living history for the entire duration of my account history.”
In layman’s terms, the developer said, most people who comment on a Gamasutra article are “publicly and permanently listing their zip code on the internet for literally anyone to see”.
The Daily Swig independently verified this issue yesterday.
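The leak Shumway describes is, at root, a serialization mistake: the stored comment record, IP field included, is dumped straight into the JSON the comment endpoint returns. The Python below is an added illustration, not code from Gamasutra or from Shumway's post. It contrasts that whole-row dump with an allowlist serializer that only emits named public fields, and adds a response audit that walks any decoded JSON body and flags string values that parse as IPv4 or IPv6 addresses, the kind of check a team can run against its own public API responses to catch this class of exposure. The record layout, field names (`ip`, `author`, `body`) and addresses are constructed for the example and are not Gamasutra's schema.

```python
import ipaddress
import json

# Constructed sample rows in the shape a comment store might hold server-side.
# The field names and addresses are assumptions for this example only.
STORED_COMMENTS = [
    {"id": 101, "author": "alice", "body": "Nice article!", "ip": "203.0.113.7"},
    {"id": 102, "author": "bob", "body": "Agreed.", "ip": "198.51.100.23"},
]

# Fields that are allowed to reach a logged-out visitor. Anything not named
# here (IP address, e-mail, internal flags) never leaves the server.
PUBLIC_FIELDS = ("id", "author", "body")


def serialize_unsafely(record: dict) -> dict:
    """The leaky pattern: hand the entire stored row to the JSON encoder."""
    return dict(record)


def serialize_comment(record: dict) -> dict:
    """Allowlist serializer: copy only the named public fields."""
    return {k: record[k] for k in PUBLIC_FIELDS if k in record}


def build_response(serializer) -> str:
    """Render the comment list as the endpoint would, using the given serializer."""
    return json.dumps([serializer(r) for r in STORED_COMMENTS])


def find_ip_values(obj, path: str = "$") -> list:
    """Walk a decoded JSON document; return (json_path, value) for every
    string that parses as an IP address. Numbers and booleans are skipped."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            hits.extend(find_ip_values(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            hits.extend(find_ip_values(value, f"{path}[{index}]"))
    elif isinstance(obj, str):
        try:
            ipaddress.ip_address(obj.strip())   # accepts IPv4 and IPv6
        except ValueError:
            return hits                          # ordinary text, not an address
        hits.append((path, obj))
    return hits


def audit_response(body: str) -> list:
    """Audit a JSON response body for IP-address-looking strings."""
    return find_ip_values(json.loads(body))


if __name__ == "__main__":
    print("whole-row dump:", audit_response(build_response(serialize_unsafely)))
    print("allowlisted   :", audit_response(build_response(serialize_comment)))
```

Run against the constructed data, the whole-row dump is flagged at `$[0].ip` and `$[1].ip` while the allowlisted response is clean. The audit is intentionally schema-agnostic so it can be pointed at any endpoint's output; the fix itself is the allowlist, since a denylist of "fields to hide" silently fails the next time a column is added.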
In addition to the IP leaks, Shumway said he identified a CSS injection vulnerability that could allow malicious visitors to track user behavior or record user passwords, along with a “trivial” cross-site scripting (XSS) flaw that could enable an attacker to steal user credentials using a JavaScript exploit.
“While I won’t mention the exact method, Gamasutra’s parsing seems to [be] based on a few half-hearted regular expressions,” he said. “It only took a few hours to find holes in their system, and the majority of that time was spent waiting for my posts to properly save and load.”
He added: “Stealing a user’s credentials means that an attacker gets edit access to that user’s blog posts. This means that a script can ‘infect’ other user accounts, inserting itself into their posts to silently spread itself across the site.”
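Shumway attributes the XSS to comment parsing built on "a few half-hearted regular expressions" and does not publish the bypass, so none is shown here. What a defender wants instead is the alternative: run user markup through a real HTML parser and rebuild it from an allowlist of tags and attributes, so that anything unknown (event-handler attributes, `script` content, non-http link schemes) is dropped rather than pattern-matched away. The sanitizer below is an added example written for this article, not Gamasutra's code and not a description of its actual fix; it uses only the Python standard library, and the allowed tag set, the `rel` attribute it adds to links and the sample comments are choices made for the illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist: tags, per-tag attributes and URL schemes that may survive.
# Everything not listed is removed; there is no list of "bad" patterns to keep current.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "code"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = {"http", "https", ""}  # "" permits relative links
RAW_TEXT_TAGS = {"script", "style"}       # their text content is discarded as well


def safe_href(url: str) -> bool:
    """Accept only http(s) or relative URLs as link targets."""
    return urlparse(url.strip()).scheme.lower() in SAFE_URL_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuild markup from parser events instead of regex substitution on the raw string."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open_tags: list[str] = []   # allowed, non-void tags awaiting a close
        self.skip_depth = 0              # >0 while inside <script>/<style> content

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS or self.skip_depth:
            return                       # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue                 # onclick, style, etc. never pass
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "a":
            kept.append(' rel="nofollow noopener"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> and similar self-closing forms

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in self.open_tags:
            # Close any intervening unclosed tags so the output stays well-formed.
            while self.open_tags:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.open_tags:            # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html: str) -> str:
    """Return only allowlisted markup; other tags are removed and text is escaped."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample comments for the demonstration.
    for sample in [
        "<p>Great write-up, <b>thanks</b>!</p>",
        '<p>See <a href="http://example.com/" onclick="x()">this</a></p>',
        "<p>unclosed <i>italic</p>",
    ]:
        print(sanitize(sample))
```

The design point is that the parser, not the author of the filter, decides where tags and attributes begin and end, so the sanitizer's correctness does not depend on anticipating every way a string can be written to slip past a pattern. Because allowed elements are re-emitted from their parsed form, attributes are quoted and escaped on output, and unclosed elements are closed before the fragment is returned, so it cannot swallow markup that follows it on the page.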
Lastly, the developer said a lack of database authentication on the Gamasutra site gives logged-out users full access to its site-wide image database.
“I confirmed that I was able to view, upload, delete, and rename images from one of my own blog posts,” he said. “I also confirmed that once Gamasutra’s cache expired, the new replacement images were served as normal.”
Launched in 1997, Gamasutra is a popular site for those interested in video game development and related industry news.
The site is owned by UBM Technology Group, which is perhaps better known as the organizer of the Black Hat security conferences in the US, Europe, and Asia.
When quizzed over the two-year disclosure process for the Gamasutra flaws, Shumway told The Daily Swig: “I reported the XSS/CSS vulnerability and IP address leaks in 2016. The database vulnerability was reported just over two months ago.
“Of those, an attempt was made to fix specifically the XSS vulnerability. I don’t know exactly when that got pushed.”
He added: “I found out after getting in contact with UBM [on Monday] that this actually ended up being a bit of a communication error. The bug was marked as closed afterwards even though the fix only made the attack slightly harder to execute.
“I wasn’t aware that the bug had been completely closed, and upper management wasn’t aware that the fix was insufficient. In so far as I know, there weren’t ever any fixes pushed to address the other vulnerabilities.”
In a statement to The Daily Swig, a UBM spokesperson said: “We’re actively working to investigate and address some issues with the website that this blogger has reported to us, and have thanked them for being in touch. We don’t have anything further to add for now.”
This article has been updated to include comments from UBM.