
You can make whatever you want. We're not the taste police. If you see something that's actually illegal, there's a report button in the footer of every project page. Please use it, and itch.io staff will take a look.

And yes, actually, clicking some links in the browser will open another app on your computer. Once again, that's how desktop operating systems work. This is not a security issue in any way, shape or form. You're making stuff up.

(2 edits)

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look...

I can provide another dozen extremely in-depth reasons why your "mailto" system can be exploited, or used to exploit.

I cannot remember if this is the person that suggested I should educate myself. Please, please, educate yourself.

Oh, I see now. You say I am "making things up".

(2 edits) (+1)

No, but I'll say your reading comprehension is sorely lacking. That article describes a ransomware attack that was nicknamed "MailTo" for indirect reasons that have very little to do with e-mail addresses. So yes, please educate yourself.

https://www.zdnet.com/article/some-email-clients-are-vulnerable-to-attacks-via-m...

https://security.stackexchange.com/questions/235427/what-are-the-dangers-of-a-ma...

https://adamsilver.io/blog/the-trouble-with-mailto-email-links-and-what-to-do-in...

Back in your court. Do I have to provide 3 more? I can.

Please educate yourself, and save yourself and your customers future issues.

Why do you defend "mailto" to the grave? Does it give you identifying information? What is your benefit?

Your argument that it is "convenient for the customer" is not true. I am already signed into my email, yet your system forces me to re-sign in.

AND, it is a dubious system whether you believe it or not.

(2 edits) (+2)

"yet your system forces me to re-sign in."

A mailto link isn’t a system. If you have multiple e-mail clients, it is your system that is simply poorly configured.

Your first link refers to four vulnerabilities in different software that are now all patched.

The exploit in your second link relies on the attacked user actually pressing the Send button, revealing their preferred e-mail address. How do you expect Itch to know to whom they are speaking without knowing your address?

The third link isn’t even a vulnerability.

The first link speaks of some serious stuff, but if some implementations having vulnerabilities is enough to throw away an entire protocol, then we would’ve thrown away HTTP because some servers are prone to path traversal. The article is from 2020, anyway.

Lastly, the mailto link is visible to everyone: mailto:support@itch.io. No attach parameter, no nothing.
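The post above makes its point by reading the link itself: a mailto: URI is the recipient list, optionally followed by ?key=value header fields, and the one on itch.io's pages carries no fields at all. The following is an added example, not code from itch.io or from anyone in this thread, that does that inspection mechanically: it parses mailto: links and flags the fields a practitioner would want to see before clicking, above all attach/attachment, which some desktop mail clients have honoured as a request to attach a local file. The MAX_BODY_LENGTH threshold and the sample hostile links are assumptions constructed for illustration; only mailto:support@itch.io is taken from the thread.

```javascript
// Added example, not code from itch.io or from this thread.
// Parses mailto: links (RFC 6068 shape: recipients, then ?key=value header
// fields) and flags fields that ask the mail client to do more than open a
// draft addressed to someone. "attach"/"attachment" are the fields some
// desktop clients historically honoured; MAX_BODY_LENGTH is an assumption.

const RISKY_PARAMS = new Set(["attach", "attachment"]);
const MAX_BODY_LENGTH = 2000; // assumption: a longer pre-filled body is suspicious

function parseMailto(href) {
  if (typeof href !== "string" || !/^mailto:/i.test(href)) {
    throw new TypeError("not a mailto: link: " + href);
  }
  const rest = href.slice("mailto:".length);
  const qIndex = rest.indexOf("?");
  const recipientPart = qIndex === -1 ? rest : rest.slice(0, qIndex);
  const query = qIndex === -1 ? "" : rest.slice(qIndex + 1);

  // Recipients are comma-separated and may be percent-encoded.
  const recipients = recipientPart
    .split(",")
    .map((r) => decodeURIComponent(r.trim()))
    .filter((r) => r.length > 0);

  // Header field names are case-insensitive; a later duplicate overwrites an earlier one.
  const params = {};
  for (const [key, value] of new URLSearchParams(query)) {
    params[key.toLowerCase()] = value;
  }
  return { recipients, params };
}

function auditMailto(href) {
  const { recipients, params } = parseMailto(href);
  const findings = [];

  for (const key of Object.keys(params)) {
    if (RISKY_PARAMS.has(key)) {
      findings.push(`"${key}" field points the mail client at a local file: ${params[key]}`);
    }
  }
  // A "to" field adds recipients that the visible address part does not show.
  if ("to" in params) {
    findings.push(`extra recipient hidden in "to" field: ${params.to}`);
  }
  if ((params.body || "").length > MAX_BODY_LENGTH) {
    findings.push("pre-filled body is unusually long");
  }
  const malformed = recipients.filter((r) => !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(r));
  if (recipients.length === 0 || malformed.length > 0) {
    findings.push("recipient list is empty or malformed: " + JSON.stringify(recipients));
  }
  return { href, recipients, params, risky: findings.length > 0, findings };
}

// Audit every mailto: link in a list of hrefs. In a browser the list would be
// [...document.querySelectorAll('a[href^="mailto:"]')].map((a) => a.href).
function scanMailtoLinks(hrefs) {
  return hrefs.filter((h) => /^mailto:/i.test(h)).map(auditMailto);
}

// Constructed sample links: the first is the one visible on itch.io's pages;
// the mailto: links to example.com are made up here to show hostile shapes.
const SAMPLE_LINKS = [
  "mailto:support@itch.io",
  "https://itch.io/docs",
  "mailto:victim@example.com?subject=Bug%20report&attach=/etc/passwd",
  "mailto:victim@example.com?to=hidden%40example.net&body=hello",
];

for (const result of scanMailtoLinks(SAMPLE_LINKS)) {
  console.log(result.risky ? "RISKY" : "ok   ", result.href);
  for (const finding of result.findings) console.log("   - " + finding);
}
```

Run with node; the plain itch.io link comes back clean, while the two constructed links are reported for the attach field and the hidden to field respectively. Whether a given mail client actually acts on attach is a property of that client, which is the point made in the thread: the link on the page contains nothing for a client to act on.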

(+1)

I'm defending a little something called truth. You keep trying to accuse itch.io of I'm not sure what, using sources you clearly didn't read and didn't understand. No need to "believe" anything. Learn to use your own sources.

(+1)

No need, just read those articles and try to actually understand what they're saying. You are not and can't be in danger simply from clicking such a link, even by mistake. Especially not on a trusted website. Reading comprehension, what a concept.