Security Bug - Windows Metro app

DeletedUser829

Guest
Bug Description: If someone logs into Grepolis using a Windows Modern app from the Microsoft Store, they will always be able to sign into Grepolis regardless of whether the password has changed. It will not prompt them for it.

Steps to reproduce:
- Log into an account using a Windows Metro app, save the login information.
- Log into your account using the HTML web app, change your password.
- Start up Grepolis using the Windows RT (Windows 8/8.1/10) app and you'll be able to log in without entering a password.

-----
Even though the password has changed, the Windows app does not ask you to enter any new information.

The login token it uses is a special one that seems to grant access without the need for the password check.

I'm testing this now to see if I can copy this to another Windows 10 device to see if it will auto-login, and if syncing my data between Windows 10 PCs will copy this data.
 

DeletedUser829

Guest
If that was the case, then that is holding onto an invalid token because the user it logged me in as was an account I gave away over a year ago... (Note I did log out of the account, but it did sync to all my other devices).
 

DeletedUser35863

Guest
How do you have a Windows 10 device???? I thought they haven't been released yet.

Isn't it supposed to be released in November?
 

DeletedUser829

Guest
Windows Insider Program.

Anyways, it seems I can, with some work, copy a login from a Windows device and push it to another and log in as that user. Did it locally with my PC and my Surface.
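
Added example, not part of the original thread and not Grepolis code: a minimal server-side sketch of the fix for the behaviour reported above, where a saved login token stops working after a password change or a logout. The class name, method names and the account name "player1" are hypothetical.

```python
import hashlib
import secrets


class RememberMeStore:
    """Hypothetical server-side store for long-lived 'saved login' tokens."""

    def __init__(self):
        self._generation = {}  # account -> credential generation counter
        self._tokens = {}      # sha256(token) -> (account, generation at issue)

    @staticmethod
    def _digest(token):
        # Only a hash is stored, so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account):
        token = secrets.token_urlsafe(32)
        gen = self._generation.setdefault(account, 0)
        self._tokens[self._digest(token)] = (account, gen)
        return token

    def validate(self, token):
        key = self._digest(token)
        entry = self._tokens.get(key)
        if entry is None:
            return None
        account, gen = entry
        if gen != self._generation.get(account):
            # Issued before the last password change: reject and forget it.
            del self._tokens[key]
            return None
        return account

    def password_changed(self, account):
        # Bumping the generation invalidates every token issued earlier,
        # including copies synced or moved to other devices.
        self._generation[account] = self._generation.get(account, 0) + 1

    def logout(self, token):
        self._tokens.pop(self._digest(token), None)


def demo():
    # Constructed scenario mirroring the reproduction steps in the report.
    store = RememberMeStore()
    app_token = store.issue("player1")   # saved by the Windows app
    web_token = store.issue("player1")   # web session
    before = store.validate(app_token)
    store.logout(web_token)
    after_logout = store.validate(web_token)
    store.password_changed("player1")    # password changed on the web
    after_change = store.validate(app_token)
    return before, after_logout, after_change
```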
 