Difmark.com – Reported Security Bug
I recently bought a game from difmark.com and the next day went to sign into my account, mistyped my password, and received an attempted sign-in warning email. This email is sent to alert customers in case somebody is attempting to sign into their account without permission. I noticed the email includes the IP address that the attempted sign-in was from, and knew this was not my IP address. After a quick check, I found a small error within their website: it is not recording users' or visitors' IP addresses correctly. They also have a page called the history log, which you can check from your customer account and which details all successful, attempted, and failed login requests to your account, and as I suspected the error is there too.
I reported this to them and offered to give further information on the issue to their technical team if needed; the live chat agent left the chat without even a thank you for the information.
You may ask why it is important to correctly log IP addresses.
Firstly, as I have detailed, if you receive an email advising of a failed login you cannot easily check the location of the IP address the attempted sign-in came from, because the address shown is not the attacker's.
Secondly, it makes it harder for them as a company to tie logins and transactions to a real user, investigate suspicious activity, or even get accurate figures from small things such as their website analytics.
The screenshot below shows the IP addresses recorded for sign-ins to my account. All of them are Cloudflare IP addresses: the site sits behind Cloudflare's proxy, so the TCP peer the web server sees is always a Cloudflare edge node, and the application is storing that peer address instead of the original visitor's address, which Cloudflare passes along in the CF-Connecting-IP request header. This is a very quick and easy problem to fix with just a few lines of code, with one caveat: the header must only be trusted on requests that actually arrive from Cloudflare's published address ranges, otherwise anyone connecting directly to the origin could write whatever address they like into the log.
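As an added example (not code from difmark.com or from Cloudflare), the following Python shows the fix described above: a login logger that records the peer address only when the request does not come through a trusted proxy, and otherwise takes the client address from CF-Connecting-IP, falling back to X-Forwarded-For. The Cloudflare ranges below are a constructed sample for illustration; a real deployment should load the full current list from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6. The function and header names other than CF-Connecting-IP and X-Forwarded-For are this example's own.

```python
import ipaddress
from typing import Iterable, Mapping, Optional

# Constructed sample of Cloudflare edge ranges for this example only. The
# authoritative list is published at https://www.cloudflare.com/ips-v4 and
# https://www.cloudflare.com/ips-v6 and must be refreshed from there.
SAMPLE_CLOUDFLARE_RANGES = [
    "173.245.48.0/20",
    "103.21.244.0/22",
    "104.16.0.0/13",
    "172.64.0.0/13",
]


def _parse_ip(value: str) -> Optional[ipaddress._BaseAddress]:
    """Return an address object, or None if the string is not a valid IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return ""


def is_trusted_proxy(addr: str, trusted_ranges: Iterable[str]) -> bool:
    """True if addr lies inside one of the trusted proxy CIDR ranges."""
    ip = _parse_ip(addr)
    if ip is None:
        return False
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in trusted_ranges)


def resolve_client_ip(remote_addr: str, headers: Mapping[str, str],
                      trusted_ranges: Iterable[str] = SAMPLE_CLOUDFLARE_RANGES) -> str:
    """Return the address that should be written to the login history.

    remote_addr is the TCP peer. A naive logger stores it directly, which behind
    Cloudflare yields a Cloudflare edge address every time (the bug reported
    above). Forwarding headers are honoured only when the peer is a trusted
    proxy, because a client connecting directly can set them to any value.
    """
    trusted = list(trusted_ranges)
    if not is_trusted_proxy(remote_addr, trusted):
        # Direct connection, or someone bypassing the proxy: ignore the headers.
        return remote_addr

    # Cloudflare sets CF-Connecting-IP to the original client address.
    cf_ip = _parse_ip(_header(headers, "CF-Connecting-IP"))
    if cf_ip is not None:
        return str(cf_ip)

    # Generic fallback for other proxies: walk X-Forwarded-For right to left,
    # dropping hops that are trusted proxies. The first remaining hop is the
    # client; anything further left was appended by untrusted parties.
    hops = [h.strip() for h in _header(headers, "X-Forwarded-For").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop, trusted):
            return hop if _parse_ip(hop) is not None else remote_addr
    return remote_addr


def history_entry(event: str, remote_addr: str, headers: Mapping[str, str]) -> dict:
    """Build one history-log record with the corrected client address."""
    return {"event": event, "ip": resolve_client_ip(remote_addr, headers)}


if __name__ == "__main__":
    # Constructed request: Cloudflare edge as peer, real visitor in the header.
    print(history_entry("failed_login", "173.245.48.10",
                        {"CF-Connecting-IP": "203.0.113.7"}))
```

The important design choice is the trust check on the peer address before reading any header. Without it the fix would replace one logging bug with a worse one: an attacker could make the history log attribute their failed logins to an address of their choosing.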
I have tried to reach out to advise them of the possible implications of this issue, but to this point nobody has responded or followed up with me.
I have decided to share this information in the hope that they will then decide to take the cyber security of their systems seriously and at least reach out to the people who are trying to help them.