Account Info in Plain Text

[Angrymoleratsbaggle]

I posted this in the AtariVCS subreddit, thought some here would find it interesting.

 

Well digging around trying to add some open source games to the Dashboard I found that the account info is stored in plain text in a json file.

 

The file is located at /home/user/.config/unity3d/Atari/Dashboard/Production/GameDoc/LocalDB/Session.json

I found it using a Fedora live disk, on Fedora its mounted in /run/media/liveuser/storage instead of /home

 

It includes email, pin, password, nick name, and date of birth.

It appears the password is something generated and used for creating an authorization token for the store. The token is also listed in the file.

 

The Session.json file appears to store the info for anyone with an account on the system.

[justclaws]

I suggest you prevent the console from being stolen, in that case. ?
Thank goodness for SSL, in regard to communication with the server. I believe that information is per-console, though?
I don't know yet if it's possible to login to another console with account details from another machine. I think accounts are local at this time.
I am looking forward to looking more deeply into the differences between AtariOS versions as they come along, if it's still possible.

[CPUWIZ]

Is this "system" wipeable?  If not, FAIL².

[Angrymoleratsbaggle]

1 minute ago, CPUWIZ said:

Is this "system" wipeable?  If not, FAIL².

You can install other OSes on it in place of the Atari OS.

 

I had it dual booting Fedora and Windows 10 for a couple days.

I put the AtariOS back on because someone asked if I could see if it'd boot after restoring the OS.

[orange808]

Plain text PII/credentials on the VCS are not something people want to see from a company that is involved in cryptocurrency.  ?

 

Edited January 3, 2021 by orange808

[CPUWIZ]

13 minutes ago, orange808 said:

Plain text PII/credentials on the VCS are not something people want to see from a company that is involved in cryptocurrency.  ?

 

 

Come on now, what could possibly go wrong?

 

[Cebus Capucinis]

LMFAO, better hope your Netflix box isn't wide open to the interwebs and that you aren't re-using passwords ? 

 

Does it store credit card data anywhere and can I get your IP? "Asking for a friend!"

[Angrymoleratsbaggle]

20 minutes ago, Cebus Capucinis said:

LMFAO, better hope your Netflix box isn't wide open to the interwebs and that you aren't re-using passwords ? 

 

Does it store credit card data anywhere and can I get your IP? "Asking for a friend!"

 

The Netflix "app" for it is just a bookmark for Chrome that launches the address directly in Chrome, so should be alright.

 

I don't know about credit card info, the thing is so weakly implemented I don't trust it to enter one.