Fileshack WTF

  • An update was released for my game so I decided to download it from Fileshack. Only problem was that it required you to log in to download any file. As I didn't want to fill their user database with another account that would be used only once offered the solution.

     Looking at their cookies I won't have any troubles logging in till Dec 2007 - there's a cookie containing the username and a cookie containing your password - unencrypted! I wouldn't be surprised if it was the same for the paid accounts.

    Why store the login credentials at all client side? A hash would have been enough..
    Another WTF: when you go to download your file you're put in a queue. The URL ends with paid=0. Set it to 1 and you're thanked for your support to the site but you still have to wait. So it would seem they still store whether you're a paying member server side. Then why not use it to generate the page too instead of a GET var? It also helps you view your queue status.

  • And then there's the sites that think they're soo ajaxy when they put up a second-counter until the moment you're allowed to download. Unfortunately, this is all client-side JavaScript, so just reading the source a bit will allow you to skip the wait.
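
Added example (not part of the thread and not Fileshack's code): a server-side sketch of the three points raised above, in which the cookie holds only a random session id, paid status is read from server state rather than a GET variable, and the download wait is enforced by a signed ticket instead of a client-side counter. All function names, the in-memory `SESSIONS` store, the integer file ids and the 60-second wait are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # never leaves the server
SESSIONS = {}  # session id -> account record, held server-side


def login(username, paid):
    """After the password check: the cookie gets a random id, no credentials."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "paid": paid}
    return sid


def _tag(sid, file_id, not_before):
    """HMAC binding a ticket to one session, one file and one release time."""
    msg = f"{sid}|{file_id}|{not_before}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_ticket(sid, file_id, now, free_wait=60):
    """Queue entry: the server fixes the earliest download time."""
    account = SESSIONS[sid]  # paid status read from server state, not from ?paid=
    not_before = now if account["paid"] else now + free_wait
    return f"{not_before}.{_tag(sid, file_id, not_before)}"


def redeem_ticket(sid, file_id, ticket, now):
    """Serve the file only for an authentic ticket whose wait has elapsed."""
    if sid not in SESSIONS:
        return False
    try:
        nb_text, tag = ticket.split(".", 1)
        not_before = int(nb_text)
    except ValueError:
        return False  # malformed ticket
    expected = _tag(sid, file_id, not_before)
    return hmac.compare_digest(tag.encode(), expected.encode()) and now >= not_before
```

A page can still show a countdown for convenience; the decision to serve the file is made in `redeem_ticket`, so editing the page source or the URL changes nothing.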
