I recently found a serious security issue with Jagex (who owns the worlds most popular MMORP called Runescape).

This security issue is caused when a customer wants to cancel their membership. Jagex asks for you to send them PLAINTEXT credit card details via EMAIL. Yes, you read correctly. Plaintext credit card information, potentially the most personal information via email.



This can become a major issues in many situations. I will list a few. If Runescape/Jagex mail servers and or support desk is hacked a malicious hacker can now read all these emails from people sending in their plaintext information. The other and more likely issue is a customers email is breached via malware or phising (yes there is targeted attacks at Runescape players) and now that hacker has access to the customers credit card details.

How can Jagex fix this?
Jagex could easily fix this by automating the process of cancelling. For example card number 1234 is linked with the username Person when Person clicks on the cancel subscription link it automatically stops requesting payments. This is basically what theyre already doing but making people send plaintext credit card details.The current procedure may breach data protection laws (UK), im not 100% sure with that. Regardless, this is a major vulnerability it jagex's payment processing method.








Disclaimer: Yes, I have emailed jagex several times about this without any human response (only the automated ones). They did not seem interested in patching this so I hope a little public pressure will.