Thoughts Media Forums > Thoughts Media Status Updates
#1 07-31-2008, 08:51 PM
Jason Dunn
Executive Editor
Join Date: Aug 2006
Posts: 29,160
vBulletin Vulnerability: Passwords Shuffled for Some Users

If you're trying to log into our forums and having trouble, here's why: there are some individuals going around and running scripts against vBulletin installs, specifically looking to hijack user accounts where the username and password are the same. These people then use these hijacked accounts to send out spam private messages and email messages (I've turned off the email function on our board). I was shocked to learn that we have 559 users who have done exactly that: chosen their password to match their username. Not only is this bad security, it leaves the door open for hacker-types to get into our board, pretending to be real users, and cause problems. To prevent this, what we've done is randomize the passwords for the 559 users who were impacted by this.

If you're one of these users, all you need to do is use the Lost Password Recovery Form (http://forums.thoughtsmedia.com/login.php?do=lostpw) to have the password sent to you - which you'll then want to reset to something else...something other than your username, of course. If you have any trouble with this process, please contact me (http://forums.thoughtsmedia.com/sendmessage.php) and I'll manually reset your password. I apologize for any hassle this may cause, but this step was necessary to protect the security of all our users.
#2 08-01-2008, 01:14 AM
Rocco Augusto
Editor Emeritus
Join Date: Aug 2006
Posts: 2,432

Are we going to prevent users from using their username as their password in the future?
#3 08-01-2008, 04:06 AM
Jason Dunn
Executive Editor
Join Date: Aug 2006
Posts: 29,160

Quote:
Originally Posted by Rocco Augusto
Are we going to prevent users from using their username as their password in the future?
At the moment vBulletin lacks any such feature...which completely blows my mind. I'm hoping they'll release a patch in the near future to address this problem.
#4 08-01-2008, 07:43 PM
Rocco Augusto
Editor Emeritus
Join Date: Aug 2006
Posts: 2,432

Quote:
Originally Posted by Jason Dunn
At the moment vBulletin lacks any such feature...which completely blows my mind. I'm hoping they'll release a patch in the near future to address this problem.
I hope so. Because if there is one thing I learned from my years of using the Internet, at least one of those 500+ people will try to change their password back to their username.
#5 12-04-2008, 10:42 AM
Yair
Neophyte
Join Date: Dec 2008
Posts: 3

What's the point in hijacking an account for this purpose? Is it that hard to generate an account? All that hassle because of the CAPTCHA?
 
#6 12-04-2008, 11:35 PM
Pony99CA
Swami
Join Date: May 2004
Posts: 4,396
The Point

Quote:
Originally Posted by Yair
What's the point in hijacking an account for this purpose? Is it that hard to generate an account? All that hassle because of the CAPTCHA?
Because your spam will appear to come from a legitimate user. If you're really lucky, it will be one with an extensive posting history. Admins probably won't be so quick to ban accounts for those people like they would with new users; instead, they'll do what Jason (and I, when this happened at pocketnow) did and change the passwords (I also E-mailed the few users I noticed to let them know what happened).

For example, one user at pocketnow who seemed to fall into this was the CEO of a well-known gadget clothing company. That one really surprised me. I wasn't about to ban or delete his account, though.

Given that this happened over four months ago, I hope there's now code in place to prevent passwords that are the same as user names. It seems like it should be a very simple change.

For what it's worth, I just tested this on my phpBB 2.x forum and nothing prevents user IDs and passwords from being identical, either. (I haven't tested phpBB 3.x.)

Steve
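Added example, not code from this thread or from vBulletin itself, covering the three things discussed above: the audit Jason ran (find accounts whose password equals their username), his randomize-the-password remediation, and the registration-time check that Jason and Steve note vBulletin 3.x did not ship. It assumes the vBulletin 3.x hash scheme, md5(md5(password) + salt) with a per-user salt stored beside the hash; the sample user rows, the salts, the "too close to the username" policy (reversed or lightly padded username) and the extra lowercased-username guess are all constructed assumptions for illustration.

```python
import hashlib
import secrets
import string


def vb3_hash(password, salt):
    """vBulletin 3.x scheme: md5(md5(password) . salt), both digests as hex."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def make_salt(length=3):
    """Random alphanumeric salt; vBulletin 3.x salts were short, hence 3 by default."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_too_close_to_username(username, password):
    """Registration-time check the thread says vBulletin 3.x lacked.
    Policy (an assumption, not vBulletin's): reject the username itself
    (case-insensitive), the username reversed, and the username padded with
    fewer than four extra characters, e.g. 'jdunn1' or 'jdunn!!'."""
    u = username.strip().casefold()
    p = password.strip().casefold()
    if not u or not p:
        return True
    if p == u or p == u[::-1]:
        return True
    return u in p and len(p) - len(u) < 4


def find_username_as_password(rows):
    """Audit of existing accounts. rows: (username, salt, stored_hash), as in
    vBulletin's user table. Hash each username with that row's salt, exactly
    as a login attempt using the username as the password would, and flag
    matches. The lowercased username is tried too (assumption: the attacker's
    script would try that variant as well)."""
    hits = []
    for username, salt, stored in rows:
        for guess in (username, username.lower()):
            if secrets.compare_digest(vb3_hash(guess, salt), stored):
                hits.append(username)
                break
    return hits


def randomize_password(salt):
    """Remediation from the thread: replace the password with a random one
    nobody knows; the user gets back in through the lost-password form."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    new_password = "".join(secrets.choice(alphabet) for _ in range(32))
    return new_password, vb3_hash(new_password, salt)


def remediate(rows):
    """Return (updated rows, sorted usernames whose password was reset)."""
    flagged = set(find_username_as_password(rows))
    updated = []
    for username, salt, stored in rows:
        if username in flagged:
            _, stored = randomize_password(salt)
        updated.append((username, salt, stored))
    return updated, sorted(flagged)


# Constructed sample user table (not real accounts): three of the five
# chose their username as their password, one of them with different case.
_SAMPLE_PLAINTEXT = [
    ("jdunn", "correct horse battery"),
    ("rocco", "rocco"),
    ("Pony99CA", "pony99ca"),
    ("yair", "yair"),
    ("steve", "Sv!pocketpc-2008"),
]


def build_sample_rows():
    rows = []
    for username, plaintext in _SAMPLE_PLAINTEXT:
        salt = make_salt()
        rows.append((username, salt, vb3_hash(plaintext, salt)))
    return rows


SAMPLE_ROWS = build_sample_rows()

if __name__ == "__main__":
    print("username == password:", find_username_as_password(SAMPLE_ROWS))
    fixed, reset = remediate(SAMPLE_ROWS)
    print("reset:", reset, "remaining hits:", find_username_as_password(fixed))
    for candidate in ("JDUNN", "nnudj", "jdunn12", "jdunn-2008!"):
        verdict = "rejected" if password_too_close_to_username("jdunn", candidate) else "ok"
        print(candidate, verdict)
```

The audit only needs the stored hash and salt, which is why an attacker's script can do the same thing from the outside with one login attempt per account; the defender's advantage is that the check runs against the whole table at once. Because the random replacement password is never shown to anyone, the lost-password flow is the only way back in, which is exactly the behaviour the first post describes.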
Powered by vBulletin® Version 3.8.9
Copyright ©2000 - 2017, vBulletin Solutions, Inc.
Copyright Thoughts Media Inc. 2009