Security - Prevent Simultaneous Logins into the same account


    Script kiddies at my forum use a trick where they get members to click on external links. At these external sites, they use XSS to steal the forum cookies. They then log in as those users on the forums, effectively stealing the account.

    They've done this several times, and the latest time -- it was me, the admin of the board. I and a hacker were both logged into my account. While browsing the board, I saw a post by me that was not made by me.

    There needs to be some fix for this. How can the sessions be made more secure to prevent stealing, or, is there a way to prevent multiple logins on the same username simultaneously? I need a quick fix!

  • #2
    But then if we did this and the hacker logged in when you were offline, how do you get online?

    Comment


    • #3
      That's a good point. But how else can I stop this? They are using external XSS - and disguising every link. Even if the mod staff is careful, it's going to happen.

      Perhaps if someone logs into an already logged in account, reset both cookies?

      Comment


      • #4
        You could disable bbcode in signatures, which would prevent img code and the url tag as well.

        Comment


        • #5
          What about the URL tag in Posts, then?

          Nice

          What I'm saying is that this kind of thing is inevitable, is there any way to make the session more secure?
          Last edited by mxtabs; Mon 19 Jun '06, 9:27pm.

          Comment


          • #6
            Actually, simply clicking on a link shouldn't do anything, as browsers generally only allow access to the cookies from the same domain.
            Best Regards
            Colin Frei

            Please don't contact me per PM.

            Comment


            • #7
              But it does - the hacking is real. Once again, is there any way to make the sessions more secure?

              Comment


              • #8
                What does one of these links look like exactly?

                Right now, there is no way to restrict a session to a single IP address and with the non-state nature of the World Wide Web, it would make things very difficult for a lot of people if such technology was implemented. How many of your users have AOL as their provider? They would no longer be able to access your board. Same for some other large ISPs.

                Stopping the behavior is the best method of securing your site.

                Wayne Luke
                The Rabid Badger - a vBulletin Cloud demonstration site.
                vBulletin 5 API

                Comment


                • #9
                  We delete all of the links but I will try to find an example for you.

                  The problem is that we can't stop the behavior - they are all 15 year olds that won't listen and return after repeated bannings.

                  Comment


                  • #10
                    I would suggest upgrading to 3.5.4. There is also a plugin at vBulletin.org where you can restrict users from posting links after a specified amount of posts. I looked for it but couldn't find it, though maybe someone there knows the exact link for it.

                    Wayne Luke
                    The Rabid Badger - a vBulletin Cloud demonstration site.
                    vBulletin 5 API

                    Comment


                    • #11
                      Here is an example post:

                      News, stories and the latest infos on

                      www.party-fever.info.com


                      A link:

                      http://rload.dajoob.com/rpp.php?c=bb...bblastactivity =0;%20bbuserid=228924;%20bbpassword=7c1b2a7333d6b8 b67c7a4a7cdbbc99da;%20bbsessionhash=a6cee001fde98e 39be7ed2ab4ca0d999;%20style=light;%20__utmz=147996 917.1148851107.5.2.utmccn=(referral)|utmcsr=ca.f88 2.mail.yahoo.com|utmcct=/ym/ShowLetter|utmcmd=referral;%20__utma=147996917.691 403878.1147054200.1150745180.1150756953.13;%20__ut mb=147996917;%20__utmc=147996917
                      Last edited by mxtabs; Tue 20 Jun '06, 11:16am.

                      Comment


                      • #12
                        Can you edit that post and see what the code behind it is?
                        There's not really any way that this could include the actual variables.
                        Best Regards
                        Colin Frei

                        Please don't contact me per PM.

                        Comment
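The thread circles around three points: the suggestion in #3 that a new login should reset the existing cookies (with the trade-off noted in #2 that the person already logged in gets kicked out), the note in #8 that binding a session to one IP address breaks users behind rotating proxies such as AOL's, and the example cookie in #11, which carries the user id, a password hash and a session hash in plain view. The following is an added illustration of the defender-side design those posts point at, written for this reply and not taken from vBulletin or from any poster: a server-side session table keyed by an opaque random token, a login that evicts every other live session for the account, and a cookie header with HttpOnly set so script running in the page cannot read the token. The store, the function names and the `max_idle` limit are assumptions for the example; the only value borrowed from the thread is the user id 228924 from the pasted link, used as constructed sample input. The session is deliberately not tied to the client IP, for the reason given in #8.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user_id: int
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table keyed by an opaque random token.

    Hypothetical in-memory store for illustration only; a forum would keep
    the same columns in a database table.
    """

    def __init__(self, max_idle: float = 3600.0) -> None:
        self._sessions: Dict[str, Session] = {}
        self.max_idle = max_idle  # seconds of inactivity before a token dies

    def login(self, user_id: int, single_session: bool = True) -> str:
        # Destroy every other live session for this account first (the
        # "reset both cookies" idea from #3). Anyone holding a copied token is
        # logged out, and so is the owner's other browser (the #2 trade-off).
        if single_session:
            self.logout_all(user_id)
        # 256 bits from the CSPRNG. Unlike the cookie in #11, the token is not
        # derived from the password hash, so a leaked token is worthless once
        # the row behind it is deleted.
        token = secrets.token_urlsafe(32)
        now = time.time()
        self._sessions[token] = Session(user_id, now, now)
        return token

    def logout_all(self, user_id: int) -> int:
        """Delete every session for user_id; returns how many were removed."""
        doomed = [t for t, s in self._sessions.items() if s.user_id == user_id]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)

    def resolve(self, token: Optional[str], now: Optional[float] = None) -> Optional[int]:
        """Map a presented cookie token to a user id, or None if it is not live."""
        if not token:
            return None
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = time.time() if now is None else now
        if now - sess.last_seen > self.max_idle:
            del self._sessions[token]  # idle too long: expire it server-side
            return None
        sess.last_seen = now
        return sess.user_id

    def active_sessions(self, user_id: int) -> int:
        return sum(1 for s in self._sessions.values() if s.user_id == user_id)


def set_cookie_header(token: str, name: str = "bbsessionhash") -> str:
    # HttpOnly keeps document.cookie (what the XSS in the thread reads) from
    # seeing the token; Secure limits it to HTTPS; SameSite=Lax keeps it off
    # most cross-site requests. The cookie name is only borrowed from the thread.
    return f"{name}={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def demo_stolen_token_eviction() -> Tuple[Optional[int], Optional[int], Optional[int]]:
    """Walk through the scenario from the thread with constructed data.

    Returns (attacker_before, attacker_after, owner_after): who a copied token
    resolves to before and after the owner logs in again, and who the owner's
    fresh token resolves to.
    """
    store = SessionStore()
    owner = 228924  # user id taken from the example cookie in #11 (sample only)
    stolen = store.login(owner)       # this is the token the attacker copied
    attacker_before = store.resolve(stolen)
    fresh = store.login(owner)        # owner logs in again from a clean browser
    attacker_after = store.resolve(stolen)
    owner_after = store.resolve(fresh)
    return attacker_before, attacker_after, owner_after


if __name__ == "__main__":
    print(demo_stolen_token_eviction())  # (228924, None, 228924)
    print(set_cookie_header("example-token"))
```

Two design notes. First, eviction on login only helps once the owner notices and logs in again; pairing it with the idle timeout in `resolve` shortens the window when they do not. Second, the cookie attributes do nothing against the scenario in #11 if the token is also reachable some other way (for instance echoed into a page), so HttpOnly is a second layer on top of fixing the injection, not a substitute for it.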
