Hacking Multiple Accounts


  • Hacking Multiple Accounts

    Somewhat troubling issue. Multiple user accounts have been hacked on my forum, the individual used them to gain access to a hidden forum and began posting messages as multiple people with access to that forum-- the actual users are still able to access their accounts, so he didn't change the passwords but at least managed to get them somehow.

    By way of general taunting, he posted:

    I know that you're going on the assumption that no one would ever care enough to hack you, but that's not a good way to think. I'd never do more than... this, but someone might. People love to vandalize sites, and it's such a simple thing that you're leaving vulnerable. I know that it's user-friendliness vs. security, but I don't think it would be too inconveniencing to add a [flash] tag or something, and tell users how to use that, since the current way is just way too easily exploited. That it's been like this for years and you haven't been hacked is amazingly good luck.
    I don't quite understand the "[flash]" reference, so I wanted to run it by the experts as I tried to deal with things. It's possible these users simply used the same passwords on a Wiki and that got hacked (so far my own account and those of my mods have been untouched), but if it is a potential vB hole, I wanted to bring it up here.

    (Keeps posting links to gabbly.com, too, though I don't have any plug-ins or anything like that installed on my vB.)

    I upgraded to vB 3.6.2 this past Saturday. These instances occurred last night.

    http://forums.longpatrolclub.com

  • #2
    If someone's password is known or guessed, there isn't much you can do to stop this.

    Please see this thread on how to make your vBulletin more secure:

    http://www.vbulletin.com/forum/showthread.php?t=172234
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography


    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.




    • #3
      Well, the thing that's troubling me is this person has gained access to three different accounts that don't seem to be connected aside from my forum (only two work on a Wiki together, so that's out). Their e-mails are from different servers, their hosts are different. They live in different areas of the country.

      One of his other taunts:

      (If I had your password, and it weren't a forum exploit, would I have access to several other accounts as well?)
      Now, normally I write people off as trying to pump up their accomplishments as more than they actually are, but the fact that he got into three accounts in the span of a few minutes is troubling and makes me wonder if there is a hole in vB somewhere.

      I don't really do anything fancy with my forum, just a simple non-hacked board for discussions. Quite frankly, I'm surprised they wanted in. Just looking for any suggestions... I've already done most of what was in the thread you linked.

      The only curious issue is that they went after "grunt" accounts rather than mine or one of my mods.



      • #4
        To close the loop on this, I got the guy to talk some more (grabbed a fourth account) and he gave the following explanation:

        I placed a piece of javascript code that took the user's cookie info from document.cookie, encoded it, and sent it to a script on my server which decoded it and sent it to me. I then set my cookies to those values, which made the site recognize me as them.
        I did (foolishly) allow HTML in sigs until today. Hadn't had a problem with it in six years. So, I guess now I want to know-- does the explanation track? Does disabling HTML secure the rest of my site?

        Thanks.



        • #5
          Yes, having HTML enabled in sigs could open you up to that kind of exploit.
          Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
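          Added example (my own code, not vBulletin's) of the control behind the answer above: an allowlist sanitizer for signature HTML that keeps a few formatting tags, discards every event-handler and other unlisted attribute, and rejects link targets that are not http(s). The tag list, the function names and the sample signatures are constructed for this illustration.

```javascript
// Allowlist sanitizer for user-supplied signature HTML (example code, not vBulletin's).
// Strategy: escape everything, then re-emit only known tags with known attributes,
// so an unknown tag such as <script> or <img onerror=...> shows up as plain text.
const ALLOWED_TAGS = new Set(["b", "i", "u", "br", "a"]); // assumed allowlist
const ALLOWED_ATTRS = { a: new Set(["href"]) };          // no on* handlers, no style

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Only http(s) URLs survive; "javascript:" and friends are dropped, even when
// padded with whitespace or control characters that browsers would ignore.
function safeUrl(raw) {
  const normalized = raw.replace(/[\s\u0000-\u001f]/g, "").toLowerCase();
  return /^https?:\/\//.test(normalized) ? raw.trim() : null;
}

function sanitizeSignature(html) {
  const tagRe = /<\s*(\/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>/g;
  const attrRe = /([a-zA-Z][\w:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index)); // text between tags
    last = tagRe.lastIndex;
    const [raw, closing, rawName, attrText] = m;
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) { out += escapeHtml(raw); continue; } // render as text
    if (closing) { out += `</${name}>`; continue; }
    const allowed = ALLOWED_ATTRS[name];
    let attrs = "", a;
    while (allowed && (a = attrRe.exec(attrText)) !== null) {
      const key = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      if (!allowed.has(key)) continue;             // onclick, onerror, style, ... dropped
      const v = key === "href" ? safeUrl(value) : value;
      if (v !== null) attrs += ` ${key}="${escapeHtml(v)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out + escapeHtml(html.slice(last));
}

// Constructed sample signatures: one benign with a stray handler, the rest hostile.
const SAMPLES = [
  '<b>Hi</b> <a href="http://example.com" onclick="x()">me</a>',
  "<script>document.cookie</script>",
  '<img src=x onerror="x()">',
  '<a href=" JAVA\tSCRIPT:x()">link</a>',
];
SAMPLES.forEach((s) => console.log(sanitizeSignature(s)));
```

          Independently of sanitizing, setting the session cookie with the HttpOnly flag keeps it out of document.cookie, which is exactly the value the explanation in #4 says was read.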

