Topic: SMF Login vulnerability: Change your passwords

I remember they posted a topic along the lines of "LOL this guy's password is mondayjew" or something
I've been told multiple times this actually meant "LOL i changed this guy's password to mondayjew" (but I wasn't around at the time so idk myself)

I've been told multiple times this actually meant "LOL i changed this guy's password to mondayjew" (but I wasn't around at the time so idk myself)
Problem is that we have no idea if that was actually the case, especially now. That inference was made off the basis that we knew how the attack was being carried out (it was assumed to be an issue with the password reset system being insecure), but Badspot has evidence showing that couldn't have been the entire case. So we're kinda back to the drawing board on that, it's actually possible the attacker figured out the original account password.

Badspot

  • Administrator
I remember they posted a topic along the lines of "LOL this guy's password is mondayjew" or something so I'm gonna guess #3 since they were able to see somebody's password in plaintext. Also maybe 'mondayjew' is a common password so who knows.
This also goes along with them being unable to log into Rotondo's account since it kept saying "username does not exist" for them.

It would be kind of a weird vulnerability to be able to dump the password and account id fields of the user table but not the username field.  I'm leaning towards #1 or #4.

It would be kind of a weird vulnerability to be able to dump the password and account id fields of the user table but not the username field.  I'm leaning towards #1 or #4.
Do the admins have a special login window, or do they log in normally just like the rest of us? That might explain why they haven't attacked the admin accounts yet.

Badspot

  • Administrator
Do the admins have a special login window, or do they log in normally just like the rest of us? That might explain why they haven't attacked the admin accounts yet.

To log in and post it's normal; to do some admin stuff you have to enter your password again.  But I also have a long password that I only use on this site, so I would be immune from most external data leaks and resistant to offline cracking of a dumped hash.

Hello does anyone know the way to San Blockland forums? I think I'm lost.
I'm so glad the forums are better.

Thank you Badspot for updating the forums, I like the new look.  Also, thanks for fixing stuff that we break.  <3

Is there any way I can get my forum account privileges back? I wanna change my pass/take advantage of the new forum settings but can't :(

Is there any way I can get my forum account privileges back? I wanna change my pass/take advantage of the new forum settings but can't :(
Haven't you been having this issue for like 6 years?

Badspot

  • Administrator
Everyone should change their password if they have not done so since the update.  You should use a unique password just for this website.  If you used the same password for other sites, you should change your password on those other sites as well. 

SMF does not have a way to force everyone to reset their password.  It also does not hash passwords correctly or understand the concept of a salt.  To mitigate the problem of old accounts being compromised, I have reset the email activation status of every account that has not made a post within the past 6 months. 
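An added illustration of the salting point in the post above: example code written for this page, not SMF's own code and not a claim about SMF's actual hashing scheme. The user table, the wordlist and the scheme names are constructed for the demonstration.

```python
"""Why an unsalted fast hash is a weak password store, and what a per-user
salt plus a slow KDF changes.  Illustration only; not SMF's code."""
import hashlib
import hmac
import os

ROUNDS = 100_000  # PBKDF2 work factor for the salted scheme


def store_unsalted(password: str) -> str:
    """Weak scheme: one fast digest of the bare password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted(password: str, salt: bytes = b"") -> tuple:
    """Stronger scheme: random 16-byte salt per user + PBKDF2-HMAC-SHA256.
    The salt is stored next to the digest; it is not a secret."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Constructed sample user table: two users picked the same weak password.
USERS = {"alice": "mondayjew", "bob": "mondayjew",
         "carol": "correct horse battery staple"}


def unsalted_duplicates() -> int:
    """Without salt, identical passwords give identical stored digests,
    so a dumped table leaks who shares a password before any cracking."""
    digests = [store_unsalted(p) for p in USERS.values()]
    return len(digests) - len(set(digests))


def salted_duplicates() -> int:
    """With a per-user salt the same password stores differently each time."""
    rows = [store_salted(p) for p in USERS.values()]
    return len(rows) - len({d for _, d in rows})


def precomputed_hits(wordlist) -> int:
    """Without salt one precomputed table is built once and checked against
    every user's digest by lookup; salting forces per-user recomputation."""
    table = {store_unsalted(w): w for w in wordlist}
    return sum(1 for p in USERS.values() if store_unsalted(p) in table)
```

A long, site-unique password (the approach Badspot describes) is what keeps even the salted digest out of reach of a wordlist, since no KDF work factor rescues a guessable password.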

Everyone should change their password if they have not done so since the update.  You should use a unique password just for this website.  If you used the same password for other sites, you should change your password on those other sites as well. 

SMF does not have a way to force everyone to reset their password.  It also does not hash passwords correctly or understand the concept of a salt.  To mitigate the problem of old accounts being compromised, I have reset the email activation status of every account that has not made a post within the past 6 months. 
Doesn't SMF have a MotD feature? Maybe put this warning up there for a little while so everyone is guaranteed to get the memo.

Everyone should change their password if they have not done so since the update.  You should use a unique password just for this website.  If you used the same password for other sites, you should change your password on those other sites as well. 

SMF does not have a way to force everyone to reset their password.  It also does not hash passwords correctly or understand the concept of a salt.  To mitigate the problem of old accounts being compromised, I have reset the email activation status of every account that has not made a post within the past 6 months.
Damn, does it really not salt hashed passwords? SMF is worse than I thought.

I can't change my password because I lost the privilege to edit my profile.

I can't change my password because I lost the privilege to edit my profile.
LOL that's a bit of an oversight