Author Topic: SMF Login vulnerability: Change your passwords

According to Tony:

you can lock your own drama topic.

This is bad.

lord tony is spewing bullstuff - he first said you can't mute people's posts and that you can lock dramas, neither of which are true

noob-tier trolling



i hate that topic titles don't show above every post anymore cause I'll be looking at posts a lot and forget what topic it was


???

sometimes it's in the middle of like idk 30 tabs and it's hard to see/find clearly/easily

Also, it was more convenient to just have it on top of every post just as a quick reminder


(mouse pointer invisible)


Badspot

  • Administrator
I just discovered a few accounts with suspicious logins. There are likely more.

Here are the possibilities:

1. A data leak from another site provided the attacker with exact passwords for these accounts. Phishing is unlikely due to the age of the accounts, but data dumps like this happen all the time and people don't always use different passwords for each site like they should.

2. Accounts were compromised more than two months ago (the age of the user table backup that I restored after the forum upgrade), passwords were changed, and the attacker is very patient.

3. A vulnerability at some point allowed an attacker to dump the crappily hashed SMF password table for offline cracking. Easy passwords get cracked first, hence the target-of-opportunity style attacks.

4. An unknown login vulnerability on the forum still exists, but requires some special conditions so they can't just log into my account and wreck the place (else they would do it).
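Possibilities 1 and 3 above both predict the same footprint in the login audit trail: one source address walking through many different accounts with passwords that just work, and accounts suddenly authenticating from an address they have never used. The following is an added example (not code from this thread, not SMF's own logging) of how an admin could triage a login log for exactly those two patterns. The log format, field names, account names and IP addresses are all constructed for the example; SMF does not emit this record layout.

```python
"""Added example: triage of suspicious forum logins.

Two checks over a constructed login audit log (field layout invented here):
  * stuffing_sources: one IP succeeds against several distinct accounts in a
    short window, the signature of replaying a leaked or cracked list.
  * new_ip_logins: an account with prior history logs in from an IP it has
    never used, the signature of a single account takeover.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one record per line: "timestamp user ip result".
# These accounts and addresses are made up (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2011-01-10T20:01:05 alice 203.0.113.5 ok
2011-01-10T20:03:11 bob 198.51.100.7 ok
2011-01-11T09:15:00 alice 203.0.113.5 ok
2011-01-12T02:00:01 carol 192.0.2.44 ok
2011-01-12T02:00:09 dave 192.0.2.44 ok
2011-01-12T02:00:20 erin 192.0.2.44 fail
2011-01-12T02:00:31 frank 192.0.2.44 ok
2011-01-12T02:01:02 bob 192.0.2.44 ok
2011-01-13T18:30:00 alice 203.0.113.5 ok
"""


def parse_log(text):
    """Turn the constructed text log into (timestamp, user, ip, result) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        records.append((datetime.fromisoformat(ts), user, ip, result))
    return records


def stuffing_sources(records, window=timedelta(minutes=10), min_accounts=3):
    """Return {ip: [users]} for IPs that successfully logged into at least
    min_accounts distinct accounts within one sliding window."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in records:
        if result == "ok":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged


def new_ip_logins(records, baseline_end):
    """Return (user, ip, timestamp) for successful logins at or after
    baseline_end from an IP that user never used before baseline_end.
    Accounts with no baseline history are skipped here; the stuffing check
    is what catches those."""
    known = defaultdict(set)
    for ts, user, ip, result in records:
        if result == "ok" and ts < baseline_end:
            known[user].add(ip)
    alerts = []
    for ts, user, ip, result in records:
        history = known.get(user)
        if result == "ok" and ts >= baseline_end and history and ip not in history:
            alerts.append((user, ip, ts.isoformat()))
    return alerts


def triage(text, baseline_end_iso):
    """Run both checks; baseline_end_iso splits 'known good' history from
    the period under investigation (e.g. the date of the restored backup)."""
    records = parse_log(text)
    cutoff = datetime.fromisoformat(baseline_end_iso)
    return {
        "stuffing": stuffing_sources(records),
        "new_ip": new_ip_logins(records, cutoff),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, "2011-01-12T00:00:00")
    for ip, users in report["stuffing"].items():
        print(f"possible credential stuffing from {ip}: {', '.join(users)}")
    for user, ip, when in report["new_ip"]:
        print(f"new-IP login: {user} from {ip} at {when}")
```

The baseline cutoff is the important knob: set it to the date of the last state you trust (here, the restored user table), so that anything learned after a suspected compromise is not treated as normal behaviour for the account. The thresholds (10 minutes, 3 accounts) are starting points, not tuned values.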



I remember they posted a topic along the lines of "LOL this guy's password is mondayjew" or something so I'm gonna guess #3 since they were able to see somebody's password in plaintext. Also maybe 'mondayjew' is a common password so who knows.
This also goes along with them being unable to log into Rotondo's account since it kept saying "username does not exist" for them.

Were the passwords of the accounts hijacked simple? Easy to crack? If they were it might rule some stuff out.