1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

XF 1.5 After bad password attempts & account lock. User can change ip and continue trying to login.

Discussion in 'Troubleshooting and Problems' started by Tim Jay, Oct 30, 2015.

  1. Tim Jay

    Tim Jay Active Member

    I just found out some people are cracking some of my forum member accounts.

    I just bought Password Requirements from @Liam W

    But when a user resets a password it's super easy and doesn't require email confirmation or anything.

    Anyone have ideas?
    Last edited: Oct 30, 2015
  2. Tim Jay

    Tim Jay Active Member

    Why is it so easy for me to change password and email address without ANY sort of email confirmation?

    Assuming I just have the password.

    That's not secure at all.


    "CAPTCHAs help prevent spammers from registering or posting."

    Why not from logging in?
    Last edited: Oct 30, 2015
  3. Chris D

    Chris D XenForo Developer Staff Member

    What version of XF are you running? Actually that doesn't particularly matter...

    Before XF 1.5 a new password was emailed to the account holder. From XF 1.5 a confirmation email is emailed to the user which must be clicked before being allowed to change your password.

    If the process is different to what I have described then it's likely an add on or similar which is changing the behaviour.
  4. Tim Jay

    Tim Jay Active Member

    I did test change an email address the normal way and there is no email confirmation. All you need to know is the current password and the account can be yours.


    as far as the brute forcing, it would be awesome to get a captcha on the login and at least make it a little tougher.
    Last edited: Oct 30, 2015
  5. Chris D

    Chris D XenForo Developer Staff Member

    We do show a CAPTCHA after a number of failed log in attempts.
  6. Tim Jay

    Tim Jay Active Member

    Fair enough, even if they change their ip? Someone cracked a large number of previously inactive accounts on my forum about an hour ago. They must have access to a lot of proxies and they're using a software that people are starting to figure out.

    I just tested out changing my password using the form that XenForo provides themselves. There's was ZERO email confirmation and the password is successfully changed.
    So the addon isn't at fault and in fact uses the default xenforo reset.

    I doubt my site is the only xenforo forum at risk.
  7. Tim Jay

    Tim Jay Active Member

    Ok, looks like there is at least an email confirmation when you attempt to change the email.

    Thank God, I was starting to freak out.


    scratch that... it sends an email confirmation to the NEW EMAIL ADDRESS.

    it simply says to the old email: "hey your email was changed"

    This is a huge security risk.
  8. Tim Jay

    Tim Jay Active Member

    There are no emails sent out other than the:

    "Your password at Forum was recently changed. If you made this change, you may ignore this message.
    If you did not request this change, please use the lost password process to generate a new password. If you are unable to do this, please contact an administrator."


    If I change the email it literally sends a confirmation to the NEW email that I am changing to. In any scenario the hacker would be able to confirm whatever email he likes.

    The previous email address gets a lovely acknowledgement about it though.

    "Your email at Forum was recently changed to HACKER123@gmail.com. If you made this change, you may ignore this message.
    If you did not request this change, please log in and change your password and email address. If you are unable to do this, please contact an administrator."
  9. Chris D

    Chris D XenForo Developer Staff Member

    If you have people brute forcing your user's accounts then your problems begin there.

    Your users need to be using secure passwords and 2factor authentication.

    Also review settings such as account lock out settings etc.
  10. Tim Jay

    Tim Jay Active Member

    I agree, most of the accounts were inactive and probably have very weak passwords.

    Setting that aside, how is it not a security risk? Rarely can you completely take over an account this easily with JUST a username / password.

    I would like to imagine that at least there's a second line of defense with the email account under the account.


    I tested this all out in the last hour or two and have to say I'm very disappointed..
    • Resetting an account password requires no email confirmation.
    • Changing an account email address requires no confirmation from the already ESTABLISHED / CONFIRMED email under the forum account.
    A malicious person can take over your account with just a password.


    I can force a password reset but that's just gonna save the cracker some time because he doesn't need access to your email.
  11. Martok

    Martok Well-Known Member

    This really is no different to other services. Twitter requires no email confirmation for a password change, it only sends an email to say that the password has already been changed. As for a change of email address, Twitter sends the confirmation to the NEW email address, not the old one.
  12. Tim Jay

    Tim Jay Active Member

    What lock out settings? I see a couple of options that wouldn't really help at all.

    Then Twitter is at risk as well.

    I'm trying to warn the devs about this because all forums are at risk.
    OBVIOUSLY not if they have great passwords, but sometimes it's a little too late for that.
    And obviously not gonna be a big deal with sites that don't have thousands of members.


    I'm asking for what could be done to mitigate damage or to not let it be so easy for the accounts to be taken over.
    Here are some ideas:

    Captcha on the LOGIN page

    Confirm with the ESTABLISHED email address whether password or email can be changed.

    Lock out account COMPLETELY, not just after 5 attempts. Changing ip address gets around the lock out immediately. Some malicious users have an unlimited supply of ip addresses.

    Forcing a password reset doesn't help anything since password change requires no sort of email confirmation.
  13. Martok

    Martok Well-Known Member

    If you're really that concerned then there is a solution already. 2 factor authentication. Enable the "Require two-step verification" for all users. It's the only real secure solution.
    Tim Jay likes this.
  14. Tim Jay

    Tim Jay Active Member

    Thanks, that's probably the best advice I've had all day.

    I overlooked that when 1.5 came out and didn't realize it could be forced like that.


    Just letting devs know that it's super easy to get around this 2step verification.

    Let's say I enable Email two-step. Ok "SENDING EMAIL TO TIMJAY at gmail.com".
    Right after that I went under my settings and changed the account email address.
  15. Mouth

    Mouth Well-Known Member

    You're saying that Chris is wrong, and on a default XF current version install without any add-ons a confirmation email with click requirement is not the process?

    In the majority of cases, a user wants to change an email address because they no longer have access to the old/current email address. Sending an email confirmation to an old/current address would only stop the user from being able to do so.
  16. Chris D

    Chris D XenForo Developer Staff Member

    I believe we might have been talking about different things.

    I was talking about triggering a password reset from the lost password form. I believe Tim Jay was talking about changing the password from the password page in the "Account" page.
  17. HWS

    HWS Well-Known Member

    Uninstall this and your XF will be secure again and work as it should.

Share This Page