XF 1.5 After bad password attempts & account lock. User can change ip and continue trying to login.

Tim Jay

Active member
I just found out some people are cracking some of my forum member accounts.

I just bought Password Requirements from @Liam W

But when a user resets a password it's super easy and doesn't require email confirmation or anything.

Anyone have ideas?
 
Last edited:
Why is it so easy for me to change password and email address without ANY sort of email confirmation?

Assuming I just have the password.

That's not secure at all.

_


"CAPTCHAs help prevent spammers from registering or posting."

Why not from logging in?
 
Last edited:
What version of XF are you running? Actually that doesn't particularly matter...

Before XF 1.5 a new password was emailed to the account holder. From XF 1.5 a confirmation email is emailed to the user which must be clicked before being allowed to change your password.

If the process is different to what I have described then it's likely an add on or similar which is changing the behaviour.
 
I did test change an email address the normal way and there is no email confirmation. All you need to know is the current password and the account can be yours.

_

as far as the brute forcing, it would be awesome to get a captcha on the login and at least make it a little tougher.
 
Last edited:
We do show a CAPTCHA after a number of failed log in attempts.

Fair enough, even if they change their ip? Someone cracked a large number of previously inactive accounts on my forum about an hour ago. They must have access to a lot of proxies and they're using a software that people are starting to figure out.

I just tested out changing my password using the form that XenForo provides themselves. There's was ZERO email confirmation and the password is successfully changed.
So the addon isn't at fault and in fact uses the default xenforo reset.

I doubt my site is the only xenforo forum at risk.
 
Ok, looks like there is at least an email confirmation when you attempt to change the email.

Thank God, I was starting to freak out.

--

scratch that... it sends an email confirmation to the NEW EMAIL ADDRESS.

it simply says to the old email: "hey your email was changed"

This is a huge security risk.
 
There are no emails sent out other than the:

"Your password at Forum was recently changed. If you made this change, you may ignore this message.
If you did not request this change, please use the lost password process to generate a new password. If you are unable to do this, please contact an administrator."

__

If I change the email it literally sends a confirmation to the NEW email that I am changing to. In any scenario the hacker would be able to confirm whatever email he likes.

The previous email address gets a lovely acknowledgement about it though.

"Your email at Forum was recently changed to HACKER123@gmail.com. If you made this change, you may ignore this message.
If you did not request this change, please log in and change your password and email address. If you are unable to do this, please contact an administrator."
 
If you have people brute forcing your user's accounts then your problems begin there.

Your users need to be using secure passwords and 2factor authentication.

Also review settings such as account lock out settings etc.
 
If you have people brute forcing your user's accounts then your problems begin there.

Your users need to be using secure passwords and 2factor authentication.

I agree, most of the accounts were inactive and probably have very weak passwords.

Setting that aside, how is it not a security risk? Rarely can you completely take over an account this easily with JUST a username / password.

I would like to imagine that at least there's a second line of defense with the email account under the account.

_

I tested this all out in the last hour or two and have to say I'm very disappointed..
  • Resetting an account password requires no email confirmation.
  • Changing an account email address requires no confirmation from the already ESTABLISHED / CONFIRMED email under the forum account.
A malicious person can take over your account with just a password.

_

I can force a password reset but that's just gonna save the cracker some time because he doesn't need access to your email.
 
I tested this all out in the last hour or two and have to say I'm very disappointed..
  • Resetting an account password requires no email confirmation.
  • Changing an account email address requires no confirmation from the already ESTABLISHED / CONFIRMED email under the forum account.
A malicious person can take over your account with just a password.


This really is no different to other services. Twitter requires no email confirmation for a password change, it only sends an email to say that the password has already been changed. As for a change of email address, Twitter sends the confirmation to the NEW email address, not the old one.
 
Also review settings such as account lock out settings etc.

What lock out settings? I see a couple of options that wouldn't really help at all.

This really is no different to other services. Twitter requires no email confirmation for a password change, it only sends an email to say that the password has already been changed. As for a change of email address, Twitter sends the confirmation to the NEW email address, not the old one.

Then Twitter is at risk as well.

I'm trying to warn the devs about this because all forums are at risk.
OBVIOUSLY not if they have great passwords, but sometimes it's a little too late for that.
And obviously not gonna be a big deal with sites that don't have thousands of members.

--

I'm asking for what could be done to mitigate damage or to not let it be so easy for the accounts to be taken over.
Here are some ideas:

Captcha on the LOGIN page
xfctocD.png


Confirm with the ESTABLISHED email address whether password or email can be changed.

Lock out account COMPLETELY, not just after 5 attempts. Changing ip address gets around the lock out immediately. Some malicious users have an unlimited supply of ip addresses.

Forcing a password reset doesn't help anything since password change requires no sort of email confirmation.
 
If you're really that concerned then there is a solution already. 2 factor authentication. Enable the "Require two-step verification" for all users. It's the only real secure solution.
 
If you're really that concerned then there is a solution already. 2 factor authentication. Enable the "Require two-step verification" for all users. It's the only real secure solution.

Thanks, that's probably the best advice I've had all day.

I overlooked that when 1.5 came out and didn't realize it could be forced like that.

-

Just letting devs know that it's super easy to get around this 2step verification.

Let's say I enable Email two-step. Ok "SENDING EMAIL TO TIMJAY at gmail.com".
Right after that I went under my settings and changed the account email address.
 
I tested this all out in the last hour or two and have to say I'm very disappointed..
  • Resetting an account password requires no email confirmation.
From XF 1.5 a confirmation email is emailed to the user which must be clicked before being allowed to change your password.

You're saying that Chris is wrong, and on a default XF current version install without any add-ons a confirmation email with click requirement is not the process?

  • Changing an account email address requires no confirmation from the already ESTABLISHED / CONFIRMED email under the forum account.
A malicious person can take over your account with just a password.
In the majority of cases, a user wants to change an email address because they no longer have access to the old/current email address. Sending an email confirmation to an old/current address would only stop the user from being able to do so.
 
You're saying that Chris is wrong, and on a default XF current version install without any add-ons a confirmation email with click requirement is not the process?
I believe we might have been talking about different things.

I was talking about triggering a password reset from the lost password form. I believe Tim Jay was talking about changing the password from the password page in the "Account" page.
 
Top Bottom