Author Topic: Aurora Forum Security Issue & General Hello  (Read 2626 times)

Ash88 (OP)
« on: July 23, 2014, 09:22:27 AM »
Greetings!

I've just arrived on the forums. Hellos all around. My first game resulted in all of my survey ships running out of fuel and an error popup after every "turn"... so I figured I would come here and learn.

During the forum registration process I was sent an email with my email address, my username, and my password.  This is all that anyone needs to log in to these forums and spam, post false links, and cause all kinds of mischief using my credentials.  It would be trivial to set up a program that would automatically mine this data off of in-transit messages on any of the servers it traveled through to get to me.  There are huge databases of credentials that are mined off of emails like this every minute of every day.

I'm not suggesting that anyone would bother targeting the Aurora forums for such mischievousness, but the sad truth is that these types of annoyances are because of the opportunity; they "hack" the website because they see that they can - not because they are targeting it specifically.

Also - most people have the unfortunate habit of using the same email / username / and password on multiple sites.  Using the credential from this email I could automate the process of trying these credentials on thousands of sites - including sensitive sites like banking institutions.  Granted that it is the user's responsibility to ensure they use common sense and don't use the same password on multiple sites, but even still it would be so simple to help protect the stupid among us (or those who are merely having a stupid moment in using the same password on multiple sites).

May I humbly suggest to the forum administrators that they don't include the password in the Welcome message.   It isn't really needed - as it can be reset if forgotten - and it is a simple matter of deleting that one line from the message template sent out to new users.

On a related note: to any readers who are thinking, "oh smeg - I use the same password everywhere": I suggest you look into a product like LastPass which makes managing different passwords on every site more manageable. There are lots of other great solutions out there, and no solution is perfect. If you do end up using LastPass (versus one of the other great password management systems) it would be swell if you gave me a free month by using this referral link to set up your account: https://lastpass.com/f?3221446

Kind Regards,
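
The fix suggested in the post above (dropping the password line from the welcome-mail template), sketched as an added example that is not part of the original thread or the forum software's code. The `{NAME}` placeholder syntax, the placeholder names and the sample account are assumptions constructed for illustration.

```python
import re

# Constructed welcome-mail template. The {NAME} placeholder syntax is an
# assumption for illustration, not the forum software's real template format.
TEMPLATE = (
    "Welcome to the forums, {USERNAME}!\n"
    "Your account was registered with {EMAIL}.\n"
    "Your username is: {USERNAME}\n"
    "Your password is: {PASSWORD}\n"
    "If you forget your password, reset it from the login page.\n"
)

SECRET_PLACEHOLDERS = {"PASSWORD", "PASSWD", "NEW_PASSWORD"}  # hypothetical names
PLACEHOLDER_RE = re.compile(r"\{([A-Z_]+)\}")


def scrub_template(template):
    """Return (template without secret-bearing lines, list of removed lines)."""
    kept, removed = [], []
    for line in template.splitlines(keepends=True):
        names = set(PLACEHOLDER_RE.findall(line))
        (removed if names & SECRET_PLACEHOLDERS else kept).append(line)
    return "".join(kept), removed


def render(template, values):
    """Substitute known placeholders; unknown ones are left untouched."""
    return PLACEHOLDER_RE.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def leaks_secret(body, secret):
    """Pre-send guard: True if the rendered mail body contains the secret."""
    return bool(secret) and secret in body


if __name__ == "__main__":
    values = {"USERNAME": "newuser", "EMAIL": "newuser@example.org",
              "PASSWORD": "constructed-Pw-123"}  # constructed sample account
    scrubbed, removed = scrub_template(TEMPLATE)
    print("removed lines:", removed)
    for name, tpl in (("original", TEMPLATE), ("scrubbed", scrubbed)):
        print(name, "leaks password:", leaks_secret(render(tpl, values), values["PASSWORD"]))
```

The `leaks_secret` check works on the rendered body rather than the template, so it also catches a password that reaches the mail through some other placeholder.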
 

Erik L (Forum Admin)
« Reply #1 on: July 23, 2014, 10:06:13 AM »
There's no easy way to modify the email templates without digging into the files. There is an add-on that does that, but it is for the 2.x line and these boards are still on the 1.x line.
 

Ash88 (OP)
« Reply #2 on: July 23, 2014, 10:34:10 AM »
Hey Erik!

If you give me the name and exact version number of the forum software you use I will happily go download it, dive into the files and see what needs to be done, and then send you a copy of the edited files.

Cheers!
 

Erik L (Forum Admin)
« Reply #3 on: July 23, 2014, 10:36:55 AM »
I'd be able to do it, except my work network restricts some access I need (ftp). So it'll just have to wait until I get home tonight. :)