
Topic: Major Flaw in Security - page 3. (Read 5424 times)

hero member
Activity: 826
Merit: 504
October 24, 2014, 03:20:12 AM
#11
Bitcointalk's account security is a joke. I received '0' emails about my account creation details
legendary
Activity: 2072
Merit: 1049
┴puoʎǝq ʞool┴
October 23, 2014, 02:51:20 PM
#10

Will take a look now. Theymos, this issue and Phinneaus Gage's (Gleb Gamow's) needs to be fixed (even if it is temporary) asap, please!
vip
Activity: 1428
Merit: 1145
legendary
Activity: 2072
Merit: 1049
┴puoʎǝq ʞool┴
October 23, 2014, 10:41:09 AM
#8
This just recently came to my attention.

How is it that an account's email can be changed without verification from said email? Likewise with password changing.

This should be implemented asap, before the new forum (another year will be too long of a wait for such an issue)
This should be implemented to prevent hackers from gaining full access to the account. However, some people don't use a real address to register or use a temporary email to register an account. The forum doesn't send email verification to activate your account, so most people don't bother to use an actual email. If they need to change email or password, they would have a hard time.

Then force users to use actual email addresses, problem solved.
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
October 23, 2014, 08:17:36 AM
#7
This just recently came to my attention.

How is it that an account's email can be changed without verification from said email? Likewise with password changing.

This should be implemented asap, before the new forum (another year will be too long of a wait for such an issue)
This should be implemented to prevent hackers from gaining full access to the account. However, some people don't use a real address to register or use a temporary email to register an account. The forum doesn't send email verification to activate your account, so most people don't bother to use an actual email. If they need to change email or password, they would have a hard time.
hero member
Activity: 508
Merit: 500
Techwolf on #bitcoin and Reddit
October 23, 2014, 12:03:36 AM
#6
It was noted many times before in several threads and people have mentioned that it should be included in the new forum software. It didn't have its dedicated thread then (well, now it does). I do agree; a lot of hacks happen due to said flaw, as hackers who once gained access to the account can simply change the email and password.

Security aspects should be implemented immediately in this forum version. I feel waiting another year just for these much needed security upgrades would be too long.

Layout, avatars and performance can come at a later date. Security needs to come tomorrow.

Agreed; security is important, particularly so on a forum dedicated to cryptography. Though it's possible to recover accounts after their email has been changed, the process is cumbersome and time-consuming. I'm certain a plugin for email verification already exists for SMF, but it wouldn't be particularly hard to create one independently if necessary (generate a password reset key and store it in a database, send an email, invalidate unused keys after ~24 hours).
This would rely very heavily on automation, which has its own vulnerabilities.

At the moment, there's no email verification required to change an account's email; anyone with the password can change the email to anything they choose, with no confirmation required. Regaining control of an account would require the same manual process, but email verification would make it more difficult for accounts to be stolen in the first place by requiring confirmation from the second factor before allowing it (and consequently, the way for the original owner to reset the account's password) to be changed.

So long as there are no vulnerabilities in the email confirmation system (which should be easy enough to secure; it's a common practice for many sites, and relatively simple to implement) then the only disadvantage will be to the people buying and selling accounts, who will have to add another step to their process.
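The post above sketches the mechanism in one parenthesis: generate a random reset key, store it, mail it, and invalidate unused keys after about 24 hours, with the confirmation going to the address the account already has so that the old mailbox acts as the second factor. The following Python is an added example of that email-change confirmation flow, not code from the thread, from SMF, or from any bitcointalk plugin. The in-memory `Store`, the `outbox` list standing in for an outgoing mail queue, and the user name and addresses are all constructed for the demonstration.

```python
"""Email-change confirmation with single-use, expiring tokens (added example).

Flow: the account's CURRENT address is mailed a link carrying a random token;
the new address replaces the old one only when that token comes back, and
only once, and only within 24 hours of issue.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

TOKEN_TTL = timedelta(hours=24)  # the "~24 hours" from the post


@dataclass
class User:
    name: str
    email: str


@dataclass
class PendingChange:
    username: str
    new_email: str
    expires_at: datetime
    used: bool = False


@dataclass
class Store:
    """Constructed in-memory stand-in for the forum database (assumption)."""
    users: Dict[str, User] = field(default_factory=dict)
    # Keyed by SHA-256 of the token: a database dump alone does not yield
    # usable links, because the raw token is never written to storage.
    pending: Dict[str, PendingChange] = field(default_factory=dict)
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # (to, token)


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_email_change(store: Store, username: str, new_email: str,
                         now: datetime) -> str:
    """Record the requested change and 'mail' a token to the CURRENT address."""
    user = store.users[username]
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    store.pending[_digest(token)] = PendingChange(
        username=username, new_email=new_email, expires_at=now + TOKEN_TTL)
    # The old mailbox is the second factor: the new address must never be
    # able to approve its own installation.
    store.outbox.append((user.email, token))
    return token


def confirm_email_change(store: Store, token: str, now: datetime) -> bool:
    """Apply the change only if the token is known, unexpired and unused."""
    entry = store.pending.get(_digest(token))
    if entry is None or entry.used or now >= entry.expires_at:
        return False
    entry.used = True  # single use: a replayed link does nothing
    store.users[entry.username].email = entry.new_email
    return True


def purge_expired(store: Store, now: datetime) -> int:
    """Housekeeping: drop used and expired entries; returns how many."""
    stale = [k for k, v in store.pending.items()
             if v.used or now >= v.expires_at]
    for k in stale:
        del store.pending[k]
    return len(stale)


def demo() -> dict:
    """Walk the flow with constructed data and return the observable results."""
    now = datetime(2014, 10, 22, 12, 0, tzinfo=timezone.utc)
    store = Store(users={"alice": User("alice", "alice@example.com")})
    results = {}

    tok = request_email_change(store, "alice", "new@example.org", now)
    results["mailed_to"] = store.outbox[-1][0]          # the OLD address
    results["email_before_confirm"] = store.users["alice"].email
    results["bogus_rejected"] = not confirm_email_change(store, "bogus", now)
    results["confirmed"] = confirm_email_change(store, tok,
                                                now + timedelta(hours=1))
    results["email_after_confirm"] = store.users["alice"].email
    results["replay_rejected"] = not confirm_email_change(
        store, tok, now + timedelta(hours=2))

    tok2 = request_email_change(store, "alice", "later@example.org", now)
    results["expired_rejected"] = not confirm_email_change(
        store, tok2, now + timedelta(hours=25))
    results["email_after_expiry"] = store.users["alice"].email
    results["purged"] = purge_expired(store, now + timedelta(hours=25))
    results["pending_left"] = len(store.pending)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Password resets follow the same shape with the same three checks (known, unexpired, unused); the only difference is what the confirmed token is allowed to do.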
newbie
Activity: 48
Merit: 0
October 22, 2014, 10:40:35 PM
#5
It was noted many times before in several threads and people have mentioned that it should be included in the new forum software. It didn't have its dedicated thread then (well, now it does). I do agree; a lot of hacks happen due to said flaw, as hackers who once gained access to the account can simply change the email and password.

Security aspects should be implemented immediately in this forum version. I feel waiting another year just for these much needed security upgrades would be too long.

Layout, avatars and performance can come at a later date. Security needs to come tomorrow.

Agreed; security is important, particularly so on a forum dedicated to cryptography. Though it's possible to recover accounts after their email has been changed, the process is cumbersome and time-consuming. I'm certain a plugin for email verification already exists for SMF, but it wouldn't be particularly hard to create one independently if necessary (generate a password reset key and store it in a database, send an email, invalidate unused keys after ~24 hours).
This would rely very heavily on automation, which has its own vulnerabilities.
hero member
Activity: 508
Merit: 500
Techwolf on #bitcoin and Reddit
October 22, 2014, 10:32:18 PM
#4
It was noted many times before in several threads and people have mentioned that it should be included in the new forum software. It didn't have its dedicated thread then (well, now it does). I do agree; a lot of hacks happen due to said flaw, as hackers who once gained access to the account can simply change the email and password.

Security aspects should be implemented immediately in this forum version. I feel waiting another year just for these much needed security upgrades would be too long.

Layout, avatars and performance can come at a later date. Security needs to come tomorrow.

Agreed; security is important, particularly so on a forum dedicated to cryptography. Though it's possible to recover accounts after their email has been changed, the process is cumbersome and time-consuming. I'm certain a plugin for email verification already exists for SMF, but it wouldn't be particularly hard to create one independently if necessary (generate a password reset key and store it in a database, send an email, invalidate unused keys after ~24 hours).
legendary
Activity: 2072
Merit: 1049
┴puoʎǝq ʞool┴
October 22, 2014, 04:15:04 PM
#3
It was noted many times before in several threads and people have mentioned that it should be included in the new forum software. It didn't have its dedicated thread then (well, now it does). I do agree; a lot of hacks happen due to said flaw, as hackers who once gained access to the account can simply change the email and password.

Security aspects should be implemented immediately in this forum version. I feel waiting another year just for these much needed security upgrades would be too long.

Layout, avatars and performance can come at a later date. Security needs to come tomorrow.
global moderator
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
October 22, 2014, 03:58:10 PM
#2
It was noted many times before in several threads and people have mentioned that it should be included in the new forum software. It didn't have its dedicated thread then (well, now it does). I do agree; a lot of hacks happen due to said flaw, as hackers who once gained access to the account can simply change the email and password.
legendary
Activity: 2072
Merit: 1049
┴puoʎǝq ʞool┴
October 22, 2014, 03:53:19 PM
#1
This just recently came to my attention.

How is it that an account's email can be changed without verification from said email? Likewise with password changing.

This should be implemented asap, before the new forum (another year will be too long of a wait for such an issue)