mass password reminder requests occuring right now

digit

legendary

Activity: 1672

Merit: 1010

Quote from: theymos on March 22, 2016, 11:39:28 PM

It looks like he was trying to spam a bunch of people. Annoying. There was already a rate limit per IP, but he was using multiple IPs. I added a CAPTCHA to that page. I also invalidated all of the reset codes that were generated just to be safe.

There wasn't any burst of actually-reset accounts. I don't see any possible security problems here. In particular, I long ago strengthened the way that reset codes are generated. It's not possible for attackers to guess or brute-force reset codes.

thanks, good to know forum is secure, it was random i happened to look at that page earlier and saw all that and had me wondering what the hell was happening Cheesy

theymos

administrator

Activity: 5166

Merit: 12850

It looks like he was trying to spam a bunch of people. Annoying. There was already a rate limit per IP, but he was using multiple IPs. I added a CAPTCHA to that page. I also invalidated all of the reset codes that were generated just to be safe.

There wasn't any burst of actually-reset accounts. I don't see any possible security problems here. In particular, I long ago strengthened the way that reset codes are generated. It's not possible for attackers to guess or brute-force reset codes.

SebastianJu

legendary

Activity: 2674

Merit: 1082

Legendary Escrow Service - Tip Jar in Profile

Thanks Cyrus...

I think it will be hard to block this. This is obviously done by a script or bot so anything that could be done to prevent that can be circumvented. Captcha, IP, Timeouts... a bot does not need to care.

The only thing that is stupid by the hacker is that he is noticeable. Though even then, what could theymos do? Block account access? The hacker already got access by owning or accessing the account email. Don't know how this could be dealt with.

Besides that... I fear it is effective. I always wondered why it happens so often that accounts get hacked. Phising sites are rather seldom though maybe this attempt here works better.

Zeke2345

member

Activity: 98

Merit: 10

★YoBit.Net★ 350+ Coins Exchange & Dice

This kind of stuff would make me really nervous if I was doing a lot of business here.
Almost thinking about changing my password more often but I see there are drawbacks to that as well.
Good thing they do not know my grandmas dogs name of his favorite sex toy or I would have been hacked by now. Lips sealed

Freddynic159

sr. member

Activity: 249

Merit: 250

Quote from: FruitsBasket on March 22, 2016, 06:51:14 PM

Quote from: Freddynic159 on March 22, 2016, 06:49:01 PM

One solution would be to place a captcha on the form of password reminder to stop the massive requests.

That is a partly solution, because the could pay a captcha service to solve these captcha's automatically.

Yes, but they could already be doing business even without need to offer a service to complete captchas.

FruitsBasket

legendary

Activity: 1232

Merit: 1017

Quote from: Freddynic159 on March 22, 2016, 06:49:01 PM

One solution would be to place a captcha on the form of password reminder to stop the massive requests.

That is a partly solution, because the could pay a captcha service to solve these captcha's automatically.

Freddynic159

sr. member

Activity: 249

Merit: 250

One solution would be to place a captcha on the form of password reminder to stop the massive requests.

Cyrus

administrator

Activity: 3738

Merit: 2948

I've informed theymos about it.

n691309

legendary

Activity: 1526

Merit: 1001

It's not the first time, i have seen this many time in the past (past months) maybe it's a brute force, I doubt users requests so often to reset their password.

SebastianJu

legendary

Activity: 2674

Merit: 1082

Legendary Escrow Service - Tip Jar in Profile

I was told reporting such post like the OP wrote is the fastest way to inform moderators and staff. I mentioned what it is about.

It might be that ip-bans doesn't work here. I know that hackers mostly would use a big list of free proxies or such to achieve such tasks.

shorena

copper member

Activity: 1498

Merit: 1499

No I dont escrow anymore.

Looks like a brute-force attack. Maybe theymos did not limit the number of requests.

--Encrypted--

copper member

Activity: 924

Merit: 1007

hee-ho.

probably just some guy hoping that the password reset emails will get to the email accounts that they created. some users use invalid email accounts that can be created easily (@gmail, @yahoo, etc)

digit

legendary

Activity: 1672

Merit: 1010

So whats going here? Shocked

https://bitcointalk.org/index.php?action=who

someone is mass requesting password reminders over the last hour? Is any steps being taken to block this person and compromised accounts?

Topic: mass password reminder requests occuring right now (Read 671 times)