Topic: mass password reminder requests occurring right now (Read 692 times)

legendary
Activity: 1672
Merit: 1010
> It looks like he was trying to spam a bunch of people. Annoying. There was already a rate limit per IP, but he was using multiple IPs. I added a CAPTCHA to that page. I also invalidated all of the reset codes that were generated just to be safe.
>
> There wasn't any burst of actually-reset accounts. I don't see any possible security problems here. In particular, I long ago strengthened the way that reset codes are generated. It's not possible for attackers to guess or brute-force reset codes.

Thanks, good to know the forum is secure. It was random that I happened to look at that page earlier and saw all that, and it had me wondering what the hell was happening.

administrator
Activity: 5222
Merit: 13032
It looks like he was trying to spam a bunch of people. Annoying. There was already a rate limit per IP, but he was using multiple IPs. I added a CAPTCHA to that page. I also invalidated all of the reset codes that were generated just to be safe.

There wasn't any burst of actually-reset accounts. I don't see any possible security problems here. In particular, I long ago strengthened the way that reset codes are generated. It's not possible for attackers to guess or brute-force reset codes.
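The post above describes four controls: a per-IP rate limit that rotating IPs got around, a CAPTCHA added to the form, invalidation of every outstanding reset code, and reset codes generated so they cannot be guessed or brute-forced. The following is an added example, not the forum's own code, showing how such a reset-code flow can be built: codes come from a CSPRNG with 256 bits of entropy, only their SHA-256 digest is stored, they expire and are single-use, an administrator can revoke all of them at once, and requests are limited both per source IP and per target account, so that spreading requests over many IPs still cannot flood one account. The `PasswordResetService` class, its method names, the limits and the sample account are assumptions for illustration; the CAPTCHA step is not modelled.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque

TOKEN_BYTES = 32            # 256 bits of CSPRNG entropy: codes cannot be guessed or brute-forced
TOKEN_TTL = 3600            # seconds a reset code stays valid
IP_LIMIT = (5, 3600)        # assumed policy: at most 5 reset requests per source IP per hour
ACCOUNT_LIMIT = (3, 3600)   # assumed policy: at most 3 reset requests per target account per hour


class SlidingWindowLimiter:
    """Allow at most `limit` events per key inside a trailing `window` of seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)   # key -> timestamps of accepted events

    def allow(self, key, now):
        q = self.events[key]
        while q and q[0] <= now - self.window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def _digest(token):
    # Only the SHA-256 of a code is stored, so a leaked table of pending resets is useless
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class PasswordResetService:
    """Hypothetical reset-code issuer; `accounts` maps account name -> e-mail address."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.ip_limiter = SlidingWindowLimiter(*IP_LIMIT)
        self.account_limiter = SlidingWindowLimiter(*ACCOUNT_LIMIT)
        self.pending = {}   # digest -> (account, expiry timestamp)

    def request_reset(self, account, source_ip, now=None):
        """Return (token, status); token is None unless a code was issued."""
        now = time.time() if now is None else now
        if not self.ip_limiter.allow(source_ip, now):
            return None, "ip-rate-limited"
        if account not in self.accounts:
            # Same outward status as success so the form does not reveal which accounts exist
            return None, "ok"
        # A per-IP limit alone is defeated by rotating source addresses; the per-account
        # limit caps how many codes any one target can receive regardless of origin
        if not self.account_limiter.allow(account, now):
            return None, "account-rate-limited"
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self.pending[_digest(token)] = (account, now + TOKEN_TTL)
        return token, "ok"

    def redeem(self, token, now=None):
        """Return the account if `token` is a valid, unexpired code; the code is consumed either way."""
        now = time.time() if now is None else now
        entry = self.pending.pop(_digest(token), None)   # single use: removed on first attempt
        if entry is None:
            return None
        account, expires_at = entry
        return account if now < expires_at else None

    def invalidate_all(self):
        """Revoke every outstanding code at once; returns how many were dropped."""
        count = len(self.pending)
        self.pending.clear()
        return count


if __name__ == "__main__":
    svc = PasswordResetService({"alice": "alice@example.invalid"})   # constructed sample account
    token, status = svc.request_reset("alice", "203.0.113.7")
    print(status, token)
    print("first redeem ->", svc.redeem(token))
    print("second redeem ->", svc.redeem(token))
```

Because the stored value is a hash of the code, the lookup leaks nothing useful about the code itself, and because issuance is counted per account as well as per IP, a burst like the one in this thread hits the account ceiling after a handful of requests no matter how many addresses it comes from.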
legendary
Activity: 2674
Merit: 1083
Legendary Escrow Service - Tip Jar in Profile
Thanks Cyrus...

I think it will be hard to block this. This is obviously done by a script or bot so anything that could be done to prevent that can be circumvented. Captcha, IP, Timeouts... a bot does not need to care.

The only stupid thing about the hacker is that he is noticeable. Though even then, what could theymos do? Block account access? The hacker already got access by owning or accessing the account email. Don't know how this could be dealt with.

Besides that... I fear it is effective. I always wondered why it happens so often that accounts get hacked. Phishing sites are rather rare, though maybe this attempt here works better.
member
Activity: 98
Merit: 10
★YoBit.Net★ 350+ Coins Exchange & Dice
This kind of stuff would make me really nervous if I was doing a lot of business here.
Almost thinking about changing my password more often but I see there are drawbacks to that as well.
Good thing they do not know my grandma's dog's name or his favorite sex toy, or I would have been hacked by now.
sr. member
Activity: 249
Merit: 250
> > One solution would be to place a captcha on the password reminder form to stop the massive requests.
> That is only a partial solution, because they could pay a captcha service to solve these captchas automatically.

Yes, but they could already be doing business even without the need to offer a service to complete captchas.
legendary
Activity: 1232
Merit: 1017
> One solution would be to place a captcha on the password reminder form to stop the massive requests.

That is only a partial solution, because they could pay a captcha service to solve these captchas automatically.
sr. member
Activity: 249
Merit: 250
One solution would be to place a captcha on the password reminder form to stop the massive requests.
administrator
Activity: 3934
Merit: 3143
I've informed theymos about it.
legendary
Activity: 1526
Merit: 1001
It's not the first time; I have seen this many times in the past (past months). Maybe it's a brute force; I doubt users request to reset their password so often.
legendary
Activity: 2674
Merit: 1083
Legendary Escrow Service - Tip Jar in Profile
I was told reporting such a post, like the one the OP wrote, is the fastest way to inform moderators and staff. I mentioned what it is about.

It might be that IP bans don't work here. I know that hackers would mostly use a big list of free proxies or similar to achieve such tasks.
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
Looks like a brute-force attack. Maybe theymos did not limit the number of requests.
copper member
Activity: 924
Merit: 1007
hee-ho.
Probably just some guy hoping that the password reset emails will get to the email accounts that they created. Some users use invalid email accounts that can be created easily (@gmail, @yahoo, etc.).
legendary
Activity: 1672
Merit: 1010
So what's going on here?

https://bitcointalk.org/index.php?action=who

Someone is mass-requesting password reminders over the last hour? Are any steps being taken to block this person and compromised accounts?