
Thread: forum exploit?

  1. #16
    MGSteve (Senior Member, joined Sep 2002, 155 posts)
    OMG, I can't believe this has been going on for so long and Jelsoft have done NOTHING to block this obvious security hole.

    http://forums.thoughtsmedia.com/f21/...ers-90129.html

    That's from January 2008.

    All it would take is a simple check when someone enters a password and reject it if its the same as their username.
    Regards

    Steve.
    www.mg-rover.org - Forum for MG and Rover owners everywhere!

  2. #17
    MGSteve (Senior Member, joined Sep 2002, 155 posts)
    Just logged a bug report about it - at least they'll be aware of it now.

    http://www.vbulletin.com/forum/proje...?issueid=26116
    Regards

    Steve.

  3. #18
    peterska2 (joined Oct 2003, England, 8,874 posts)
    As has already been said, suggestions need to be made in the suggestions forum. Suggestions made in the support forums are not seen by the developers.

  4. #19
    Joe Siegler (Senior Member, joined Feb 2006, Garland, TX, 174 posts)
    Quote Originally Posted by Kerry-Anne:
        As has already been said, suggestions need to be made in the suggestions forum. Suggestions made in the support forums are not seen by the developers.
    This should not be considered a "suggestion", but a problem that needs to be "patched", "fixed", whatever. The fact that Jelsoft cannot or will not see that is a problem.

    It's the same kind of nonsense that caused me to leave Infopop and ubb.threads for vBulletin in the first place. Don't do that.
    Joe Siegler - Webmaster
    3D Realms & Black Sabbath Online

    vB Installations: Black Sabbath Online & 3D Realms Forums.

  5. #20
    MGSteve (Senior Member, joined Sep 2002, 155 posts)
    Quote Originally Posted by Kerry-Anne:
        As has already been said, suggestions need to be made in the suggestions forum. Suggestions made in the support forums are not seen by the developers.
    Well, I trust you can either move this thread or let the developers know then!

    It's also NOT a suggestion, it's a fix required to plug a security hole.
    Regards

    Steve.

  6. #21
    Wayne Luke (vBulletin Team, joined Aug 2000, So. California, 34,657 posts)
    Using the same values for username and password is arguably not a security hole nor an exploit. It is a design flaw that could be corrected.

    Definitions aside, you have already posted this as a bug issue and any further developer comment will be made in that issue. As such there is no reason to move this.

    http://www.vbulletin.com/forum/proje...?issueid=26116
    Wayne Luke
    Get started with your own social network.
    Purchase and download vBulletin today.
    vBCodex (Running vB 4.0 Suite) - Take your vBulletin Community to the next level. Modification tips, tricks and support.

  7. #22
    Shaolyen (Member, joined Oct 2002, Dereham, UK, 47 posts)
    Quote Originally Posted by Wayne Luke:
        Using the same values for username and password is arguably not a security hole nor an exploit. It is a design flaw that could be corrected.
    With all due respect, a design flaw that can result in hundreds or even thousands of hijacked user accounts is certainly something I'd consider a security issue.

    In lieu of an official fix from the vB development team, I've released a stopgap solution here: http://www.vbulletin.org/forum/showthread.php?t=187980

    It does the following:
    • Prevents users from registering with weak passwords (where the password equals the username, a lowercase version of the username, or any match from a custom banned list).
    • Prevents users from changing to a weak password after registration.
    • Provides the administrator with a password scanning utility, allowing them to find users with weak passwords, replace those passwords, and notify the users via email.

    At some point in the near future I might code a more elegant solution, but until then this should solve the problem.

  8. #23
    MGSteve (Senior Member, joined Sep 2002, 155 posts)
    You're a star m8, thank you.

    At least we can rely on other VB users even if Jelsoft don't see such a problem as anything but a problem.

    Almost seems to be that they don't care if forums get their members' accounts hijacked and thousands of PMs get sent to the members with links to porn and viruses.

    I bet if it had happened on their own forum, the fix would have been in there overnight.
    Regards

    Steve.

  9. #24
    Joe Siegler (Senior Member, joined Feb 2006, Garland, TX, 174 posts)
    Quote Originally Posted by MGSteve:
        I bet if it had happened on their own forum, the fix would have been in there overnight.
    Exactly my thought. While I would never advocate anything like that, I wonder how many accounts on this board are "wide open" like that.

  10. #25
    Wayne Luke (vBulletin Team, joined Aug 2000, So. California, 34,657 posts)
    As stated in the Bug Issue, a fix has already been submitted so that it can be reviewed by senior developers.

  11. #26
    Shaolyen (Member, joined Oct 2002, Dereham, UK, 47 posts)
    Quote Originally Posted by Wayne Luke:
        As stated in the Bug Issue, a fix has already been submitted so that it can be reviewed by senior developers.
    Do you know if the fix is retroactive?

  12. #27
    Wayne Luke (vBulletin Team, joined Aug 2000, So. California, 34,657 posts)
    At this point, I know what you know. That is what is posted in the issue report. It does say:

    Some code have been submitted for the rest of the developers to review... A new option is to be introduced, for administrator to allow / disallow password being the same as the username. If this is enabled, users will be forced to change their password in order to continue -- think password expired.
    Bold is for emphasis.

    Whether it will be in the 3.7.3 maintenance release at the end of the month would be for Kier to decide.

  13. #28
    Jobe1986 (Senior Member, joined Jan 2007, England, 618 posts)
    To be honest, I see this as less of a vBulletin exploit, and more of a "user's stupidity" exploit. In the same way as shouting out "hey every, here's my password"


  14. #29
    Joe Siegler (Senior Member, joined Feb 2006, Garland, TX, 174 posts)
    Quote Originally Posted by Jobe1986:
        To be honest, I see this as less of a vBulletin exploit, and more of a "user's stupidity" exploit. In the same way as shouting out "hey every, here's my password"
    Agreed completely. However, the software shouldn't have allowed it in the first place, hence the exploit.

  15. #30
    Jobe1986 (Senior Member, joined Jan 2007, England, 618 posts)
    Just because the forum allows it does not mean it's an exploit in the forum. It only means the user was not educated enough to know how to pick a secure password.

    It's the same as using your real name as your password. If someone finds out your real name they find out your password. There's no way for the forum to prevent that. And then there's the case of your computer getting infected with a key logger, which effectively equates to the same as using your user name as your password, because the attacker then knows it anyway. Again the forum can't stop key logging, does that mean it's therefore the forum that's at fault?

    At the end of the day there is nothing vBulletin can do to prevent the end user's own stupidity. Sure, adding the check against user name is one step, but in all honesty, it should be part of a bigger feature allowing various password complexity options such as min length, mixed case, must include numbers, must include punctuation, cannot include a character repeated more than once sequentially, etc....

    It is hard for admins to get the right balance between complexity of passwords and security. Too complex and users resort to writing them down, not complex enough and users end up using painfully simple passwords that can be guessed. It's really a case of what suits your users best and still remains secure.
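    As an added, stand-alone illustration in Python (not Shaolyen's mod from post #22 and not vBulletin's own code) of the checks that post lists together with the complexity options Jobe1986 sketches in post #30: a policy validator for registration and password changes, plus a retroactive scan of existing accounts of the kind the admin utility performs. The hash function assumes the vBulletin 3 storage scheme md5(md5(password) + salt), which the thread itself does not state; the banned list, accounts and salts are constructed sample data.

```python
import hashlib
import re

# Constructed banned list; the mod in post #22 reads an admin-configured list instead.
BANNED_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

def vb3_hash(password: str, salt: str) -> str:
    # Assumed vBulletin 3 storage scheme md5(md5(password) + salt); the thread does not state it.
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()

def weak_reasons(username: str, password: str, policy: dict) -> list:
    # Rules a candidate password violates (empty list = acceptable). Username match and
    # banned list follow post #22; the remaining options are those sketched in post #30
    # and are off unless enabled in `policy`.
    reasons = []
    if policy.get("reject_username", True) and password.lower() == username.lower():
        reasons.append("equals username")  # also catches the lowercased username
    if password.lower() in BANNED_PASSWORDS:
        reasons.append("on banned list")
    if len(password) < policy.get("min_length", 0):
        reasons.append("too short")
    if policy.get("mixed_case") and not (any(c.islower() for c in password)
                                         and any(c.isupper() for c in password)):
        reasons.append("needs mixed case")
    if policy.get("digit") and not re.search(r"\d", password):
        reasons.append("needs a digit")
    if policy.get("punctuation") and not re.search(r"[^\w\s]", password):
        reasons.append("needs punctuation")
    if policy.get("no_repeats") and re.search(r"(.)\1", password):
        reasons.append("repeated character")
    return reasons

def scan_accounts(accounts: list, hash_fn=vb3_hash) -> list:
    # Retroactive check for existing users: the admin only holds hashes, so hash each
    # user's own name (as typed and lowercased) with that user's salt and compare.
    flagged = []
    for acct in accounts:
        name = acct["username"]
        if any(hash_fn(g, acct["salt"]) == acct["hash"] for g in {name, name.lower()}):
            flagged.append(name)
    return flagged

# Constructed sample accounts; salts and passwords are made up for the demo.
SAMPLE_ACCOUNTS = [
    {"username": "Steve", "salt": "k3x", "hash": vb3_hash("steve", "k3x")},
    {"username": "Shaolyen", "salt": "p9q", "hash": vb3_hash("Rover-MG-1987", "p9q")},
    {"username": "admin", "salt": "zz1", "hash": vb3_hash("admin", "zz1")},
]
```

    Accounts flagged by `scan_accounts` are the ones the forced-password-change option quoted in post #27 would target; `weak_reasons` is the check that stops new ones appearing.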

