Security Concern - Email Received

Started by xrunner, November 07, 2013, 12:25:14 PM


xrunner

I just got this email - I have not even been on the forum until just now. Do I need to be concerned about this? Is someone trying to hack my account?


New password for Simple Machines Community Forum

Dear xrunner,
This mail was sent because the 'forgot password' function has been applied to your account. To set a new password, click the following link:
http://www.simplemachines.org/community/xxxxxxxxxx

IP: 205.211.96.100
Username: xrunner

Regards,
The Simple Machines Community Forum Team.

margarett

If you're going to drive, don't drink. If you're going to drink... CALL ME!!!! :D

Quote: Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair

Arantor

Bots do sometimes try that, but unless your email has been compromised, it's not a significant issue because the only way to change the password is if they can access the link in your email.

Thanks for the report, though, we'll investigate our end and see what we turn up with.

(And yes, we already determined it was a different IP address ;))

margarett

So someone requested a reset password to your account. It could have been an innocent error (someone with a username looked like yours) or an evil attempt :P
In any case, don't worry. That email is only sent to you so no one can access it (unless they can also access your email and, in that case, you'd have bigger problems to consider :P )

xrunner

Quote from: margarett on November 07, 2013, 12:33:16 PM
In any case, don't worry. That email is only sent to you so no one can access it (unless they can also access your email and, in that case, you'd have bigger problems to consider :P )

OK thanks. I just checked my email account and it shows no attempts by other IPs.

HDB

I run a pretty new forum and have been hit over the last two days with this problem by several IPs. The problem as I see it is anyone can type a Username into the forgot password function and generate an email to a member that alarms the member as they did not initiate the password reset.

As noted, the IP in the email that the member gets is not theirs, but members aren't generally aware of why the email has an IP address in the body of what they are reading.

I have detected several IPs on my forum that have been toying with this and have blocked their IPs. I have 5 IPs that are guilty of this now.

I would suggest a change to the forgot password function. Do not allow someone to read a username of someone and then based on a username alone request a password reset email to be sent to them. Instead do this based on the registered email that only the member knows. On another forum that reset page looks like this...

Quote: If you have forgotten your username or password, you can request to have your username emailed to you and to reset your password. When you fill in your registered email address, you will be sent instructions on how to reset your password.

Thanks for reading.

Arantor

This is a tough one, security vs usability is a delicate balance.

On the one hand, in an ideal world you'd be absolutely right. On the other hand, we know from experience that users don't always remember what email address they've used on a forum and using their username is more convenient for them.
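One way to keep the convenience Arantor describes while blunting the nuisance HDB reports, as an added example that is not SMF's code: the handler below accepts either login name or registered email, returns the same reply either way, throttles per target account and per requesting IP with a sliding window, and records the requester's IP alongside the mail so it can appear in the body as the thread describes. The user table, limits and IP addresses are constructed for the example.

```python
import hmac, secrets, time
from collections import defaultdict, deque

# Constructed accounts: login name -> registered email (display names are not keys here)
USERS = {"xrunner": "xrunner@example.invalid", "hdb": "hdb@example.invalid"}
PER_ACCOUNT_LIMIT = 2   # assumed policy: reset mails per account per window
PER_IP_LIMIT = 5        # assumed policy: reset requests per source IP per window
WINDOW = 3600           # seconds
GENERIC_REPLY = "If that account exists, a reset message has been sent."

class ResetService:
    def __init__(self, now=time.time):
        self.now = now
        self.sent = []                        # outbox: (email, requester_ip, token)
        self.by_account = defaultdict(deque)  # sliding-window request timestamps
        self.by_ip = defaultdict(deque)
        self.tokens = {}                      # login name -> (token, expiry)

    def _throttled(self, log, key, limit):
        q, t = log[key], self.now()
        while q and q[0] < t - WINDOW:        # forget events outside the window
            q.popleft()
        if len(q) >= limit:
            return True
        q.append(t)
        return False

    def _lookup(self, identifier):
        ident = identifier.strip().lower()    # login name or email, never display name
        for name, email in USERS.items():
            if ident in (name, email.lower()):
                return name, email
        return None, None

    def request_reset(self, identifier, requester_ip):
        # Identical reply whether or not anything matched, so accounts are not enumerated.
        if self._throttled(self.by_ip, requester_ip, PER_IP_LIMIT):
            return GENERIC_REPLY
        name, email = self._lookup(identifier)
        if email and not self._throttled(self.by_account, name, PER_ACCOUNT_LIMIT):
            token = secrets.token_urlsafe(32)  # reaches only the registered mailbox
            self.tokens[name] = (token, self.now() + WINDOW)
            self.sent.append((email, requester_ip, token))  # IP shown in the mail body
        return GENERIC_REPLY

    def redeem(self, name, token):
        stored = self.tokens.get(name)
        if not stored or stored[1] < self.now():
            return False
        if hmac.compare_digest(stored[0], token):
            del self.tokens[name]             # single use
            return True
        return False
```

The per-account cap is what stops a stranger from flooding one member's inbox by retyping a username, while the per-IP cap limits how many members a single source can poke at all.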

HDB

Wow! Thanks for coming back so quickly with a reply. BTW this SMF software is great!

I agree that members could very likely have several email addresses and forget which one they used for registration on the forum so it does present itself as yet another problem. But it is a member problem and members are what I like.  :) Not these kids that play games.  :(

I guess what I am saying is I would rather deal with a legitimate member's email that is stuck than deal with these 5 IPs that have decided to make things interesting for me this past day.

Arantor

Oh, I can fully understand your concern there too.

I don't really see that we can fix it in the core software though, not to the changes specified, and the code is not the easiest to follow to change it in the manner suggested either.

One thing I will note, though... this is why on most forums I don't have my display name set to the same as my username because then they can't spam me ;)


EDIT: I've just been reminded of the secret question/answer deal. With that, it's possible to get a reset without actually having to get an email.

HDB

Quote from: Arantor Beeblebrox the First on January 01, 2014, 12:45:22 PM
Oh, I can fully understand your concern there too.
.........

EDIT: I've just been reminded of the secret question/answer deal. With that, it's possible to get a reset without actually having to get an email.

I see the secret question in the user profile under Account Settings. I assume that is only a individual option that each member must invoke or is there a way to force that when they register?

Arantor

That's an individual option a member must invoke. There could be other issues if it were forced at registration, though - if everyone on a site had a secret question, it could become a higher value target to try taking over accounts, especially if say an administrator were to have a password reset...

I do think we need to review the functionality around this, though, it hasn't been touched in a while.

HDB

Quote from: Arantor Beeblebrox the First on January 01, 2014, 01:51:14 PM

.....

I do think we need to review the functionality around this, though, it hasn't been touched in a while.

Thanks. It is not by any means a big issue but if you can bring it to your higher level of discussions that is all that I can ask.

Thanks. You guys are great.

HDB

The above is happening again. Members on my Forum are getting password reset request emails that they did not initiate. As previously said in this thread anyone can do a password reset by typing the username of any account they see.

As suggested above...

I would suggest a change to the forgot password function. Do not allow someone to read a username of someone and then based on a username alone request a password reset email to be sent to them. Instead do this based on the registered email that only the member knows. On another forum that reset page looks like this...

Quote: If you have forgotten your username or password, you can request to have your username emailed to you and to reset your password. When you fill in your registered email address, you will be sent instructions on how to reset your password.

As noted above, a savvy person will see the IP address in the password reset email is not theirs and realize that it is either a mistake or someone is probing.

Might be something to consider for 2.1.

Kindred

Or just do not use the same display name as your login name?

There is no security issue here... it's a triggered email, the same as any other site.
I get occasional emails from ebay and Amazon, the same way...
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

HDB

I agree, it is not a security issue. The thread subject with the words "Security Concern" was named by the OP. It is just a nuisance and it alarms members receiving the reset email.

I will suggest your advice to not use the same display name as the login name to those that have had the occasional issue with this.

Thanks.
