Abuse of Password Reminder Email

Started by Alina400, February 24, 2024, 08:37:06 AM


Alina400

Dear friends,

I need some help.

We have had a small forum for a few years (now updated to SMF 2.0.19, PHP 8.1).

However, someone is abusing the system via the Reminder Email function. Members of the forum get emails to reset their password. Someone just enters the member name in the "Forgot your password" form and sends an email.

How can I stop this or block this option?

Any help is appreciated.

Thanks.
Alina

Aleksi "Lex" Kilpinen

Well, in short I would suggest you do nothing. It's working correctly, and letting your users know someone is trying to log in as them. Removing the option would actually just end up hurting your users, as if they ever forgot their login details they'd be locked out with no options to recover.
Slava Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Alina400

Quote from: Aleksi on February 24, 2024, 09:01:15 AMWell, in short I would suggest you do nothing. It's working correctly, and letting your users know someone is trying to log in as them. Removing the option would actually just end up hurting your users, as if they ever forgot their login details they'd be locked out with no options to recover.

This is not a solution, but rather an appeasement of the problem 😄

Does anyone else have a suggestion or a solution?...

Thanks.

@rjen

You don't understand: there is no 'problem' that can be fixed: someone is requesting password reminders for your users. Blocking that will also disable the reminder function for them.

You may want to check how this someone knows the regular usernames, and block guest access to see member list etc... but that's all you can do
Running SMF 2.1 with latest TinyPortal at www.fjr-club.nl

Alina400

@rjen I have sent you an authentication reminder, and a mail has been sent to your email address.

This function, as you see, can be abused easily, and your forum email will be classified as spam if someone does this over and over again with many members. Action is certainly needed here.

As you know, there is no way to hide users if they leave a comment on your forum.

So, how can I disable the reminder function?

Thanks for your constructive suggestions.

Kindred

You can not.

We've already explained why...

We did not design the system to prevent core, necessary functionality to be turned off.
Слaва Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

@rjen

Quote from: Alina400 on February 24, 2024, 08:48:56 PM@rjen I have sent to you authentication reminder and a mail has been sent to your email address.

Thank you for that. I really needed to be reminded how the password reminder function works..  :o

You may not like my answer, but that's what it is..
There is no way to block people asking a reminder.
Running SMF 2.1 with latest TinyPortal at www.fjr-club.nl

Arantor

Quote from: Alina400 on February 24, 2024, 08:48:56 PMAs you know, there is no way to hide users if they leave a comment on your forum.


You can't use it on me because my *username* isn't Arantor. You absolutely can and should use the ability to hide your username with a display name.
Holder of controversial views, all of which my own.


GreenSonic

Quote from: Alina400 on February 24, 2024, 08:48:56 PM@rjen I have sent you an authentication reminder, and a mail has been sent to your email address.

This function, as you see, can be abused easily, and your forum email will be classified as spam if someone does this over and over again with many members. Action is certainly needed here.

As you know, there is no way to hide users if they leave a comment on your forum.

So, how can I disable the reminder function?

Thanks for your constructive suggestions.

You can disable the password reminder function.

** Removed wrong and possibly harmful advice. -Lex

Remember. Disabling the password reminder feature will make things worse for forum users in the future.

Aleksi "Lex" Kilpinen

I'm fairly sure that edit will also cause errors.
Slava Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Arantor

Quote from: Aleksi "Lex" Kilpinen on February 25, 2024, 03:42:40 AMI'm fairly sure that edit will also cause errors.

And it won't disable the reminder.
Holder of controversial views, all of which my own.


Aleksi "Lex" Kilpinen

Quote from: Arantor on February 25, 2024, 04:01:24 AM
Quote from: Aleksi "Lex" Kilpinen on February 25, 2024, 03:42:40 AMI'm fairly sure that edit will also cause errors.

And it won't disable the reminder.

And with that I removed the edits from above. @GreenSonic It is nice to see people willing to help, but please do not share advice to edit code unless you know what the edits actually do.
Slava Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

GreenSonic

Quote from: Aleksi on February 25, 2024, 04:24:01 AM
Quote from: Arantor on February 25, 2024, 04:01:24 AM
Quote from: Aleksi on February 25, 2024, 03:42:40 AMI'm fairly sure that edit will also cause errors.

And it won't disable the reminder.

And with that I removed the edits from above. @GreenSonic It is nice to see people willing to help, but please do not share advice to edit code unless you know what the edits actually do.
I understood that this could lead to errors. Sorry.

Jotade29

Quote from: Alina400 on February 24, 2024, 08:37:06 AMDear friends,

I need some help.

We have had a small forum for a few years (now updated to SMF 2.0.19, PHP 8.1).

However, someone is abusing the system via the Reminder Email function. Members of the forum get emails to reset their password. Someone just enters the member name in the "Forgot your password" form and sends an email.

How can I stop this or block this option?

Any help is appreciated.

Thanks.
Alina

A very simple and very effective solution. For 'x' reason, password reminders are abused, so what I would do is limit the password reminder (source and template) to the staff level, or the admin level... for example... $user_info['is_admin'], whatever you prefer. When someone is going to use the remember password function, it shows them a message, for example with fatal_error, saying that if they want to reset the password, they must send an email to the address you indicate, and that they must have a correct email, or failing that, provide you with a correct one for them to receive it (if you have to make any email changes manually, the IPs must match, for example). When they provide you with the email in which they want to receive the restoration email, in case it is not the one in the profile, you will have to check IPs to change it... I suggest this for a small period of time, until visits to that part of the website are reduced.

It is something simple and effective, because only those who are really interested in recovering their password will contact you, the rest will not be able to generate emails for it.
Quote from: Diego Andrés on August 12, 2023, 02:20:18 AMI'm afraid convincing Jotade to upgrade to SMF 2.1 will require bigger effort than your work sanitizing Unicode characters  :laugh:

a10

Assuming members' emails are properly hidden from other members\public\guests (as they should be), could the forgot pw form be set to only accept email? If so, unless the perpetrator got email lists (like a rogue moderator\admin), pw reset abuse is fixed.

* But then... members in need of legit pw reset may have forgotten the original email used for registering.


Regarding names, the reset form accepts username only, not displayed name. So user MyName1 > public display MyName 1 = MyName 1 into reset form > "Error".

* But then... if everyone used different username vs displayed, many could have forgotten their original username.
(btw, am using different user\display here and on other forums, no copy\paste pw reset possibility).


Anyway, just some thoughts. To OP, it must be a frustrating and irritating situation.
Could happen to any forum and create quite some disruption if sabotage-minded fools put energy and time into it.

Last resort, disable the reset form, add a Contact mod and let the admins deal with it (but extra workload).
2.0.19, php 8.0.30, MariaDB 10.6.18. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.
Stand with 🇺🇦

Aleksi "Lex" Kilpinen

Quote from: a10 on February 25, 2024, 04:43:28 PMcould the forgot pw form be set to only accept email?
This could actually be a sensible compromise IMO, haven't looked at the code but I'd assume that narrowing the scope shouldn't be a huge undertaking even.

Slava Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Arantor

Not tested but this should do it.


Sources/Reminder.php

Code (find)
elseif (isset($_POST['user']) && $_POST['user'] != '')
{
    $where = 'member_name = {string:member_name}';
    $where_params['member_name'] = $_POST['user'];
    $where_params['email_address'] = $_POST['user'];
}

Code (replace)
elseif (isset($_POST['user']) && $_POST['user'] != '')
{
    $where = 'email_address = {string:email_address}';
    $where_params['email_address'] = $_POST['user'];
}


Themes/default/languages/Profile.english.php

Code (find)
$txt['password_reminder_desc'] = 'If you\'ve forgotten your login details, don\'t worry, they can be retrieved. To start this process please enter your username or email address below.';

Code (replace)
$txt['password_reminder_desc'] = 'If you\'ve forgotten your login details, don\'t worry, they can be retrieved. To start this process please enter your email address below.';
Holder of controversial views, all of which my own.
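To see what the find/replace above changes, here is a stand-alone PHP sketch (an added illustration, not SMF's or Arantor's code) that mimics the reminder lookup before and after the edit against a constructed member table. The function name resolve_reminder_target(), the member rows and the example.invalid addresses are all assumptions; the "original accepts username or email" behaviour follows the page's own $txt['password_reminder_desc'] string.

```php
<?php
// Added illustration, not SMF code. It mimics the reminder lookup before and
// after the find/replace above, against a constructed member table.
$members = [
    ['member_name' => 'Arantor', 'real_name' => 'Arantor',  'email_address' => 'arantor@example.invalid'],
    ['member_name' => 'MyName1', 'real_name' => 'MyName 1', 'email_address' => 'myname1@example.invalid'],
];

/**
 * Return the member row a reminder mail would go to, or null if nothing matches.
 * $email_only = false: original behaviour, the posted value may be a username or an email.
 * $email_only = true:  replacement behaviour, the posted value is only compared to email_address.
 */
function resolve_reminder_target(array $members, string $input, bool $email_only): ?array
{
    if ($input === '') {
        return null;
    }
    $columns = $email_only ? ['email_address'] : ['member_name', 'email_address'];
    foreach ($columns as $column) {
        foreach ($members as $row) {
            if ($row[$column] === $input) {
                return $row;
            }
        }
    }
    // real_name (the display name) is never consulted in either variant, which is
    // why a display name that differs from the username never triggers a reminder.
    return null;
}

// Constructed inputs: a username copied from a post, a display name, a plain username, an email.
foreach (['Arantor', 'MyName 1', 'MyName1', 'myname1@example.invalid'] as $input) {
    $before = resolve_reminder_target($members, $input, false);
    $after  = resolve_reminder_target($members, $input, true);
    printf("%-24s original: %-8s email-only: %s\n", $input,
        $before === null ? 'nothing' : 'mails', $after === null ? 'nothing' : 'mails');
}
```

With the email-only variant, only the address row produces a mail; a username visible on the forum no longer does, which is the whole effect of the patch.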


Alina400

Quote from: Arantor on February 25, 2024, 06:01:54 PMNot tested but this should do it.

@Arantor it is absolutely amazing how quickly you come up with a real solution! Thank you ❤️

Quote from: a10 on February 25, 2024, 04:43:28 PMAssuming member's emails are properly hidden from other members\public\guests (as it should), could the forgot pw form be set to only accept email?

Anyway, just some thoughts. To OP, must be a frustrating and irritating situation.
Could happen to any forum and create quite some disruption if sabotage-minded fools puts energy and time into it.

@a10 Thank you, also for the great idea ❤️

Hope it will be helpful for others as well.
