security flaw

Started by kman, March 07, 2006, 12:33:33 PM


kman

I tried to log in with my usual password, which didn't work.  After trying a few times, a message came up saying I could reset my password by clicking a link in my email, with the OPTION of answering my secret question.  This means that anyone could potentially put their own email there and click the link to hack into my account.  Having to answer the secret question correctly should be required, not an option.  I can't believe this was missed.

Trekkie101

But it asks, either Username or Email, so if their email wasn't associated with the account, it won't send them your link....

Kindred

to expand a little on Trekkie's comment...

Yes, it asks for an email address.  However, if the email address does not match the one on the account, nothing will be sent.

I am very disappointed that you would report this with such strong language without actually testing it.

Try it: 
set up an account with one email address.
fail the 3 login attempts
enter a DIFFERENT email address in the box...
...
the different email address will not receive any account information.

sheesh... do you really think that something that basic would have been missed in 20 or so public releases of this software?
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
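The behaviour Kindred's steps describe, as an added illustration written for this thread (not SMF's own code): the "forgot password" handler looks the account up by username or email, only ever mails the address already on record, and answers identically whether or not a match was found, so a stranger typing their own address gets nothing. Account data, addresses and the `ACCOUNTS` store are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    email: str                      # address on record; the only one ever mailed
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: bytes = b""
    reset_tokens: list = field(default_factory=list)


# Constructed sample data for the example, not a real user.
ACCOUNTS = {"kman": Account("kman", "kman@example.invalid")}


def find_account(identifier: str):
    """Match the typed value against stored usernames/emails only."""
    ident = identifier.strip().lower()
    for acct in ACCOUNTS.values():
        if ident in (acct.username.lower(), acct.email.lower()):
            return acct
    return None


def request_reset(identifier: str, outbox: list) -> str:
    """Queue a reset link for the matched account's stored email.

    A non-matching email simply finds no account, so nothing is sent and
    the caller cannot tell the two cases apart from the response text.
    """
    acct = find_account(identifier)
    if acct is not None:
        token = secrets.token_urlsafe(32)
        acct.reset_tokens.append(token)
        outbox.append((acct.email, token))   # never the value the visitor typed
    return "If that account exists, a reset link has been sent to its email."


def redeem_reset(username: str, token: str, new_password: str) -> bool:
    """Consume a single-use token; possession proves control of the mailbox."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return False
    for stored in acct.reset_tokens:
        if hmac.compare_digest(stored, token):
            acct.reset_tokens.remove(stored)
            acct.password_hash = hashlib.pbkdf2_hmac(
                "sha256", new_password.encode(), acct.salt, 200_000)
            return True
    return False
```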

kman

Alright, my bad.  Sorry. :P

I don't see any "strong language" in my topic though.  lol

Kindred

hmmmm....   you think the text "HUGE security flaw" (with the huge in all caps) is not strong language

On the internet today where people are so obsessed with security that they complain when a script asks them to make a file chmod 777, words like that raise a red flag and worry people who just skim titles...

redone

Well, I edited your title because it is hardly a "HUGE" security flaw. And like has already been mentioned most people just skim through posts they don't often read them.

kman

I'm just a confused customer asking a question.  You guys need to relax and take it professionally.

Kindred

No...   you were a confused customer making (incorrect) assumptions on security without even understanding or properly testing before reporting a "HUGE security flaw" (that is not huge, nor is it a security flaw at all...)

Tristan Perry

Quote from: Kindred - June 15, 2006, 03:15:22 PM
No...   you were a confused customer making (incorrect) assumptions on security without even understanding or properly testing before reporting a "HUGE security flaw" (that is not huge, nor is it a security flaw at all...)
(Maybe he's just a newbie who didn't know the ramifications that some ignorant security obsessed people skim read titles?)

*Cough* kman generally in this day and age security is a big thing on the internet, hence reporting a flaw without proper testing is generally frowned upon :)
