MAJOR PROGRAMMING ERROR with DCC

Oh, using this method people could also break into Admin's accounts . . . . .

Goudah are you a computer technician?

No . . . . . I was just laying in bed the other night and I realized that it's totally simple because of the way things are set up here . . . .

Pretty much, with a couple clicks of the mouse, anyone could break into any member's account here and read their pm's, post as them, use their MOD or Admin powers, etc . . . . It's really simple, and you wouldn't need much, if any, computer knowledge to do it.

Really - No programming knowledge would be necessary to do this.

It's a major weakness in the system here . . . Anybody that knew a few bits of key information about this site could easily reek major havoc . . . .

The only way I could think of are guessing passwords. Not asking you, but I find it interesting that you think of these things lying in bed. :D

In a way you are close . . . .

It's kind of a long story to how I came to it . . . . Once they problem is fixed I will explain it better, but I can't really explain how I thought of it without giving away how to do it.

Obviously no one even cares about people being able to break into anyones account . . . .

:?

I don't get it either . . . . Either they just think I don't know what I'm talking about, or don't believe me, or think their system is foolproof.

You don't have to be a hacker. You don't have to have any programming knowledge. It's simple. One of these days someone else will figure it out with not so good intentions and lots of people will be upset.

This is scary. Maybe I'm just ignorant here but the only way I can think of is knowing the person's true email and their password?

goudah, I see we have no response to this either. To me, this is a major problem. What's up lately??? No help from admin? What's the deal here? If you can figure it out laying in bed one night, then why can't this be figured out and fixed???? That's my question.

Has anyone addressed this yet?????

That's a no Frog . . . .

I hope this is attended to soon!

Me too - It's pretty scary to think that anyone that thought about it for a while could easily break into anyone's user account . . .

Yup, it needs to be attended to, asap.

Goudah - thank you for pointing this issue out. It's definitely a major concern, and I hope Admin can find time to address it soon! I saw that Jason was on here briefly and answered one question about someone posting a blog...but I don't see that any of the issues in the Mod forum have been addressed.

I understand that they are shorthanded and very busy right now, but I sure would like some sort of explanation as to why important issues are not being addressed, or posts answered.

Does anyone know if the points redemption issue has been addressed, as to when payments are sent?

Nope - I can tell you that hasn't changed at all.

It's still the same thing, if you ask them a question about it, they never answer . . . . It's all a guessing game.

I've been intentionally holding off cashing in my points, though I don't have many to cash in, I could use the extra cash right now. I'm afraid if I cash them in right now, I may not see them for a very long time.

I am really, really computer stupid--but- I think I figured out how to do this :shock: haven't tried it yet, but if I am right, it's pretty bad if I can figure it out :lol:

Although I understand that they are stretched to the limit right now, what with Mike's situation and heading into prime vacation season for staff, someone still needs to monitor what's going on on the boards at least and address our concerns. What is happening here?

I'm willing to give them the benefit of the doubt. Maybe they ARE working on it. Maybe they already have, has anyone tried to find out?

Maybe there is other stuff going on that we don't know about. I guess I don't really care if anyone can break into my "account" or not..What harm can they really do? It's not like I have an overwhelming amount of personal info here..If they get my email addy, oh well..I can block that. And if someone wants to read my pms, let them. And..If someone wants to attempt to post as me..I think that would be just great. I've been here for more than 2 years. The people who matter know my posting style, and anyway, ip addies can prove it's not me. I'm just going to cut everyone some slack and not concern myself. I'll be ok.

When I was in grade school, I was able to get into the school's network and read memos and such. ... In high school I was able to manipulate the attendance records and change my friends grades. ... In college I once hacked into a hotel's network and saw all their guests bills and credit card numbers. ...

Funny that with a bachelor's degree in network technology, I can't manage to hack into this site.

Must be something so completely easy that it's just going right past me. Ah well, like Fins said, the worst someone will get is my email -- which I use a disposable email here anyway.

Someone already hacked into mine a couple of months back--erased the nasty qms and pms they wrote--never did figure out that one :lol:

I thought I knew how they did it, but after thinking about it, I don't--am computer stupid and don't have the time to think about it or worry, I don't put in personal info in any of them anyhow..

I don't think Admin is working on fixing it, since they haven't even asked me what the problem is.

Thing is, it's a very easy fix, and something I've only seen done on this site. No other site does this . . . . .

Has anyone tried to do it?

I played around with the password reset a little. I found that the re-activation link sent via email passed my UID as a parameter (along with a token and and a mode as arguments). I suspected that I might be able to manipulate a password reset by inserting someone else's UID into the re-activation link. However the token it passes, as well as the new temporary password, are both randomly generated Hexidecimal strings. Without knowing the token, the system would not let me go further. I therefore was unsuccessful in that front, since it would still be a matter of guesswork to guess a token with 16777216 possible combinations.

Can it be so simple that you're referring to the fact that everyone's default password is 9, when they set up a new account, until they change it ???

Any user who's never taken the time to change their password, we already know it is 9. Getting their email from their profile, any user would be able to login as them.

That is, until they ever change their default password, which the system warns them to do in the first place ...

:shock:

geeez....hexidecimals....UID's....tokens.... my brain is spinning here...

DebtCruncher, you need to change your username to something more appropriate...like GENIUS!

Sometimes I use big words just so it appears I know what I'm talking about ... really though, it's just how the webpages talk to each other, and I thought maybe by knowing an account's UID that I could use it to create a new password.

Hi, its not that I'm not around or I have no wind of this thread. I'm here :D and have already spoken to the techies about this issue and also breathing on their neck to get it solved, :wink: though according to them the chances are nearly remote. If anyone of you have faced this problem of late , please report it to me, because it would be easier for me to talk to them if I've an example to show.

The reason I haven't replied to this thread or hadn't spoken to goudah yet, because I'm too am a mere illiterate as anyone else with the technologies :oops:

Regards,
Jason

DC - When you reset your password it isn't random, it's always 9. So anyone could reset anyone's password and log in as them, as long as they know the default password . . . .

Thanks Jason for getting it looked in to! AS far as doing the password, hexi, or whateverI have too much going on in my life to figure it out! I can't even remember what I am supposed to, let alone all of that :lol:

Hey, if its the password you're talking about, you can always reset it by going to the edit profile option after login in. And its advisable to do after you're signing-in. This way your information will stay protected.

When you sign in with debtcc, it allots you the default password 9, but you can always change it by going to the edit profile option.

Goudah, I guess I've solved your problem :D if not then pls drop me a PM with the details, because anything more technical is beyond my capacity.

However, all the data of the members are stored in an encrypted form, which is not easy to decipher. Please be assured that all your information are secured :D

Regards,
Jason

No, that wasn't the problem . . . .

Three days later. Anyone?

I sent Jason a PM better explaining what it is . . .

I did not see that above! Sorry!

That's just rather odd, because I've never seen it default to 9 when you reset, only when you create a new account.

I tested the reset a couple times, in each case I got a random hex number:

Try 1 - Password: fdcc6724 key=a1282f
Try 2 - Password: be46f4ec key=66c843

Strange - Maybe they fixed it. I tried it last week with my own account and it reset to 9 each time.

Hi,

If you try to retrieve your password by putting your e-mail id the system generates a random password and doesn't reset it at the default one.

Quote:

That is strange . . . . Maybe it was just a fluke that when I tried it the "random" password was 9 . . . . .