
Thread: forum accounts easy to steal ?

  1. #1

    forum accounts easy to steal ?

    Hi,

    I just created an Ubuntu One account in order to link it to my forum account and set a new password since the old one is now in the wild.
    I created my One account using my email address and didn't need any confirmation (not even confirmation email). Then I just had to click "connect to forum" and keep all checkboxes (what information do I want to share with forum -> full name / nickname / email address). Since the One account shared the email address with the forum, the latter recognized me and my accounts were linked.
    I am now logged on forums, without using my old password, without proving that I'm the owner of the email address linked to my forum account.

    Unless I have missed something, it sounds like a big security issue : I could create a One account using the email address of any member who did not come back yet, and I will own his forum account !

    Regards,

    aze555666

  2. #2
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: forum accounts easy to steal ?

    How would you know the email another member uses on the forum without having access to the database itself?
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #3
    Join Date
    Jun 2006
    Location
    UK
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: forum accounts easy to steal ?

    Quote Originally Posted by aze555666 View Post
    I created my One account using my email address and didn't need any confirmation (not even confirmation email).
    Are you saying you didn't receive something like this?

    Hello

    As a final step of the Ubuntu Single Sign On (SSO) account creation process, please validate the email address <snip>. Ubuntu SSO enables convenient access to a variety of Ubuntu-related services like Ubuntu One with the same username and password.

    Here is your confirmation code:

    <snip>

    Enter this code into the registration form, or click the following link to automatically confirm your account:

    <snip>


    If you don't know what this is about, then someone has probably entered your email address by mistake. Sorry about that. You don't need to do anything further. Just delete this message.

    Thank you,

    The Ubuntu Single Sign On team
    Ubuntu 16.04 Desktop Guide - Ubuntu 14.04 Desktop Guide - Forum Guide to BBCode - IRC #ubuntuforums

    Member: Not Canonical Team

    Please do not PM me about your forum account unless you have been asked to. The correct place to contact an admin about your account is here.

  4. #4

    Re: forum accounts easy to steal ?

    Quote Originally Posted by CharlesA View Post
    How would you know the email another member uses on the forum without having access to the database itself?
    You could either use a random address hoping to hack a random forum account, or be able to link a forum username and an email address using other information sources (either search for the same username elsewhere on the internet and find sites/forums that may display email in profile, or just be the guy who got the DB from ubuntuforums a few days ago and have all emails but didn't decrypt passwords yet)

    Quote Originally Posted by coffeecat View Post
    Are you saying you didn't receive something like this?
    No, didn't get it. Double checked my webmail in case I would have mechanically clicked the link and trashed the email, but didn't find anything.

  5. #5
    Join Date
    Jun 2009
    Location
    0:0:0:0:0:0:0:1
    Beans
    4,669
    Distro
    Xubuntu

    Re: forum accounts easy to steal ?

    I did not get one of those either
    @CharlesA
    I am pretty sure the guy/gal who hacked the forums in the 1st place would have this info, what about the admin accounts, could he/she steal any of those?

    I had a ubuntu one account prior to the site getting hacked
    Last edited by pqwoerituytrueiwoq; August 7th, 2013 at 12:51 AM.
    Laptop: ASUS A54C-NB91 (Storage: WD3200BEKT + MKNSSDCR60GB-DX); Desktop: Custom Build - Images included; rPi Server
    Putting your Networked Printer's scanner software to shame PHP Scanner Server
    I frequently edit my post when I have the last post

  6. #6
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: forum accounts easy to steal ?

    Quote Originally Posted by aze555666 View Post
    You could either use a random address hoping to hack a random forum account, or be able to link a forum username and an email address using other information sources (either search for the same username elsewhere on the internet and find sites/forums that may display email in profile, or just be the guy who got the DB from ubuntuforums a few days ago and have all emails but didn't decrypt passwords yet)
    What is the profit in doing that? If someone is in the process of registering random email addresses and linking them to the forum, we would see a noticeable increase in user registration and that would probably be a red flag that something is going on.

    Quote Originally Posted by pqwoerituytrueiwoq View Post
    I did not get one of those either
    @CharlesA
    I am pretty sure the guy/gal who hacked the forums in the 1st place would have this info, what about the admin accounts, could he/she steal any of those?

    I had a ubuntu one account prior to the site getting hacked
    Perhaps, but again, where is the profit? Besides I'm pretty sure all of the mods/admins have already linked their launchpad/UO account to their forum account, so a hijack like that isn't possible.

  7. #7
    Join Date
    Jun 2009
    Location
    0:0:0:0:0:0:0:1
    Beans
    4,669
    Distro
    Xubuntu

    Re: forum accounts easy to steal ?

    Quote Originally Posted by CharlesA View Post
    Perhaps, but again, where is the profit?
    better safe than sorry, don't want the forums to go down again

  8. #8
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: forum accounts easy to steal ?

    Quote Originally Posted by aze555666 View Post
    Unless I have missed something, it sounds like a big security issue : I could create a One account using the email address of any member who did not come back yet, and I will own his forum account !

    Regards,

    aze555666
    So you've got access to a member account that has no privileges, how is that supposed to be insecure? We have other security measures in place when it comes to the moderation team.

  9. #9
    Join Date
    Jul 2007
    Location
    Tāmaki Makau-rau, NZ
    Beans
    6,443
    Distro
    Xubuntu 16.04 Xenial Xerus

    Re: forum accounts easy to steal ?

    So you've got access to a member account that has no privileges, how is that supposed to be insecure?
    I think it's slightly missing the point. Supposing that I weren't a moderator and someone got hold of my account. They could post a load of nonsense, maybe not bad enough to get jailed, in my name. Given that the internet never forgets, I could be having to explain that to prospective employers for a long time. Or maybe never even getting the chance of explaining it.

    However, I'm pretty sure I got a message like coffeecat describes when I changed my email address several months ago. If some of you aren't getting one, maybe it's a bug that needs to be reported.
    Please, people, remember to BACKUP before you install that new system. Same if you're upgrading.

    Ubuntu membership via Forums contributions

  10. #10
    Join Date
    May 2007
    Location
    The New Forest
    Beans
    Hidden!
    Distro
    Xubuntu

    Re: forum accounts easy to steal ?

    Quote Originally Posted by aze555666 View Post
    Hi,

    I just created an Ubuntu One account in order to link it to my forum account and set a new password since the old one is now in the wild.
    I created my One account using my email address and didn't need any confirmation (not even confirmation email). Then I just had to click "connect to forum" and keep all checkboxes (what information do I want to share with forum -> full name / nickname / email address). Since the One account shared the email address with the forum, the latter recognized me and my accounts were linked.
    I am now logged on forums, without using my old password, without proving that I'm the owner of the email address linked to my forum account.

    Unless I have missed something, it sounds like a big security issue : I could create a One account using the email address of any member who did not come back yet, and I will own his forum account !

    Regards,

    aze555666
    If you did not receive any sort of confirmation of the e-mail from login.ubuntu.com you should talk to them about it.

    I've received more than one of these mails from them regarding e-mail changes/additions to my u1 account.

    Quote Originally Posted by Irihapeti View Post
    I think it's slightly missing the point. Supposing that I weren't a moderator and someone got hold of my account. They could post a load of nonsense, maybe not bad enough to get jailed, in my name. Given that the internet never forgets, I could be having to explain that to prospective employers for a long time. Or maybe never even getting the chance of explaining it.

    However, I'm pretty sure I got a message like coffeecat describes when I changed my email address several months ago. If some of you aren't getting one, maybe it's a bug that needs to be reported.

    Would you not contact admins at the forum saying that you think that the account's been hacked?

    We've got access to account information as well - including changes to various user editable fields.

    At the end of the day if people think that there is an issue at login.ubuntu.com then it is there that the question should be asked, not here - we have no control over SSO, nor do we have any control over having to use SSO.
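
The linking behaviour discussed in this thread (an SSO identity attached to an existing forum account because the e-mail addresses match) can be guarded on the forum side as well. The following is an added example, not code from the forum software or from Ubuntu SSO; the `assertion` dict, its `email_verified` field, the account store and the function names are all hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: existing forum accounts keyed by e-mail address.
FORUM_ACCOUNTS = {"alice@example.org": {"user_id": 101, "sso_id": None}}
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret for challenge tokens


def make_challenge(user_id, sso_id):
    """Token sent to the address on file; binds one forum user to one SSO identity."""
    msg = f"{user_id}:{sso_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def link_sso_identity(assertion, challenge=None):
    """Decide whether an SSO login may be attached to an existing forum account.

    `assertion` is a hypothetical dict built from the identity provider's
    response: sso_id, email, email_verified. Returns (decision, user_id).
    """
    email = assertion.get("email", "").strip().lower()
    account = FORUM_ACCOUNTS.get(email)
    if account is None:
        return ("create_new", None)  # no existing account that could be taken over
    if account["sso_id"] is not None:
        # Already linked: only the SSO identity that was linked may log in.
        same = hmac.compare_digest(account["sso_id"], assertion["sso_id"])
        return ("login", account["user_id"]) if same else ("deny", None)
    if assertion.get("email_verified") is True:
        account["sso_id"] = assertion["sso_id"]
        return ("linked", account["user_id"])
    # Address not confirmed by the provider: an e-mail match alone is not
    # enough, so require the token mailed to the address the forum has on file.
    expected = make_challenge(account["user_id"], assertion["sso_id"])
    if challenge is not None and hmac.compare_digest(expected, challenge):
        account["sso_id"] = assertion["sso_id"]
        return ("linked", account["user_id"])
    return ("challenge_required", None)
```

An account that is already linked stays bound to the first SSO identity, which matches the point made above about moderators who had linked their accounts beforehand.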
