It was noted many times before in several threads and people have mentioned that it should be included in the new forum software. It didn't have its dedicated thread then (well, now it does). I do agree; a lot of hacks happen due to said flaw, as hackers, once they have gained access to the account, can simply change the email and password.
Security aspects should be implemented immediately in this forum version. I feel waiting another year just for these much needed security upgrades would be too long.
Layout, avatars and performance can come at a later date. Security needs to come tomorrow.
Agreed; security is important, particularly so on a forum dedicated to cryptography. Though it's possible to recover accounts after their email has been changed, the process is cumbersome and time-consuming. I'm certain a plugin for email verification already exists for SMF, but it wouldn't be particularly hard to create one independently if necessary (generate a password reset key and store it in a database, send an email, invalidate unused keys after ~24 hours).
This would rely very heavily on automation which has its own vulnerabilities.
At the moment, there's no email verification required to change an account's email; anyone with the password can change the email to anything they choose, with no confirmation required. Regaining control of an account would require the same manual process, but email verification would make it more difficult for accounts to be stolen in the first place by requiring confirmation from the second factor before allowing it (and consequently, the way for the original owner to reset the account's password) to be changed.
So long as there are no vulnerabilities in the email confirmation system (which should be easy enough to secure; it's a common practice for many sites, and relatively simple to implement) then the only disadvantage will be to the people buying and selling accounts, who will have to add another step to their process.
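
The flow sketched in the thread (generate a key, store it, mail it, invalidate unused keys after ~24 hours), as an added example that is not part of any post above and is not SMF code. The table and function names are hypothetical, the token is assumed to be mailed to the account's current address, and mail delivery itself is left out.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

TOKEN_TTL = 24 * 3600  # the ~24 hour lifetime suggested in the thread

def open_db():
    # Hypothetical schema, in memory so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT)")
    db.execute("CREATE TABLE email_changes (member_id INTEGER PRIMARY KEY,"
               " new_email TEXT, token_hash TEXT, expires_at REAL)")
    return db

def _digest(token):
    # Only the hash is stored, so a database leak does not expose usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def request_email_change(db, member_id, new_email, now=None):
    """Record a pending change; return the token to mail to the CURRENT address."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    # PRIMARY KEY on member_id: a new request replaces any older pending one.
    db.execute("INSERT OR REPLACE INTO email_changes VALUES (?, ?, ?, ?)",
               (member_id, new_email, _digest(token), now + TOKEN_TTL))
    return token

def confirm_email_change(db, member_id, token, now=None):
    """Apply the pending change only for a valid, unexpired, unused token."""
    now = time.time() if now is None else now
    db.execute("DELETE FROM email_changes WHERE expires_at <= ?", (now,))
    row = db.execute("SELECT new_email, token_hash FROM email_changes"
                     " WHERE member_id = ?", (member_id,)).fetchone()
    # Constant-time comparison of the stored hash against the presented token.
    if row is None or not hmac.compare_digest(row[1], _digest(token)):
        return False
    db.execute("UPDATE members SET email = ? WHERE id = ?", (row[0], member_id))
    db.execute("DELETE FROM email_changes WHERE member_id = ?", (member_id,))
    return True

def current_email(db, member_id):
    row = db.execute("SELECT email FROM members WHERE id = ?",
                     (member_id,)).fetchone()
    return row[0]
```

With this in place, knowing the password alone is not enough to move the account to a new address; the change stays pending until the token from the existing mailbox is presented.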