
View Full Version : Regarding Security Notice



Pyroka
03-09-2010, 12:01 AM
When was this discovered, and do you know how long it's been on the forum? Plus, have you discovered a way to well uh, filter it from happening?

I mean I haven't seen anything but then I haven't been online today.

Calvin
03-09-2010, 12:08 AM
When was this discovered, and do you know how long it's been on the forum? Plus, have you discovered a way to well uh, filter it from happening?

I mean I haven't seen anything but then I haven't been online today.

A user had signed up to the forum not so long ago and when I was looking through threads a box popped up; luckily I told Matt before anyone else got fooled. One user accidentally entered their details, which Matt has dealt with.

I don't think there's a filter because otherwise people won't be able to have signatures hosted from their website. THE ONLY PLACE HABBOXFORUM WILL ASK FOR YOUR PASSWORD IS IN THE LOGIN BOX ON THE FORUM, ANYWHERE ELSE THEN DO NOT ENTER YOUR PASSWORD, ALSO CHECK THE URL.

syko2006
03-09-2010, 12:08 AM
What's happened? o.O Do I need to change my password?

xxMATTGxx
03-09-2010, 12:08 AM
When was this discovered, and do you know how long it's been on the forum? Plus, have you discovered a way to well uh, filter it from happening?

I mean I haven't seen anything but then I haven't been online today.

I would say within the past 24 hours or so it was added into a user's signature. This was spotted, the link hiding under the tags was removed and the URL it is located on is also filtered. But in all means you should NEVER enter your details in any login prompt if they load when you go onto Habbox websites.

You do not need to change your password unless you have entered them in a login prompt/window/dialog when you have gone into a thread. But if you may wish, you can change it anyway just to be safe as it's always ideal to change your password every now and then.


Edit: Login Boxes look something like this: (This is not the one that was shown on HxF)

[IMG]http://uniqueinternetservices.com/fox7.gif

syko2006
03-09-2010, 12:11 AM
Ah ok! Thanks Matt. :)
Did a user manage to bring something like this onto the forum? D:

HotelUser
03-09-2010, 12:15 AM
Ah, imagine all the credit cards filled with money said exploiter could get from stealing kids' passwords on a Habbo forum :P

Anywho the IMG tags should at least parse non image filetypes on the clientside of things. How strange.

GoldenMerc
03-09-2010, 12:16 AM
Yeh they put the link in the image tags n it does tht, rather annoying.

Pyroka
03-09-2010, 12:40 AM
Wow, that's a pretty bad exploit on VBulletin's part. Cheers for that though, was pure curiosity on my behalf. Good job Calvin swooped in on that fast, else that could've gotten quite out of hand.

But hang on, I would've thought it'd only let .JPG and all that sorta files to be hosted?

Jordy
03-09-2010, 12:41 AM
Why on earth some idiot would want to steal HabboxForum user details I don't know. Habbo accounts I can see why but HxF accounts I've no idea why anyone would want them.

Pyroka
03-09-2010, 12:43 AM
I think it's because a lot of (silly) users may use their HabboxForum passwords the same as their Habbo passwords. Of course, they'd need to know the email the account was linked to as well but that's not all THAT hard to discover if you think about it.

Tis why I have a secret email linked to my Habbo, I don't even bloody know the password to it LOL.

GoldenMerc
03-09-2010, 12:45 AM
There's prob a reason why it allows other formats than just the image ones, I know with HabbCrazy I coded it to just accept image formats.

Pyroka
03-09-2010, 12:46 AM
There's prob a reason why it allows other formats than just the image ones, I know with HabbCrazy I coded it to just accept image formats.

Most likely for images which are coded in .php... Like I think the images for the HxSS sigs were? Might be talking a load of tosh though.

xxMATTGxx
03-09-2010, 12:49 AM
Most likely for images which are coded in .php... Like I think the images for the HxSS sigs were? Might be talking a load of tosh though.

Yeah aren't they known as dynamic images or something. I do know what you are getting at and it was linked to a .php file (the link we removed).

http://google.com

Even typing something like that hides "google.com" under an IMG tag which has been known for a while.

Pyroka
03-09-2010, 12:53 AM
Oh bad times! Can't you code it to not accept links like that? Obviously .php files are just an image format like the rest, isn't it .img.php or am I talking out my arse again LOL.

But yeah that's bad times :(

GoldenMerc
03-09-2010, 12:56 AM
Oh yeh Dynamic images, that's why it allows all. Maybe code it to only allow habbox.com dynamic images?

Pyroka
03-09-2010, 12:57 AM
Oh yeh Dynamic images, that's why it allows all. Maybe code it to only allow habbox.com dynamic images?

That's not a bloody bad idea that, but would it be possible to narrow it down to just being accepted by one domain?

GoldenMerc
03-09-2010, 12:59 AM
It's possible but is it worth it dum dum dum
I just coded it so it only accepted png n jif images screw messing round with all dat stuf.

Trigs
03-09-2010, 03:46 AM
I doubt that any of the above theories are correct. It looks more like they're posting an image that's password protected which causes the login box to appear.

myke
03-09-2010, 07:21 AM
o i got one of those yesterday i was like cant be bothered forums broke again and closed the forum LOL :l

i have such faith in habboxforum.com!

urm ok but why cant i see this notice

xxMATTGxx
03-09-2010, 07:21 AM
I doubt that any of the above theories are correct. It looks more like they're posting an image that's password protected which causes the login box to appear.

Maybe but why have a log file for an image which stores any information that was entered into the box.


o i got one of those yesterday i was like cant be bothered forums broke again and closed the forum LOL :l

i have such faith in habboxforum.com!

urm ok but why cant i see this notice


Which one?

Josh
03-09-2010, 08:42 AM
I haven't seen one yet, so at least there is only one or two users doing it. It could be worse and be like, a group of 20 doing it. Anyway, if that were the case you could just disable sigs for the main usergroups.

xxMATTGxx
03-09-2010, 08:45 AM
I haven't seen one yet, so at least there is only one or two users doing it. It could be worse and be like, a group of 20 doing it. Anyway, if that were the case you could just disable sigs for the main usergroups.

Disabling signatures for the main user-groups would make quite a lot of users unhappy, surely?

Josh
03-09-2010, 08:46 AM
Disabling signatures for the main user-groups would make quite a lot of users unhappy, surely?

So would masses of users getting hacked.

xxMATTGxx
03-09-2010, 08:47 AM
So would masses of users getting hacked.

And this is not a problem on a daily basis, it isn't like this happens every single day at Habbox where some user tries and gets your account details by making sure a "login prompt" pops up on their screen. Plus, it would depend how many people would actually enter their login details into the box or just press cancel.

Josh
03-09-2010, 08:49 AM
And this is not a problem on a daily basis, it isn't like this happens every single day at Habbox where some user tries and gets your account details by making sure a "login prompt" pops up on their screen.

Yes luckily. But as I said, that is probably the worst case scenario.

xxMATTGxx
03-09-2010, 08:50 AM
Yes luckily. But as I said, that is probably the worst case scenario.

I'd rather not see signatures be disabled due to this, I would rather see a method of trying to prevent this from happening but allowing people to still have images in their signatures (if possible at all). Removing a feature for everyone wouldn't be ideal and they are used by many members on the forum.

Hecktix
03-09-2010, 08:55 AM
We can usually swoop on these things pretty quickly so I don't think there's much to worry about - the security notice was posted as both a notification for anybody fooled by this and a notice to warn users in case it happens again.

The user who had it in their signature has been banned.

It's worth noting we don't actually allow users to have signatures until they are out of the "Newly Registered Users" approval group - so that's 5 posts, so it was probably just some clever ass trying to get people's passwords 'cause people use the same as their Habbo password sometimes.

Few security tips:

- There are three places where you may be asked to type in your HabboxForum Password, they are:
  - The Login box in the top-left of HabboxForum.com
  - When changing your password in usercp
  - On www.habboxforum.com/support - which is an official HabboxForum site.

You should not type your HxF password anywhere else.

Josh
03-09-2010, 08:59 AM
I'd rather not see signatures be disabled due to this, I would rather see a method of trying to prevent this from happening but allowing people to still have images in their signatures (if possible at all). Removing a feature for everyone wouldn't be ideal and they are used by many members on the forum.

Of course only temporarily I mean. ;l

Calvin
03-09-2010, 03:05 PM
Even not allowing .php wouldn't fix it because they can use .htaccess to make it appear under index.png or whatever. I don't think only allowing Habbox.com dynamic images would be a good idea because some users make their own such as Florx who made a few and hosted on his own server.

The user had basically set the login to send entered info to a .txt file, it doesn't happen all the time but happens now and again. I guess we'll just have to watch out for it.
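A moderator-side check for the point Calvin makes above, that filtering on the file extension does not help once a script is served under a .png name. This is an added example, not code from the forum or from vBulletin; the host name, the header values and the Response class are constructed stand-ins. It classifies a signature URL by the HTTP response it actually returns, flagging a 401/WWW-Authenticate challenge (which is what makes the browser show a login box) and non-image content types.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Response:
    """Constructed stand-in for the HTTP response an image URL returns."""
    status: int
    headers: dict


def extension_looks_like_image(url: str) -> bool:
    """Naive check that trusts the file name; a .htaccess rewrite defeats it."""
    path = urlparse(url).path.lower()
    return path.endswith((".png", ".gif", ".jpg", ".jpeg"))


def classify_image_response(url: str, resp: Response) -> str:
    """Verdict based on what the server actually sends back for the URL."""
    if urlparse(url).scheme not in ("http", "https"):
        return "bad-scheme"
    headers = {k.lower(): v for k, v in resp.headers.items()}
    # A 401 with a WWW-Authenticate challenge is what pops up the login box.
    if resp.status == 401 or "www-authenticate" in headers:
        return "auth-prompt"
    if resp.status != 200:
        return "not-ok"
    if not headers.get("content-type", "").lower().startswith("image/"):
        return "not-image"
    return "ok"


# Constructed samples (hypothetical host): a real PNG, a script served under a
# .png name that answers with a Basic-auth challenge, and a plain HTML page.
SAMPLES = {
    "http://img.example.invalid/sig.png":
        Response(200, {"Content-Type": "image/png"}),
    "http://img.example.invalid/index.png":
        Response(401, {"WWW-Authenticate": 'Basic realm="Forum Login"',
                       "Content-Type": "text/html"}),
    "http://img.example.invalid/page.php":
        Response(200, {"Content-Type": "text/html"}),
}


def audit(samples=None) -> dict:
    """Map each signature URL to its verdict; anything not "ok" is for review."""
    samples = SAMPLES if samples is None else samples
    return {url: classify_image_response(url, r) for url, r in samples.items()}
```

In a live deployment the Response would come from a request the forum server makes itself (with a short timeout) when a signature is saved, so the verdict never depends on what a member's browser happens to see.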

Jamesy
03-09-2010, 03:12 PM
Even not allowing .php wouldn't fix it because they can use .htaccess to make it appear under index.png or whatever. I don't think only allowing Habbox.com dynamic images would be a good idea because some users make their own such as Florx who made a few and hosted on his own server.

The user had basically set the login to send entered info to a .txt file, it doesn't happen all the time but happens now and again. I guess we'll just have to watch out for it.

This pretty much, bit of common sense like not entering your details into any strange boxes that pop up in front of you and just let one of the moderation / admins know. Problem sorted.
