When was this discovered, and do you know how long it's been on the forum? Plus, have you discovered a way to well uh, filter it from happening?
I mean I haven't seen anything but then I haven't been online today.
A user had signed up to the forum not so long ago and when I was looking through threads a box popped up, luckily I told Matt before anyone else got fooled. One user accidentally entered their details which Matt has dealt with.
I don't think there's a filter because otherwise people won't be able to have signatures hosted from their website. THE ONLY PLACE HABBOXFORUM WILL ASK FOR YOUR PASSWORD IS IN THE LOGIN BOX ON THE FORUM, ANYWHERE ELSE THEN DO NOT ENTER YOUR PASSWORD, ALSO CHECK THE URL.
What's happened? o.O Do I need to change my password?
I would say within the past 24 hours or so it was added into a user's signature. This was spotted, the link hiding under the [IMG] tags was removed and the URL it is located on is also filtered. But by all means you should NEVER enter your details in any login prompt if they load when you go onto Habbox websites.
You do not need to change your password unless you have entered them in a login prompt/window/dialog when you have gone into a thread. But if you may wish, you can change it anyway just to be safe as it's always ideal to change your password every now and then.
Edit: Login Boxes look something like this: (This is not the one that was shown on HxF)
http://uniqueinternetservices.com/fox7.gif
Ah ok! Thanks Matt. :)
Did a user manage to bring something like this onto the forum? D:
Ah, imagine all the credit cards filled with money said exploiter could get from stealing kids' passwords on a Habbo forum :P
Anywho the IMG tags should at least parse non-image filetypes on the client side of things. How strange.
Yeah, they put the link in the image tags and it does that, rather annoying.
Wow, that's a pretty bad exploit on VBulletin's part. Cheers for that though, was pure curiosity on my behalf. Good job Calvin swooped in on that fast, else that could've gotten quite out of hand.
But hang on, I would've thought it'd only let .JPG and all that sorta files to be hosted?
Why on earth some idiot would want to steal HabboxForum user details I don't know. Habbo accounts I can see why but HxF accounts I've no idea why anyone would want them.
I think it's because a lot of (silly) users may use their HabboxForum passwords the same as their Habbo passwords. Of course, they'd need to know the email the account was linked to as well but that's not all THAT hard to discover if you think about it.
'Tis why I have a secret email linked to my Habbo, I don't even bloody know the password to it LOL.
There's prob a reason why it allows other formats than just the image ones, I know with HabbCrazy I coded it to just accept image formats.
Yeah aren't they known as dynamic images or something. I do know what you are getting at and it was linked to a .php file (the link we removed).
Even typing something like that hides "google.com" under an IMG tag, which has been known for a while:
[IMG]http://google.com[/IMG]
Oh bad times! Can't you code it to not accept links like that? Obviously .php files are just an image format like the rest, isn't it .img.php or am I talking out my arse again LOL.
But yeah that's bad times :(
Oh yeah, dynamic images, that's why it allows all. Maybe code it to only allow habbox.com dynamic images?
It's possible but is it worth it dum dum dum
I just coded it so it only accepted png and gif images, screw messing round with all that stuff.
I doubt that any of the above theories are correct. It looks more like they're posting an image that's password protected which causes the login box to appear.
Oh, I got one of those yesterday, I was like can't be bothered, forum's broke again, and closed the forum LOL :l
I have such faith in habboxforum.com!
Urm ok, but why can't I see this notice?
I haven't seen one yet, so at least there is only one or two users doing it. It could be worse and be like, a group of 20 doing it. Anyway, if that were the case you could just disable sigs for the main usergroups.
And this is not a problem on a daily basis, it isn't like this happens every single day at Habbox where some user tries and gets your account details by making sure a "login prompt" pops up on their screen. Plus, it would depend how many people would actually enter their login details into the box or just press cancel.
I'd rather not see signatures be disabled due to this, I would rather see a method of trying to prevent this from happening but allowing people to still have images in their signatures. (If possible at all) Removing a feature for everyone wouldn't be ideal and they are used by many members on the forum.
We can usually swoop on these things pretty quickly so I don't think there's much to worry about - the security notice was posted as both a notification for anybody fooled by this and a notice to warn users in case it happens again.
The user who had it in their signature has been banned.
It's worth noting we don't actually allow users to have signatures until they are out of the "Newly Registered Users" approval group - so that's 5 posts, so it was probably just some clever ass trying to get people's passwords 'cause people use the same as their Habbo password sometimes.
Few security tips:
- There are three places where you may be asked to type in your HabboxForum Password, they are:
  - The Login box in the top-left of HabboxForum.com
  - When changing your password in usercp
  - On www.habboxforum.com/support - which is an official HabboxForum site.
You should not type your HxF password anywhere else.
Even not allowing .php wouldn't fix it because they can use .htaccess to make it appear under index.png or whatever. I don't think only allowing Habbox.com dynamic images would be a good idea because some users make their own such as Florx who made a few and hosted on his own server.
The user had basically set the login to send entered info to a .txt file, it doesn't happen all the time but happens now and again. I guess we'll just have to watch out for it.
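The two points raised above, that a password-protected "image" makes the browser pop a login dialog and that blocking .php is useless because .htaccess can serve the same thing under index.png, suggest a server-side check on what an [IMG] URL actually returns rather than on its extension. The following is an added example written for this thread, not Habbox/HxF or vBulletin code; the hostnames and responses are constructed.

```python
"""Signature-image validation: classify an [IMG] URL by the HTTP response it
really serves, not by its file extension. Added example, not forum code."""
import re
import urllib.request
import urllib.error


def extension_looks_like_image(url):
    """The naive check discussed in the thread: trusts only the extension.
    A URL ending in .png can still be served by a script via .htaccess."""
    return bool(re.search(r"\.(png|gif|jpe?g)(\?.*)?$", url, re.I))


def classify_image_response(status, headers):
    """Decide from a real HTTP response whether an embedded URL is safe.
    headers: dict of response headers (lookup is made case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401 or "www-authenticate" in h:
        # 401 + WWW-Authenticate is what makes every viewer's browser show a
        # login dialog for the signature: the trick described in this thread.
        return "reject: server demands authentication"
    if status != 200:
        return "reject: status %d" % status
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if not ctype.startswith("image/"):
        return "reject: not an image (%s)" % (ctype or "no content-type")
    return "ok"


def check_signature_image(url, timeout=5):
    """Fetch the URL with HEAD and classify it; network errors are rejections."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_image_response(resp.status, dict(resp.headers.items()))
    except urllib.error.HTTPError as e:
        # 401/404 etc. arrive here; the headers still tell us what happened.
        return classify_image_response(e.code, dict(e.headers.items()))
    except (urllib.error.URLError, OSError) as e:
        return "reject: fetch failed (%s)" % e


# Constructed responses (not captured from any real site). DISGUISED models a
# URL such as http://example.invalid/index.png rewritten by .htaccess to a
# script that answers 401: the extension check passes, the response check does not.
DISGUISED = (401, {"WWW-Authenticate": 'Basic realm="Forum"', "Content-Type": "text/html"})
GENUINE = (200, {"Content-Type": "image/png"})
```

Running `check_signature_image` at signature-save time (and again periodically, since the server behind the URL can change after approval) is the part the extension filter in the thread cannot cover.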