Regarding Security Notice

[Pyroka]

When was this discovered, and do you know how long it's been on the forum? Plus, have you discovered a way to well uh, filter it from happening?

I mean I haven't seen anything but then I haven't been online today.

[Calvin]

When was this discovered, and do you know how long it's been on the forum? Plus, have you discovered a way to well uh, filter it from happening?

I mean I haven't seen anything but then I haven't been online today.

A user had signed upto the forum not so long ago and when I was looking through threads a box popped up, luckily I told Matt before anyone else got fooled. One user accidently entered their details which Matt has dealt with.

I don't think theres a filter because otherwise people won't be able to have signatures hosted from their website. THE ONLY PLACE HABBOXFORUM WILL ASK FOR YOUR PASSWORD IS IN THE LOGIN BOX ON THE FORUM, ANYWHERE ELSE THEN DO NOT ENTER YOUR PASSWORD, ALSO CHECK THE URL.

[syko2006]

What's happened? o.O Do I need to change my password?

[xxMATTGxx]

When was this discovered, and do you know how long it's been on the forum? Plus, have you discovered a way to well uh, filter it from happening?

I mean I haven't seen anything but then I haven't been online today.

I would say within the past 24 hours or so it was added into a users signature. This was spotted, the link hiding under the [IMG] tags was removed and the URL it is located on is also filtered. But in all means you should NEVER enter your details in any login prompt if they load when you go onto Habbox websites.

You do not need to change your password unless you have entered them in a login prompt/window/dialog when you have gone into a thread. But if you may wish, you can change it anyway just to be safe as it's always ideal to change your password every now and then.


Edit: Login Boxes look something like this: (This is not the one that was shown on HxF)

[syko2006]

Ah ok! Thanks Matt.
Did a user manage to bring something like this onto the forum? D:

[HotelUser]

Ah, imagine all the credit cards filled with money said exploiter could get from stealing kid's passwords on a Habbo forum

Anywho the IMG tags should atleast parse non image filetypes on the clientside of things. How strange.

[GoldenMerc]

Yeh they put the link in the image tags n it does tht, rather annoying.

[Pyroka]

Wow, that's a pretty bad exploit on VBulletin's part. Cheers for that though, was pure curiosity on my behalf. Good job Calvin swooped in on that fast, else that could've gotten quite out of hand.

But hang on, I would've thought it'd only let .JPG and all that sorta files to be hosted?

[Jordy]

Why on earth some idiot would want to steal HabboxForum user details I don't know. Habbo accounts I can see why but HxF accounts I've no idea why anyone would want them.

[Pyroka]

I think it's because alot of (silly) users may use their HabboxForum passwords the same as their Habbo passwords. Of course, they'd need to know the email the account was linked too as well but that's not all THAT hard to discover if you think about it.

Tis why I have a secret email linked to my Habbo, I don't even bloody know the password to it LOL.