URGENT! CF had a security loophole, so all members must change their passwords!

[Faith In God]

Thank you, Erwin.

yeah. no kidding. how do you do what you do and have time to live?

 

[Susan]

Thanks Erwin. . .and eek, this is a surprise. I thought my old password was unable to be compromised because it was unable to be spelled.

 

[Freodin]

Wow... you got me beat. My password was only 12611 days old.

No, I don´t think I got you beat. If others had that number, too, it´s more likely I did not remeber it correctly.

I only remembered that it had 5 numbers, started with a 1 and contained a 6.

So my message will have been 12611 as well.

But I am relieved - now I only logged in for the first time when I was six months old - instead of -5.

 

[Erwin]

The hacker could not know or change your password - all he did was copy cookies. The moment you change your password, he will no longer be able to use these cookies. Ensure your password is different - if you use the same password, the cookies will work again.

 

[seebs]

Ooh, that's a good thing to know. I changed my password, and then when I had to change it again, changed it back, figuring I'd have a "new cookie".

(Amazingly, at least on tests, I am reported as being fairly smart, and I do a lot of computer stuff, and even some security stuff. You'd think I could apply this, but Noooooo.)

 

[MariaRegina]

Thank you, Erwin, for a job well done.

 

[Blessed-one]

wonder how many cookies this guy copied.
so we have to change it twice? ok.

 

[Susan]

Ugh, and the permanent login is gone too. I have to log in every time I close the site, but that's OK.

 

[Krazeekkc]

No, I don´t think I got you beat. If others had that number, too, it´s more likely I did not remeber it correctly.

I only remembered that it had 5 numbers, started with a 1 and contained a 6.

So my message will have been 12611 as well.

But I am relieved - now I only logged in for the first time when I was six months old - instead of -5.

I got "your password is 256 days old"! So yay I'm unique! 256! lol

 

[freak_of_today]

I got 79 days old for my PW.

ANyway, thanks a heap for the info Erwin!

 

[Mϋzikdϋde]

yeah. no kidding. how do you do what you do and have time to live?

He isn't a real person. He's just ones and zeros. You didn't know that?

 

[Snowy]

lol

 

[crazyfingers]

I'm wondering if there has also been a change in how CF sets cookies. I ask
because ever since I was required to changed my password, I have been unable to save cookies for auto-login under "Remember me".

I use Mozilla Firefox and have my cookies set to always and normal and my password manager to remember passwords. Despite this, all of the CF cookies are marked "For current session only" and delete once I close the browser.

I have reset my password a second time, though the system has not asked me to do so yet.

BTW, I have no problem with the "remember me" passwords on other vb3 boards. For example, I've cleared my cookies for Internet Infidels www.iidb.org and re-logged in. Those new cookes are marked to remain valid for a year.

This problem is unique to CF and started when I had to change my password.

Sorry if this has already been discussed. I have looked and have not found mention of this issue.

 

[Erwin]

Hi cf, good to see you on CF.

CF uses the default vB3 cookie system.

I suspect your cookie got corrupted in the changing of passwords. You can also get cookie problems if you've logged into CF using different domains or using the root domain - for example, logging in at christianforums.com, then again using www.christianforums.com, can cause cookie problems.

Our FAQ comments on this. You can delete ALL cookies in your browser, and log in again. Or, at least, delete all cookies in your browser attached to CF domains.

 

[crazyfingers]

Hi Erwin, Thanks for the response.

Hi cf, good to see you on CF.

CF uses the default vB3 cookie system.

I suspect your cookie got corrupted in the changing of passwords.

Yes. Though I've logged in and out multiple times so the cookies have been created and destroyed multiple times now. I have check the cookie manager and confirned that they are there or are not there as appropriate. However when they do exist, they are marked as on-sessio-only whereas my other cookies are all marked as having a year's life.

You can also get cookie problems if you've logged into CF using different domains or using the root domain - for example, logging in at christianforums.com, then again using www.christianforums.com, can cause cookie problems.

I always use the same bookmark to open CF. It opens to the main index.

Our FAQ comments on this. You can delete ALL cookies in your browser, and log in again. Or, at least, delete all cookies in your browser attached to CF domains.

Well, deleting the cookies isn't the problem. The problem is that they auto-delete when the browser session is closed. They are being created as one-session-only cookies and auto-delete on browser closure.

This means of course that I have to manually log-in every time I visit CF with a new browswer session.

I would suspect that something was wrong with my own settings if I had this problem with other vB3 boards. However I'm unable to reproduce the effect on any other board. This problem only happens on CF and only started after I was notified that I had to change my password.

So I wondered of there was something different about how CF was set up.

In any case, since this doesn't ring a bell with you, I'll continue to look for a solution from my side.

 

[alaurie]

...This happens all the time on the internet. People gain entry into places by exploiting someone's information but they are ususally NOT after the person whose info they are using. The information is just a conduit to reach a different goal.

....Sure, it happens all the time but is it legal?

 

[Mϋzikdϋde]

....Sure, it happens all the time but is it legal?

I'll assume the question is rhetorical. I'll also assume you didn't mean to imply that I think it's ok. The mention of that fact that it's a common practice shouldn't be misconstrued as condoning the act. Even if it weren't illegal, (a felony in some cases) it would still be wrong.

 

[Erwin]

Hi Erwin, Thanks for the response.



Yes. Though I've logged in and out multiple times so the cookies have been created and destroyed multiple times now. I have check the cookie manager and confirned that they are there or are not there as appropriate. However when they do exist, they are marked as on-sessio-only whereas my other cookies are all marked as having a year's life.



I always use the same bookmark to open CF. It opens to the main index.




Well, deleting the cookies isn't the problem. The problem is that they auto-delete when the browser session is closed. They are being created as one-session-only cookies and auto-delete on browser closure.

This means of course that I have to manually log-in every time I visit CF with a new browswer session.

I would suspect that something was wrong with my own settings if I had this problem with other vB3 boards. However I'm unable to reproduce the effect on any other board. This problem only happens on CF and only started after I was notified that I had to change my password.

So I wondered of there was something different about how CF was set up.

In any case, since this doesn't ring a bell with you, I'll continue to look for a solution from my side.

Odd... do you click the "Remember Me" box when you log in? Because you need to do that to create a cookie that is permanent.

 

[draper]

Thank you to the hacker for telling Erwin about the loophole, they certainly didn't have to -,and thank you to Erwin for fixing the loophole, you do an awesome job on this site.

 

[September]

Odd... do you click the "Remember Me" box when you log in? Because you need to do that to create a cookie that is permanent.

I'm having exactly the same problem as crazyfingers, and yes, I have checked the "Remember Me" box. But I still have to enter my password every time I return.