URGENT! CF had a security loophole, so all members must change their passwords!

[Erwin]

Hi,

It has come to my attention that CF had a security loophole - it was an obscure one, but it was one that one or more hackers had taken advantage of. What it allowed was for a hacker to copy a member's cookie onto their own computer, and to log on as the member.

The hacker did not get the member's password since that is encrypted - all he got was the cookie. However, with this cookie, the hacker could log in as the member. In fact, this hacker got access to staff accounts as well.

I have spoken to the hacker himself, and though his identity will remain private, this is not something I've made up. It's real.

As such, I've made it so that all members are forced to change their passwords. Once you have changed your password, this will invalidate any old cookie, and would render the hacker unable to log in as another member anymore.

The security loophole has been removed since.

This only affects people who had their cookies stolen - not all members are affected. But to play it safe, all members must have their passwords changed just in case.

My apologies for the inconvenience. I am still in shock, and still in a phase of recovering from this.

Thank you for understanding.

 

[Erwin]

For the curious members, it was that popup spoiler tag that had the security loophole. I knew about it but didn't think it could be compromised - a smart member figured it out, and used it to get access to our staff forums, and more than one staff account, and in all probability, more than one member account. Also, there may be more than one member who did this.

This is one reason why I changed the spoiler tag to a dropdown window... but obviously I was too late.

Sorry again for not fixing this earlier.

At least no real damage was done - the problem is fixed with a simple password change, so this is why all members need to do this.

 

[caitlincares]

Thanks for the explanation and all your hard work as usual.

 

[Erwin]

As a precaution, you may be required to change your password twice over the next 48 hours. Sorry about that, but better safe than sorry.

 

[Sun_flwer]

I don't understand why anyone would want to cause such trouble . But i'm glad it's been fixed.

 

[Erwin]

I should add that the "hacker" contacted me just now and wanted me to say that he did not read anyone's PMs, except for a particular staff member.

 

[BarbB]

Does this situation have anything to do with the fact that I've gotten emails from people I don't know which are carrying viruses (thanks to Yahoo for having virus detection software!)? Just wondering?

 

[49erfan]

Thanks for explaining this. I was wondering why I needed to change my password after 381 days. That seemed like a strange point to be required to change it.

 

[USincognito]

I got a "password over 200 days" notice last night, and just got a "password over 1 day notice" is this a bug or just part of the overall threat level response and my home computer's cookie vs. work computer?

Any indication that I'll need to change my password daily? I hope not.

 

[HomeChicklet]

yeah not dialy please that would be hard to keep track of...but thanks Erwin...i appreciate you telling all of us and being straight up....and im glad no real damage was done

 

[ps139]

Erwin said some may have to change passwords twice. It is normal. I had to change mine 2 times but that will probably be the end of it.

 

[Freodin]

Thanks for the explanation - and the quick action to make sure this forum stays a save room for us to communicate.

I have to wonder though: the initial message I got said that my password was over 16000 days old. I know how time flies by - but I did not realize I had been om this forum for over 40 years.

 

[HisWinterRose]

I was sorta wondering if something was wrong when I went to get on this morning it said that my PASSWORD was 3 days old & that I needed to change it so I did and then soon after I posted it came up again and I had to change it again so ... I did so I hope that my problem is ok ... so thanks for keeping us posted !!

T- BEAR

 

[kua2u]

Yup, I think this IS a blessing in disguise. Because now you know about the hole, the breach, and it's been fixed.

I think the hacker helped us.

Blessings to all

 

[Mistermystery]

I got a "password over 200 days" notice last night, and just got a "password over 1 day notice" is this a bug or just part of the overall threat level response and my home computer's cookie vs. work computer?

Any indication that I'll need to change my password daily? I hope not.

Ditto for me. Security is okay, but having to change your password 50 times a day is riddiculous.

 

[elanor]

I'm sorry you had to deal with that stress, Erwin. Thanks for fixing it! Changing our passwords a couple of times is certainly a small price to pay for keeping accounts safe.

 

[oncewaslost]

you should only have to change it twice.

 

[MQTA]

Oh wow! The spoiler popup? So if you didn't click on any of them, you should be ok, right?

Spoiler: This is buggy?

Glad it's fixed!

 

[Steve_SandbachBaptist_UK]

Firstly, apologies for my email moaning, I was just peeved at having to change my password after just over a month. Secondly, very strange that some1 actually on the forums would log into other members' accounts...not christian behaviour either, but then it may have been a non-Christian.

Steve

 

[Bulldog]

Thank you. I knew it was a bit strange to see that my password had expired after 142 days.

It let me put in my old password, does that count as a change or do I need a new password.