Joined: Oct 2008
Posts: 104
Member
All,

I received this email yesterday.

Can someone address how much of this is true, and if there is anything I can do to rectify it?

Thanks in advance. The email...
================================================
Your website forum 'forum.pianoworld.com' is providing passwords in clear-text via email upon registration and is also not offering encrypted communications while browsing the page. This presents a security risk to users of the site if a malicious actor were to target the web page. Knowing that the password is sent via email poses many threats, including, but not limited to, the presence of plain-text passwords in the password store which, if breached, could allow an attacker to impersonate any user on the site, or worse, use shared credentials of targeted individuals on other websites (such as a user's bank if they re-use the same password). The presence of a clear-text password in the email registration also indicates that the password is sent unsecured via the internet and could be intercepted at any location en route to the user; it is also stored in the user's mailbox and could be captured if the user's mailbox were being monitored -- this allows an attacker to again impersonate the user, or use this password on other sites which may share the same credentials.

The communication between the browser and the forums page is not encrypted, including during login, which means an attacker who sits between a user and the forums login can scrape the password from the unencrypted communications and again impersonate the user. It stands to reason that the software hosting the forums is likely very outdated and likely contains extensive bugs that could allow an attacker to gain unauthorized access to the forum. With this, the attacker could implant malicious software, monitor user logins, use the hosting platform as an attack vector for other malicious content, etc.

Please update and secure your services immediately.


Founder/Host
Piano World
https://PianoWorld.com
Home of the world famous Piano Forums.
http://forum.PianoWorld.com
88,000+ registered members
Over 2.5 million posts, and growing...
Joined: Apr 2004
Posts: 1,945
Likes: 145
UBB.threads Developer
"Unencrypted communications" relates to the user's end. This could be any one of your members or yourself, if you were to log in using a free or untrusted wifi connection (think: hotel or Starbucks or McDonald's or anything open in the wild).

The bulk of that message is scare-tactics FUD. I would receive similar spam emails many years ago from companies offering to convert my website for a small fee, even though I had already been on https for several years prior. But overall, you really should already be on https by now. You have user logins. You are not sending static HTML source. Each of your forum pages is presented per each of its account access levels.

A simple guide has already been put together to help you move your UBB.threads forums from basic http to https:
https://www.ubbcentral.com/forums/u...transition-your-forum-from-http-to-https

Last edited by isaac; 12/16/2018 5:13 PM. Reason: corrected typos (I'm on a smartphone)

Current developer of UBB.threads PHP Forum Software
Current Release: UBBT 7.7.5 // Preview: UBBT 8.0.0
isaac @ id242.com // my forum @ CelicaHobby.com
