Polverone - 13-3-2005 at 00:05
Just a few minutes ago I found that I'd been logged out of the board. My password no longer worked to log me back in. I was able to reset my
password by directly editing the MySQL database. I looked in the control panel, and didn't see any suspicious activity. It doesn't appear
that anything bad was done with my compromised account, if it was indeed compromised. Still, I find this somewhat disturbing, especially since XMB has
had so many security problems in the past.
Please post if you've experienced any other suspicious glitches lately.
Eliteforum - 13-3-2005 at 03:43
Exactly the same problem as above.
The_Davster - 13-3-2005 at 10:12
I did not have that problem.
Esplosivo - 13-3-2005 at 10:25
Either yesterday or the day before I had to re-login, which is not usual. I don't know if it is related.
Polverone - 13-3-2005 at 14:33
The cookies eventually expire and you have to re-login at intervals, so that by itself is not suspicious. Eliteforum, how are you posting if you have
my same problem? I had to manually edit the MySQL entry for my password hash to get back in.
Eliteforum - 13-3-2005 at 15:08
I meant, I normally stay logged in. And I had to put in my password again. Which is very unusual as I never have to login.
Sorry for the confusion.
More mysterious stuff
Polverone - 14-3-2005 at 13:24
I found the following message in my Yahoo mailbox today. It was sent yesterday:
This is an automatic e-mail. Yourself, or someone has requested your
password to be resent to you, your details are below.
Polverone
[some password I'd never used]
The password was a scramble of letters and numbers, like a randomly generated password reset. How could my password have been reset? It explains why I
couldn't log in, though.
Edit: it seems that the "forgotten password" feature can be used to do this. As long as you know someone's username and the email
address they signed up with, you can reset their password. I suppose this could be used as a low-grade denial of service attack, by constantly
resetting passwords, but it can be fixed if people change their email address to something new and not-visible on the board.
[Edited on 3-14-2005 by Polverone]
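The reset behaviour described in the post above, next to a token-based flow that leaves the current password working until the mailbox owner confirms. This is an added example, not part of the original thread and not XMB's code; the `Board` class, its method names, the one-hour token lifetime and the sample account are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 3600  # assumed token lifetime in seconds

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Board:
    """Toy account store (hypothetical; not XMB's code or schema)."""
    def __init__(self):
        self.users, self.pending, self.outbox = {}, {}, []

    def set_password(self, name, password):
        salt = secrets.token_bytes(16)
        self.users[name]["pw"] = (salt, _pw_hash(password, salt))

    def add_user(self, name, email, password):
        self.users[name] = {"email": email}
        self.set_password(name, password)

    def login(self, name, password):
        salt, digest = self.users[name]["pw"]
        return hmac.compare_digest(digest, _pw_hash(password, salt))

    def _matches(self, name, email):
        user = self.users.get(name)
        return user is not None and user["email"].lower() == email.lower()

    def reset_immediate(self, name, email):
        # Behaviour described in the thread: the request itself replaces the password.
        if self._matches(name, email):
            new = secrets.token_urlsafe(9)
            self.set_password(name, new)
            self.outbox.append((email, new))  # outbox stands in for mail delivery

    def request_reset(self, name, email, now=None):
        # Hardened: mail a single-use token; the current password keeps working.
        if self._matches(name, email):
            token = secrets.token_urlsafe(32)
            expires = (now or time.time()) + TOKEN_TTL
            self.pending[name] = (hashlib.sha256(token.encode()).digest(), expires)
            self.outbox.append((email, token))

    def confirm_reset(self, name, token, new_password, now=None):
        digest, expires = self.pending.get(name, (b"", 0))
        ok = (now or time.time()) < expires and hmac.compare_digest(
            digest, hashlib.sha256(token.encode()).digest())
        if ok:
            del self.pending[name]  # single use: the token cannot be replayed
            self.set_password(name, new_password)
        return ok
```

With the token flow, a third party who knows the username and email can still cause a reset mail to be sent, so request rate limiting per account is a separate control.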
Organikum - 14-3-2005 at 13:52
I had to re-login too. I actually don't mind anybody grabbing my password here, if he posts nonsense it will get deleted, I use a unique password here
matching nowhere else I roam and all my interesting PMs are PGP encrypted.
/ORG