Password Recovery Security / User Validation


Guest G-WizZ

Recently my board has had a problem where someone outside of our community has been able to gain access to my members' accounts through using a hotmail.com exploit, gaining access to the users' email accounts that they use for the forum profile, and using the password recovery tool to retrieve the account's login details. The last person that had this happen to them was one of my administrators, but luckily I was online at the time. I had all staff members hide their email addresses from the public and change them to anything except hotmail.com addresses. I had a few ideas what could be done to help prevent this:

:: Have any member requesting password recovery show up in the validating list, so the admin could compare the IP address to stop unauthorized access.

or

:: Have an option in ACP to allow only certain IP addresses to access certain accounts. This way even if the attacker does get the password, they won't be able to log into the account since the account only allows IP addresses from the rightful user.

Any feedback would be appreciated.


have an option in ACP to allow only certain IP addresses to access certain accounts. This way even if the attacker does get the password, they won't be able to log into the account since the account only allows IP addresses from the rightful user.

Would be nice, but a 2.1.x mod that allowed only certain IPs access to the ACP was nice, but some IPs change constantly (hours? daily?). If the above (yours) was implemented, IPS would have to think of a way around this.

True, and I thought of that, which is why I figured the first option, about validation, would be more plausible. It would help especially if none of the administrators are online at the time an attack occurs; it would prevent the attacker from gaining access to the victim's account, since the password recovery would have to be validated, exactly like a new account or email address change would be.

When my administrator's account was taken, I didn't even realize it because he wasn't on the forums at the time. I found out because he was logged into the ACP yet wasn't online, and the IP address did not seem familiar. If I had not also been in the ACP, I would not have been able to stop the attacker. The password recovery validation feature I suggested would have been great then. Hopefully other people will see this the same way as I do.

Thanks for your input.

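As an added example that is not part of this thread or of IPB's own code, the two suggestions above modelled in Python: a recovery queue that holds reset requests for staff validation and flags any request whose IP does not match the account's past login IPs, plus the optional per-account IP allow-list checked at login. Account names and IP addresses are constructed (RFC 5737 documentation ranges).

```python
# Added example (not from the thread or IPB): models the two suggestions above.
# Sample accounts and IPs are constructed (RFC 5737 documentation ranges).
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
import secrets


@dataclass
class Account:
    username: str
    known_ips: set                                    # IPs seen on past successful logins
    allowed_nets: list = field(default_factory=list)  # idea 2: per-account allow-list (empty = off)


@dataclass
class ResetRequest:
    username: str
    requester_ip: str
    token: str
    status: str = "pending"    # pending -> approved | rejected
    flagged: bool = False      # requester IP matches none of the account's known login IPs


class RecoveryQueue:
    """Idea 1: recovery requests wait in a validation list instead of mailing a reset at once."""

    def __init__(self):
        self.pending = {}

    def request_reset(self, acct, requester_ip):
        req = ResetRequest(acct.username, requester_ip, secrets.token_urlsafe(32))
        req.flagged = requester_ip not in acct.known_ips   # the comparison an admin would make
        self.pending[req.token] = req
        return req

    def validate(self, token, approve):
        """Staff decision; only an approved request may release a reset link to the mailbox."""
        req = self.pending[token]
        req.status = "approved" if approve else "rejected"
        return req

    def reset_link_ready(self, token):
        return self.pending[token].status == "approved"


def login_allowed(acct, ip):
    """Idea 2: even a correct password is refused from outside the account's allow-list."""
    if not acct.allowed_nets:
        return True            # option not enabled for this account
    addr = ip_address(ip)
    return any(addr in ip_network(n) for n in acct.allowed_nets)
```

With this flow, an attacker who has taken over the mailbox receives nothing until a staff member approves the request, and a mismatched requester IP is visible in the queue for exactly the check described in the thread.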
