
"Guest" has registered


bradl


Posted

Lately I'm getting a mix of registration notification emails that sometimes include the display name and sometimes do not. 


If I go to "Guest's profile" I do in fact see a proper display name. Sometimes the notifications include the chosen display name as they always did in the past. I'm puzzled by these new "Guest" registrations. Why are they not picking up the display name?

Posted

This happens if a user connects to your forum by using Facebook, Twitter or any other service.
After the user has signed up, he has to choose a username. Because this username isn't set when the notification is sent, you see "Guest" as the user name.

Don't worry, everything is working ^.^

Posted

I ended up disabling all social media login handlers because of a dangerous side effect related to the login handlers:

  • members didn't need to be logged in to their IPS account on my community to be able to share messages via the status updates module; a dangerous side effect
  • new members could create an account without selecting a username or display name; this one is a nasty side effect that has never been corrected

I just don't trust the login handlers for social media accounts because of these side effects.

Posted
1 hour ago, Morisato said:

I ended up disabling all social media login handlers because of a dangerous side effect related to the login handlers:

  • members didn't need to be logged in to their IPS account on my community to be able to share messages via the status updates module; a dangerous side effect
  • new members could create an account without selecting a username or display name; this one is a nasty side effect that has never been corrected

I just don't trust the login handlers for social media accounts because of these side effects.

In your community. It's not a security hole. The end user has to set up syncing. Not really dangerous.

Posted

@MADMAN32395, there's a problem with that. Since the users on my community were last active back when IPS3 was released, it's not a sync issue, it's a security hole issue, because the users hadn't logged into their accounts since 2011 and 2012. The other thing? I hadn't enabled Facebook and Twitter logins until around IPS 3.3/3.4.

Posted
5 hours ago, Morisato said:

@MADMAN32395, there's a problem with that. Since the users on my community were last active back when IPS3 was released, it's not a sync issue, it's a security hole issue, because the users hadn't logged into their accounts since 2011 and 2012. The other thing? I hadn't enabled Facebook and Twitter logins until around IPS 3.3/3.4.

If you had those handlers enabled and set up in 3.x and upgraded, it's still going to be enabled and working in 4.x.

Posted

The problem is that it wasn't enabled for their accounts. It wasn't even used until after those users became inactive, and automatic status update imports should not be enabled by default. It's like leaving the keys to your locked home sitting on your front porch, allowing anyone to enter your home unhindered. It's a horrible idea to set that always on by default and represents irresponsibility. The reason why is simply because some spammer could register for an account and never be discovered, and then just post on their Facebook or Twitter accounts and constantly post spam on your site without having to log into their forum account.

It's a security vulnerability, especially if there's a bug in the software that allows someone to hack your site through Facebook.

To make matters worse, there's also another major security hole where users are allowed to register via Facebook and Twitter without selecting a username. I have created support ticket after support ticket asking for IPS to look into an issue and they've either refused to address it, ignored the ticket or given me the company line "it's working as intended". It's why I disabled the feature a long time ago allowing users to login through social media. Either it's an issue with the IPS software or it's a security hole on Facebook's side. But, I've never received any kind of valid response from IPS Support over it.

To this day, the problem has never been addressed by support and they've never looked into the problem.

Archived

This topic is now archived and is closed to further replies.
