Tyler Loewen

    Bug: My site uses S3 to store most file uploads. When I upload a verification image, it uploads it to disk (it's set to upload to disk in the file management settings). The image properly displays in the user account settings panel. But in the moderator verification section, it has a broken link using one of our S3 bucket URLs. Setting the file management for verification to S3 resolves this issue.

    Suggestion: Ability to override the Font Awesome includes so that I can use my own, updated, pro version of Font Awesome. And the ability to not include it at all in the case of it already being included.

    Suggestion: Ability to define custom CSS for each icon from within the plugin settings. That way I can change its size, add animations, add shadows, add transitions, etc.

    Suggestion: Ability to choose whether the images are saved or deleted upon approval/disapproval. This would help organisations like mine combat [credit card] fraud.

    Suggestion: Ability to add different verification procedures. One procedure like the one that already exists. One for ID and utility bill verification (multiple uploads). One for credit card verification where companies like mine can match up pictures of users' credit cards with the information we have from Stripe or PayPal. Etc.

    Suggestion: Ability to add data to each successful verification, and this data can only be seen by members of chosen user groups. Like if my Discord handle were to be verified, a popup (or alt text) would show my verified Discord handle when a user were to hover over or click on the verified icon.

    These features would be very useful for my business and other organisations or enterprises. I'd imagine you'd be able to charge a lot more if this plugin had those features. I very much like the plugin so far! Thank you for considering my suggestions.
  1. Being able to reset an account's 2FA via email allows for an exploit if a hacker is able to compromise the user's email address. If the user's email address is compromised, the hacker will be able to reset both the account's password and 2FA, thus having the ability to access the account. An available solution is to require contacting the administrator to reset the user's 2FA. But this requires an admin's time, plus a hacker could still social engineer the admin. Having 2FA backup codes would make the 2FA system less exploitable while not requiring an admin's time to reset the 2FA. I think this solution would be beneficial to Invision Power's commercial users and high-traffic web sites.
  2. 1. No, not with your plugin, but unless the one reset handling module is extended, the user gets automatically logged in upon clicking the password reset confirmation link (positive of this). I don't know the exact mechanism of your plugin, but I figured I'd ask just in case. Maybe your plugin does have protection against this. I haven't purchased it so I wouldn't know. Code run upon clicking a valid password reset link:

         /* Reset the failed logins storage - we don't need to save because the login handler will do that for us later */
         $member->failed_logins = array();

         /* Now reset the member's password */
         foreach ( \IPS\Login::handlers( TRUE ) as $handler )
         {
             /* We cannot update our password in some login handlers, that's ok */
             try
             {
                 $handler->changePassword( $member, $values['password'] );
             }
             catch( \BadMethodCallException $e ){}
         }

         /* Delete validating record and log in */
         \IPS\Db::i()->delete( 'core_validating', array( 'member_id=? AND lost_pass=1', $member->member_id ) );

         /* Log in and redirect */
         \IPS\Session::i()->setMember( $member );
         \IPS\Output::i()->redirect( \IPS\Http\Url::internal( '' ) );

     5. Yes, a successful brute-force via the login form may be extremely unlikely, but still as possible as, say, winning a large jackpot multiple times in a row. A dictionary attack could also be used. I can't remember if the flood check has a counter per IP address, or a global counter for failed logins. If the former, then a large botnet can be used to expedite this process. Nevertheless, if a hacker is able to test a password for an account to confirm that the password is correct, then as mentioned the hacker will be able to confirm the target's password. This can be dangerous because the target could then be susceptible to getting accounts at other sites compromised. Additionally, the attack surface area of IPBoard could be increased. Not too big of a concern as the possibility of this actually being exploited is slim to none, but I like to leave nothing open.

     It'd also be neat to have the UCP allow the user to have settings which [dis]allow changes to the user's password or email to require the OTP.
  3. Are you re-formatting or replacing all characters which don't make up a valid URL? Using urlencode or a similar function might solve these problems. Questions: When resetting a password via email, visiting the reset link will automatically log in the user without the need for the user to enter any login credentials, potentially bypassing the 2FA prompt. Does this have protection against that? This is the issue gotoel was describing. Will you add the ability to create 16+ character backup codes in the case the user loses access to their authentication device? Is it possible to generate a new secret key granted the user enters a valid OTP? Is the secret key hidden/QR code hidden after activating the 2FA? Is the prompt for the OTP asked for after successfully logging in with the correct username and password for the user? This is a security flaw as it allows hackers to guess or brute-force a user's password, even if the hacker won't be able to gain full control of the account because of the lack of having a valid OTP.
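The two posts above both come down to the same ordering problem: the reset handler quoted earlier calls setMember() right after changePassword(), so a reset link alone yields a full session. The example below is added here to show the alternative the posts ask for; it is not Invision Community code and not the plugin's code. Member, Session, the token check, the $totpVerify callback and every function name are hypothetical stand-ins. It also covers the backup-code request: single-use codes of 20 hex characters, stored only as hashes and burned on use.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical, not IPS or plugin code): a reset-link handler that
// changes the password but only grants a session once the second factor passes,
// plus hashed single-use backup codes for members who lose their device.

final class Member
{
    /** @param string[] $backupCodeHashes sha256 hashes of unused backup codes */
    public function __construct(
        public int $id,
        public string $passwordHash,
        public ?string $totpSecret = null,      // null means 2FA is not enabled
        public array $backupCodeHashes = [],
        public array $failedLogins = [],
    ) {}
}

final class Session
{
    public ?int $memberId = null;            // set only once every factor has passed
    public ?int $pendingSecondFactor = null; // member who still owes an OTP
}

/** Issue fresh single-use backup codes; the plaintext is returned to display once. */
function generateBackupCodes(Member $m, int $count = 10): array
{
    $codes = [];
    for ($i = 0; $i < $count; $i++) {
        $codes[] = bin2hex(random_bytes(10)); // 20 hex chars, 80 bits of entropy
    }
    // Random high-entropy codes can live under a fast hash; a password KDF is only
    // needed for low-entropy secrets a user chose.
    $m->backupCodeHashes = array_map(fn(string $c): string => hash('sha256', $c), $codes);
    return $codes;
}

/** Consume a backup code: constant-time compare, and the code is removed on success. */
function redeemBackupCode(Member $m, string $code): bool
{
    $candidate = hash('sha256', strtolower(trim($code)));
    foreach ($m->backupCodeHashes as $i => $stored) {
        if (hash_equals($stored, $candidate)) {
            unset($m->backupCodeHashes[$i]);
            $m->backupCodeHashes = array_values($m->backupCodeHashes);
            return true;
        }
    }
    return false;
}

/**
 * Confirm a reset link. The password is changed and the failed-login counter is
 * cleared, as in the quoted handler, but a member with 2FA enabled is parked in a
 * pending state instead of being logged in. Returns the route to send the user to.
 */
function completePasswordReset(Member $m, string $token, string $storedTokenHash,
                               string $newPassword, Session $s): string
{
    if (!hash_equals($storedTokenHash, hash('sha256', $token))) {
        return '/lostpass?error=invalid';
    }
    $m->passwordHash = password_hash($newPassword, PASSWORD_DEFAULT);
    $m->failedLogins = [];
    if ($m->totpSecret !== null) {
        $s->pendingSecondFactor = $m->id;    // no session yet, only a pending marker
        return '/login/2fa';
    }
    $s->memberId = $m->id;                   // no second factor configured
    return '/';
}

/** Second step: a TOTP (checked by the injected callback) or an unused backup code. */
function completeSecondFactor(Member $m, Session $s, string $otp, callable $totpVerify): bool
{
    if ($s->pendingSecondFactor !== $m->id) {
        return false;                        // no password step preceded this request
    }
    $ok = $totpVerify($m->totpSecret, $otp) || redeemBackupCode($m, $otp);
    if ($ok) {
        $s->pendingSecondFactor = null;
        $s->memberId = $m->id;               // the only place a 2FA member gets a session
    }
    return $ok;
}
```

The same pending-state gate can sit behind the normal login form: a correct password moves the session to pendingSecondFactor rather than memberId, and the OTP step is what finally sets memberId. Rate limiting then applies to both steps together, which addresses the concern about using the form as a password oracle.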