Jipa331

Clients
  • Posts: 42

Posts posted by Jipa331

  1. Hello,

    I'm using the latest IPS version, 4.7.17, and my store supports two different currencies, USD and EUR.
    Before the update, when we pressed this currency toggle, it changed the prices to either Euro or USD.

    However, I've noticed that after the 4.7.17 update, it only works on the store's front page, which is "https://somedomain.com/store".
    It does not work on the store's category pages (e.g., https://somedomain.com/store/category/someproduct).
    When I click that button on store category pages, nothing happens.

    I remember that this function used to work on the store category pages as well (actually, it would redirect to the store's front page when we clicked it before).
    Please check this issue. I thought it happened with my custom theme only, but I checked with the default IPS theme, and the same issue occurred.

  2. On 5/18/2024 at 5:28 AM, Matt said:

    This is a fairly substantial claim, what evidence do you have to support this?

    At the very least, even just looking at the posts in this thread, you can see that other people are already suffering from spam due to exposed passwords. Besides me, three or four of my friends who use the IPS platform are also struggling with spam and payment management issues due to exposed passwords. There are likely many IPS users who do not visit this forum frequently as well.

    The important thing here is not how many people are experiencing this issue. (Should action only be taken when a thousand or ten thousand people report the same problem?) Everyone is aware that many people's IDs and passwords have been exposed due to hacks on other large platforms (even Facebook was hacked).

    What I want to point out is that the current IPS lacks login security measures to block already exposed IDs and passwords. Two-factor authentication (2FA) and SMS verification are passive security methods that require users to set up and participate. Old accounts that have already left the forum cannot be protected with these login security methods since they no longer access the forum.

    One of the simple ways for the forum software itself to proactively protect users' logins is to add email verification. Many websites are already using such features for this purpose.

     

  3. Continuing part of this thread...
    Actually, this article is not about spam posts; it is about a login security option for IPS.

    Recently, many IPS forums have experienced hacking incidents where active user IDs were compromised, leading to spam posts and misuse of stored credit card information in the store. To prevent this, login security is crucial. However, the current IPS login security options are not sufficient.
    Although I believe these hacks are not directly obtained from IPS’s database but rather through already leaked ID and password combinations (probably), we still need to prepare for such risks.

    While 2 Factor Authentication (2FA) is effective, as I mentioned before, it does not protect the accounts of users who have not yet set up 2FA. Receiving a login verification code via SMS is another method, but it is paid, and users must pre-register their phone numbers to use it. Therefore, the most effective way to protect logins is to send a verification code to the email associated with the account during login and to have the user verify it (already many websites are using this login security method as you know). Users do not need to enter any additional information or settings in the forum; they just need to check their email to log in. This is more user-friendly.

    Some might argue that if the ID and password are exposed, their email login is also not secure. However, I disagree. Most users use email services from major platforms like Google and MSN, which send alert notifications to their apps or temporarily lock accounts if a login occurs from a different location or device. In this regard, email verification codes are deemed safer.

    Recently, a hacker approached me again, and I asked if they could access the ID and password for invisioncommunity.com. 10 minutes later, they sent me around a few hundred Invision Community IDs and passwords along with proof of successful logins. (I have sent the leaked IDs and passwords to you via 1:1 message. @Marc Stridgen & @Jim M)

    Invision Community itself is not safe from such malicious login attempts.

    Please consider this update seriously.
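
The email-code login step proposed in this post, as an added example (not part of the original post and not IPS code). The class name, the `send_mail` hook and the expiry and attempt limits are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600     # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 5   # wrong guesses allowed before the challenge is void (assumed policy)


class EmailLoginChallenge:
    """Second login step, run after the password check: a one-time code sent by email."""

    def __init__(self, send_mail, now=time.time):
        self._send_mail = send_mail           # hypothetical hook: callable(address, code)
        self._now = now                       # injectable clock, eases testing
        self._key = secrets.token_bytes(32)   # server-side key; codes are never stored in clear
        self._pending = {}                    # challenge id -> [account, digest, expires, tries]

    def _digest(self, challenge_id, code):
        msg = f"{challenge_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def start(self, account, email):
        """Call only after the password was accepted. Returns an opaque challenge id."""
        challenge_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"   # 6 digits from a CSPRNG
        self._pending[challenge_id] = [account, self._digest(challenge_id, code),
                                       self._now() + CODE_TTL, MAX_ATTEMPTS]
        self._send_mail(email, code)
        return challenge_id

    def verify(self, challenge_id, code):
        """Return the account name on success, None on any failure."""
        entry = self._pending.get(challenge_id)
        if entry is None:
            return None
        account, digest, expires, _tries = entry
        if self._now() > expires:
            del self._pending[challenge_id]        # expired codes are discarded
            return None
        if hmac.compare_digest(digest, self._digest(challenge_id, code)):
            del self._pending[challenge_id]        # single use
            return account
        entry[3] -= 1                              # count the wrong guess
        if entry[3] <= 0:
            del self._pending[challenge_id]        # stops guessing the 6-digit space
        return None
```

The attempt limit and expiry matter as much as the code itself: without them a six-digit code can simply be guessed by whoever already holds the leaked password.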

     

  4. On 5/2/2024 at 1:22 AM, Stuart Silvester said:

    We have released a patch to address this issue. Please go to AdminCP > System > Support and apply the patch from the first/top left box. If you do not see an option to install the patch, you already have the latest release.

    Do you mean that it will be fixed when we update to the latest IPS version 4.7.16?
    Or do we need to install something else?

    I'm not sure what the top-left box is, other than the Invision Community version.
     

  5. 7 minutes ago, Jim M said:

     

    You can also use the logout all members and change password requirements to ensure that users need to reset their password prior to logging in again. In conjunction with requirements around password difficulty, this will help hopefully change passwords for your users.

     

    Thanks for the suggestion. It would help to solve this issue.
    Where can I find this option in the IPS ACP? (log out all users at once and request all of them to reset their PW)

     

  6. 10 hours ago, Marc Stridgen said:

    I am curious as to how you have "notices this can happen on many IPS websites"? Could you perhaps elaborate on that?

    Regarding this,

    They demanded money to avoid leaking my website's ID and password information. To test their capabilities, I asked if they could obtain the ID and password for three other random IPS-based websites. Within 10 minutes, they sent me the credentials for these sites, involving thousands of accounts for each.

    What's most alarming is that these ID and password combinations were indeed functional on other IPS websites.

    Even though it's not IPS's fault, there needs to be better login protection. The current 2FA system is insufficient for securing all accounts. Currently, members must manually register 2FA after logging into our website.
    Implementing email code verification at login would be a more effective method to protect all accounts.

     

     

  7. 9 hours ago, Marc Stridgen said:

    I am curious as to how you have "notices this can happen on many IPS websites"? Could you perhaps elaborate on that?

    There isn't any way in which to actually get a password from the database (for example, even from the database, I couldn't tell you what your password is). So if someone is sending you usernames and passwords that are genuine, it's very likely they have gotten them from another source. We often find that users using the same password across multiple platforms are the ones that get targeted.

    Of course, if you have more specific information, please do feel free to contact our accounts department on the contact us link below (or pm me, that's not a problem). But a list of usernames and passwords being sent to you won't have come from your IPS database, as they simply aren't stored in a manner that is readable and would allow that, even with full access to a sites database. 

    If you have many customer accounts that have been compromised, I would advise you force all users to change passwords on your site, which you can do from the members section of your admin CP

    Yes, I am aware that ID and passwords are not stored as plaintext in the database but are encrypted. It's possible that the hacker found various IPS sites using a different ID/PW saving tool and organized this information to send to me.

    However, there is a major flaw in the IPS login system. I know that 2-Factor Authentication (2FA) is available and can be enforced, but this is useless for people who have already left the website. A hacker could log in using the leaked ID and password and then register their own 2FA key.

    Like many other websites, why doesn't IPS require email-based code verification when logging in? If this were possible, it could securely protect all accounts, including those of people who no longer use the website.

     

  8. My forum experienced the same issue. In my case, they weren't spamming articles (since only specific member groups can write articles on my forum), but they attempted to purchase products using the "saved credit card" information of genuine users.

    I've noticed that this can happen on many IPS websites.
    A few days ago, a hacker sent me a leaked list of IDs and passwords for my website, and I asked if they could obtain similar information for other IPS websites. They sent me leaked IDs and passwords for other IPS sites within 10 minutes. For me, this has been happening since March.

    Not sure whether this is a security problem related to IPS or not (I'm using the latest version of IPS now), but I just want to report a similar issue to the above.


  9. Hello,

    I'm building a new forum using IPS, but I forgot how to add a "security check" to the sign-up page. My old forum had it, as does invisioncommunity.com, but the new forum does not have a sign-up captcha.

    I tried to check the options in ACP, but there was only an option to use a Captcha for spam post prevention.

    This is my new forum,

     

    and this is my old forum and https://invisioncommunity.com/ 's setting for Sign up Captcha

     

    It would be great if anyone could refresh my memory about this captcha setting.
    Thanks!!

  10. Just now, hyprem said:

    I just came across this issue too, if you want to set up 2FA anyway you can click on the "not able to scan" and enter the code to your 2FA App, it's not that convenient, but security is not always convenient 😉

    Ye, 
    Maybe I need to wait until Google or IPS fix this issue.
    Our users will cry, and tickets will be flooded even though they can see the "not able to scan" option. 😥

  11. Hello,

    I'm trying to force Google 2FA auth on our forum users.
    However, I just noticed that the Google 2FA Setup QR Code image is broken now.

    How can I solve this issue? (I checked it on two different IPS forums, v4.7.4 and v4.7.12, but both have the same result.)
    I remember that it worked well before...
    People can add 2FA by manually typing the code, but that is not good for user experience.

     

    When I check that image URL manually, its format is like the one below, but the page was not found, with a 404 error.
    https://chart.googleapis.com/chart?cht=qr&chs=200x200&chl=otpauth://totp/USEREMAIL@SOMETHINGEMAIL.com?secret=SECRECTCODE%26issuer=WEBSITENAME

  12. Hello,

    I've been using Stripe for years without any problems until now.
    But I've just noticed today that when I try to add a new Stripe payment method (like Apple Pay, Giropay, etc.),
    it shows this error on my Dashboard.

    "There is not a webhook set up or it does not have all required event types enabled. The following events are required: source.chargeable, charge.succeeded, charge.failed, charge.dispute.created and charge.dispute.closed"

     

    This is happening all of a sudden now because I successfully added another Stripe payment option a few days ago.
    I set up all webhook addresses on the Stripe Dashboard properly and added Stripe's webhook IP addresses to the firewall whitelist,
    and... the already added Stripe Card payment gateway is still working well now. I just can't add a new Stripe payment method or edit the current one.

     

    Is there any idea how to solve this issue? Or is it suddenly an issue with IPS itself at present?
    I ask because I'm running two different Invision Community-based websites on different servers, but both are showing the same error (IPS Version 4.7.4).

     

    I guess this issue is similar to the thread below, but I'm not sure whether or how they fixed it.

     

     

     

  13. 11 hours ago, Jim M said:

    Are you able to place this in the notes field of your access details in the Client Area? This will allow our support staff to assist you. Otherwise, this will need to await Marc's shift tomorrow.

    I added details in the Client Area for "aimxxx.net".
    And you can check the page which is named "testpage".

    Also, I asked my friends to check the above issue:
    1. iPhone 14 Pro Max -> Same issue as above
    2. iPhone 11 Pro -> Same issue as above
    3. Galaxy Fold 4 -> Same issue as above

     

  14. 2 hours ago, Marc Stridgen said:

    The players and what they can play are determined by the device in which they are being played. Unfortunately it seems they are simply not able to be played by the embedded player on that device

    Em.. but it is a bit weird.
    On my friend's website (who is using the same IPS version as me), MP4 video plays well on my phone (iPhone 13).

    Also, I tried to upload the same video from my friend, and it is not playable on my website only. 😭
     
