Posts posted by Jipa331

  1. 7 minutes ago, Jim M said:

     

    You can also use the logout all members and change password requirements to ensure that users need to reset their password prior to logging in again. In conjunction with requirements around password difficulty, this will help hopefully change passwords for your users.

     

    Thanks for the suggestion. It would help to solve this issue.
    Where can I find this option in the IPS ACP? (log out all users at once and request all of them to reset their PW)

     

  2. 10 hours ago, Marc Stridgen said:

    I am curious as to how you have "noticed this can happen on many IPS websites"? Could you perhaps elaborate on that?

    Regarding this,

    They demanded money to avoid leaking my website's ID and password information. To test their capabilities, I asked if they could obtain the ID and password for three other random IPS-based websites. Within 10 minutes, they sent me the credentials for these sites, involving thousands of accounts for each.

    What's most alarming is that these ID and password combinations were indeed functional on other IPS websites.

    Even though it's not IPS's fault, there needs to be better login protection. The current 2FA system is insufficient for securing all accounts. Currently, members must manually register 2FA after logging into our website.
    Implementing email code verification at login would be a more effective method to protect all accounts.

     

     

  3. 9 hours ago, Marc Stridgen said:

    I am curious as to how you have "noticed this can happen on many IPS websites"? Could you perhaps elaborate on that?

    There isn't any way in which to actually get a password from the database (for example, even from the database, I couldn't tell you what your password is). So if someone is sending you usernames and passwords that are genuine, it's very likely they have gotten it from another source. We often find that users using the same password across multiple platforms are the ones that get targeted.

    Of course, if you have more specific information, please do feel free to contact our accounts department on the contact us link below (or pm me, that's not a problem). But a list of usernames and passwords being sent to you won't have come from your IPS database, as they simply aren't stored in a manner that is readable and would allow that, even with full access to a site's database.

    If you have many customer accounts that have been compromised, I would advise you force all users to change passwords on your site, which you can do from the members section of your admin CP.

    Yes, I am aware that ID and passwords are not stored as plaintext in the database but are encrypted. It's possible that the hacker found various IPS sites using a different ID/PW saving tool and organized this information to send to me.

    However, there is a major flaw in the IPS login system. I know that 2-Factor Authentication (2FA) is available and can be enforced, but this is useless for people who have already left the website. A hacker could log in using the leaked ID and password and then register their own 2FA key.

    Like many other websites, why doesn't IPS require email-based code verification when logging in? If this were possible, it could securely protect all accounts, including those of people who no longer use the website.

     

  4. My forum experienced the same issue. In my case, they weren't spamming articles (since only specific member groups can write articles on my forum), but they attempted to purchase products using the "saved credit card" information of genuine users.

    I've noticed that this can happen on many IPS websites.
    A few days ago, a hacker sent me a leaked list of IDs and passwords for my website, and I asked if they could obtain similar information for other IPS websites. They sent me leaked IDs and passwords for other IPS sites within 10 minutes. For me, this has been happening since March.

    Not sure whether this is a security problem related to IPS or not (I'm using the latest version of IPS now), but I just want to report an issue similar to the above.


  5. Hello,

    I'm building a new forum using IPS, but I forgot how to add a "security check" to the sign-up page. My old forum had it, as does invisioncommunity.com, but the new forum does not have a sign-up captcha.

    I tried to check the options in ACP, but there was only an option to use a Captcha for spam post prevention.


    This is my new forum,

     

    and this is the Sign up Captcha setting on my old forum and on https://invisioncommunity.com/


     

    It would be great if anyone could refresh my memory about this captcha setting.
    Thanks!!

  6. Just now, hyprem said:

    I just came across this issue too, if you want to set up 2FA anyway you can click on the "not able to scan" and enter the code to your 2FA App, it's not that convenient, but security is not always convenient 😉

    Ye, 
    Maybe I need to wait until Google or IPS fixes this issue.
    Our users will cry, and tickets will be flooded even though they can see the "not able to scan" option. 😥

  7. Hello,

    I'm trying to enforce Google 2FA auth for our forum users.
    However, I just noticed that the Google 2FA Setup QR Code image is broken now.

    How can I solve this issue? (I checked it on two different IPS forums, and it has the same result on both, v4.7.4 and v4.7.12)
    I remember that it worked well before...
    People can add 2FA by manually typing the code, but that is not good for user experience.


     

    When I check that image URL manually, its format is as below, but the page is not found (404 error).
    https://chart.googleapis.com/chart?cht=qr&chs=200x200&chl=otpauth://totp/USEREMAIL@SOMETHINGEMAIL.com?secret=SECRECTCODE%26issuer=WEBSITENAME
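
Added example (not part of the original post and not IPS code): decoding a URL of the format quoted above shows that the `chl` parameter carries the complete otpauth provisioning URI, so the TOTP secret, and with it the ability to compute valid codes, travels in the query string to the chart host. The sample URL, account and issuer are constructed, and the secret is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample in the format quoted in the post. The account and issuer
# are made up; the secret is the RFC 6238 test key, base32-encoded.
SAMPLE_URL = (
    "https://chart.googleapis.com/chart?cht=qr&chs=200x200&chl="
    "otpauth://totp/user@example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ%26issuer=ExampleForum"
)


def parse_qr_chart_url(url):
    """Decode the otpauth provisioning URI nested in the `chl` parameter."""
    outer = urlsplit(url)
    # parse_qs percent-decodes once, turning %26 back into the '&' that
    # separates `secret` from `issuer` inside the nested URI.
    inner = urlsplit(parse_qs(outer.query)["chl"][0])
    if inner.scheme != "otpauth" or inner.netloc != "totp":
        raise ValueError("chl does not carry a TOTP provisioning URI")
    params = parse_qs(inner.query)
    secret = params["secret"][0]
    # Authenticator secrets are base32, usually without '=' padding.
    key = base64.b32decode(secret + "=" * (-len(secret) % 8), casefold=True)
    return {
        "qr_host": outer.hostname,
        "label": unquote(inner.path.lstrip("/")),
        "issuer": params.get("issuer", [None])[0],
        "key": key,
    }


def totp(key, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, the default for otpauth URIs."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    fields = parse_qr_chart_url(SAMPLE_URL)
    print(fields["qr_host"], fields["label"], fields["issuer"])
    print("code at t=59:", totp(fields["key"], 59))
```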

  8. Hello,

    I've been using Stripe for years without any problems until now.
    But I've just noticed today that when I tried to add a new Stripe payment method (like Apple Pay, Giropay etc),
    it shows this error on my Dashboard.

    "There is not a webhook set up or it does not have all required event types enabled. The following events are required: source.chargeable, charge.succeeded, charge.failed, charge.dispute.created and charge.dispute.closed"


     

    This is happening all of a sudden now because I successfully added another Stripe payment option a few days ago.
    I set up all webhook addresses on the Stripe Dashboard properly and added Stripe's Webhook IP address to the firewall whitelist,
    and the already-added Stripe Card payment gateway is still working well now. I just can't add a new Stripe Payment Method or edit the current one.


     

    Is there any idea how to solve this issue? Or is it suddenly an issue with IPS itself at present?
    Because I'm running two different Invision Community-based websites on different servers, but both are showing the same error (IPS Version 4.7.4).

     

    I guess this issue is similar to the below thread, but I'm not sure whether or how they fixed it.

     

     

     

  9. 11 hours ago, Jim M said:

    Are you able to place this in the notes field of your access details in the Client Area? This will allow our support staff to assist you. Otherwise, this will need to await Marc's shift tomorrow.

    I added details in Client Area for "aimxxx.net" 
    And you can check the page which is named "testpage"

    Also, I asked my friends to check the above issue
    1. iPhone 14 Pro Max -> Same issue as above
    2. iPhone 11 Pro -> Same issue as above
    3. Galaxy Fold 4 -> Same issue as above

     

  10. 2 hours ago, Marc Stridgen said:

    The players and what they can play are determined by the device in which they are being played. Unfortunately it seems they are simply not able to be played by the embedded player on that device

    Em.. but it is a bit weird.
    On my friend's website (who is using the same IPS version as me), MP4 video plays well on my phone (iPhone 13).

    Also, I tried uploading the same video from my friend, and it is not playable only on my website. 😭
     

  11. Hello,

    I noticed this issue recently.
    Since 1~2 months ago, when a customer pays for one "Invoice", the commerce system sometimes makes two "Purchases".
    Due to this, the License Key delivery system (a.k.a. the SULK plugin) is delivering the key two times.
    I already contacted the SULK Plugin developer, and he said this duplicated "Purchase" issue is coming from the IPS system itself.
    How can I fix this issue?
    Is it a well-known bug?

    Thanks.

    (For the below case, invoice number #236521 makes two purchases, #117457 and #117458),

