Website Technology Issues Forum

someone seems to have snooped our website passwords

abersoch windsurfer
msg:3697311, 11:25 pm on Jul 12, 2008 (gmt 0)

We had couple of emails from our website members saying that someone had logged on to their account and changed/deleted stuff. We're now in the process of re-implementing using https for login/register.

We knew that this was a possibility one day without https.

Were we just unlucky? There are much, much bigger and well-known sites than us who don't use https and they have been around for much longer. Why don't they get targeted?

abersoch windsurfer
msg:3697322, 12:37 am on Jul 13, 2008 (gmt 0)

We've just found out that the two people who complained actually know each other and were complaining about the same account, one on behalf of the other. So now it sounds like something else has gone on... but we don't know for sure, so we're still running in emergency mode, not letting people log on until we secure things.

abersoch windsurfer
msg:3697424, 8:49 am on Jul 13, 2008 (gmt 0)

Turns out it was a domestic. The ex-girlfriend got the ex-boyfriend's password, logged on, deleted loads of stuff, denied all knowledge to the boyfriend and then emailed us to say that her account had been compromised as well, etc.

The thought of being targeted by a hacker having some fun looking for security loopholes and destroying everything scared us. Does that actually happen? It would be an easy way of destroying a website business.

eelixduppy
msg:3697727, 3:44 am on Jul 14, 2008 (gmt 0)

Interesting...

I'd recommend logging the IP addresses of those that log in if it's unique; it certainly would have helped in this case, but would in others as well. Having the IP address of the "attacker" would aid in discovering security holes and other attempts that person made on your system. In a case like this, however, you cannot really control what your users do with their passwords.

rocknbil
msg:3698082, 4:17 pm on Jul 14, 2008 (gmt 0)

TOTALLY agree. To use Selena Sol's words of "old" (in Internet terms) "Every user input is a potential hack." Logging every bit of info is an insight to see if anyone's trying, and plug holes before they succeed. Server logs often don't tell the whole story; I use logs from within the scripts for this, and log them before any data-cleansing routines.

We knew that this was a possibility one day without https.

While this is not a bad idea, SSL is not a cure-all. If your scripts have vulnerabilities that can be attacked from input, they can still be attacked over https. SQL or email injection are two examples. What SSL stops is data sniffing via port scanning or other "back door" techniques by encrypting the data en route.

Does that actually happen?

Search this message board for attacks on CMS systems and bulletin boards; it's rampant.
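The kind of in-script login audit eelixduppy and rocknbil describe, as an added example that is not code from the thread: every login attempt is recorded (with the username exactly as submitted, before any cleansing), a successful login from an address an account has never used before is flagged, and once one incident yields an address, everything that address did across other accounts can be pulled. Account names, IPs and timestamps are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class LoginEvent:
    when: datetime
    account: str        # normalised account name the login resolved to
    ip: str
    success: bool
    raw_username: str   # exactly what was submitted, logged before any cleansing


class LoginAudit:
    def __init__(self):
        self.events = []
        # account -> IPs seen on successful logins
        self.known_ips = defaultdict(set)

    def record(self, event):
        """Store the event. Returns True when a successful login comes from an
        IP the account has never used before (the first ever login is the
        baseline and is not flagged)."""
        self.events.append(event)
        if not event.success:
            return False
        seen = self.known_ips[event.account]
        is_new = bool(seen) and event.ip not in seen
        seen.add(event.ip)
        return is_new

    def activity_from(self, ip):
        """All events from one address, across every account, so the other
        attempts made by a known 'attacker' IP can be reviewed."""
        return [e for e in self.events if e.ip == ip]


def build_sample_audit():
    """Constructed scenario: the account owner logs in twice from home; a
    second address then fails against another account, logs in to the owner's
    account (flagged as a new IP), and fails against the other account again."""
    audit = LoginAudit()
    t = datetime(2008, 7, 12, 20, 0)
    events = [
        LoginEvent(t, "bob", "203.0.113.10", True, "bob"),
        LoginEvent(t, "bob", "203.0.113.10", True, "Bob "),   # raw input kept as typed
        LoginEvent(t, "alice", "198.51.100.7", False, "alice"),
        LoginEvent(t, "bob", "198.51.100.7", True, "bob"),
        LoginEvent(t, "alice", "198.51.100.7", False, "ALICE"),
    ]
    flags = [audit.record(e) for e in events]
    return audit, flags
```

Persisting the events to a file or table from the login handler, rather than the in-memory list here, is what makes the after-the-fact `activity_from` lookup possible.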
