someone seems to have snooped our website passwords

11:25 pm on Jul 12, 2008 (gmt 0)




We had a couple of emails from our website members saying that someone had logged on to their account and changed/deleted stuff. We're now in the process of re-implementing using https for login/register.

We knew that this was a possibility one day without https.

Were we just unlucky, because there are much, much bigger and well-known sites than us who don't use https and they have been around for much longer? Why don't they get targeted?

12:37 am on Jul 13, 2008 (gmt 0)




We've just found out that the two people who complained actually know each other and were complaining about the same account, one on behalf of the other. So now it sounds like something else has gone on... but we don't know for sure, so we're still running in emergency mode, not letting people log on until we secure things.

8:49 am on Jul 13, 2008 (gmt 0)




Turns out it was a domestic. The ex-girlfriend got the ex-boyfriend's password, logged on, deleted loads of stuff, denied all knowledge to the boyfriend and then emailed us to say that her account had been compromised as well, etc.

The thought of being targeted by a hacker having some fun looking for security loopholes and destroying everything scared us. Does that actually happen? It would be an easy way of destroying a website business.

3:44 am on Jul 14, 2008 (gmt 0)

eelixduppy (WebmasterWorld Senior Member)



Interesting...

I'd recommend logging IP addresses of those that login if it's unique; it certainly would have helped in this case, but would in others, as well. Having the IP address of the "attacker" would aid in discovering security holes and other attempts that person made on your system. In a case like this, however, you cannot really control what your users do with their passwords.
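The login logging recommended in the post above, as an added example that is not code from the thread or from WebmasterWorld: each login attempt is written to an audit log as one JSON line carrying the client IP, a successful login from an address the account has never used before raises a "new-ip" alert, and repeated failures raise a "repeated-failure" alert. The account names, the RFC 5737 test addresses and the failure threshold are constructed for the example; the log can then be searched by IP to see which accounts an address touched.

```python
"""Per-login audit log with new-IP and repeated-failure alerts (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events: (user, client IP, login succeeded?).
# Accounts are hypothetical; the addresses come from the RFC 5737 test ranges.
SAMPLE_EVENTS = [
    ("alice", "192.0.2.10", True),
    ("alice", "192.0.2.10", True),
    ("bob", "198.51.100.7", False),
    ("bob", "198.51.100.7", False),
    ("bob", "198.51.100.7", False),
    ("bob", "198.51.100.7", True),
    ("alice", "203.0.113.99", True),   # first login from an address alice never used
]

FAILURE_THRESHOLD = 3  # assumed value; tune to the site's own traffic


class LoginAudit:
    """Append-only audit log kept in memory here; a real deployment writes the lines to disk."""

    def __init__(self):
        self.lines = []                    # one JSON document per login attempt
        self.known_ips = defaultdict(set)  # user -> IPs that have logged in successfully
        self.failures = defaultdict(int)   # user -> consecutive failed attempts

    def record(self, user, ip, ok, when=None):
        """Log one attempt and return the list of alerts it raised (possibly empty)."""
        when = when or datetime.now(timezone.utc)
        alerts = []
        if ok:
            # A successful login from a never-before-seen address is worth a look.
            if self.known_ips[user] and ip not in self.known_ips[user]:
                alerts.append("new-ip")
            self.known_ips[user].add(ip)
            self.failures[user] = 0
        else:
            self.failures[user] += 1
            if self.failures[user] >= FAILURE_THRESHOLD:
                alerts.append("repeated-failure")
        entry = {
            "ts": when.isoformat(),
            "user": user,
            "ip": ip,
            "result": "ok" if ok else "fail",
            "alerts": alerts,
        }
        self.lines.append(json.dumps(entry, sort_keys=True))
        return alerts

    def users_seen_from(self, ip):
        """Accounts that logged in successfully from `ip`, reconstructed from the log lines."""
        return sorted({
            e["user"]
            for e in map(json.loads, self.lines)
            if e["ip"] == ip and e["result"] == "ok"
        })


def replay(events):
    """Feed a batch of events through a fresh audit log; return it and the per-event alerts."""
    audit = LoginAudit()
    return audit, [audit.record(user, ip, ok) for user, ip, ok in events]


if __name__ == "__main__":
    audit, alerts = replay(SAMPLE_EVENTS)
    for line, raised in zip(audit.lines, alerts):
        print(line, "<-- ALERT" if raised else "")
    print("accounts seen from 203.0.113.99:", audit.users_seen_from("203.0.113.99"))
```

In the scenario from the thread, the log would have shown the account's usual address alongside the one the deletions came from, which settles the "compromised account" question without any guesswork.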

4:17 pm on Jul 14, 2008 (gmt 0)

rocknbil (WebmasterWorld Senior Member)



TOTALLY agree. To use Selena Sol's words of "old" (in Internet terms) "Every user input is a potential hack." Logging every bit of info is an insight to see if anyone's trying, and plug holes before they succeed. Server logs often don't tell the whole story; I use logs from within the scripts for this, and log them before any data-cleansing routines.

We knew that this was a possibility one day without https.

While this is not a bad idea, SSL is not a cure-all. If your scripts have vulnerabilities that can be attacked from input, they can still be attacked over https. SQL or email injection are two examples. What SSL stops is data sniffing via port scanning or other "back door" techniques by encrypting the data en route.

Does that actually happen?

Search this message board for attacks on CMS systems and bulletin boards, it's rampant.
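The practice described in the reply above, logging from within the script and before any data-cleansing routine, as an added example that is not code from the thread or from WebmasterWorld. A contact-form handler writes the submission to its own log exactly as received, inspects that raw copy for the two injection kinds the reply names (email header injection and SQL injection), and only then cleanses the fields for downstream use. The form fields, the sample submissions and the signature patterns are constructed for the example; the patterns are a tripwire for the log, not a replacement for parameterised queries and proper email address validation.

```python
"""Log raw form input before cleansing, then inspect it for injection fingerprints (added example)."""
import json
import re
from datetime import datetime, timezone

# Constructed sample submissions (hypothetical form with an email and a message field).
BENIGN = {"email": "alice@example.com", "message": "Hello, I have a question."}
SUSPECT = {
    "email": "alice@example.com\r\nBcc: other@example.com",  # extra mail header smuggled in
    "message": "x' OR '1'='1",                                # classic SQL fingerprint
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Header injection needs a line break followed by something that looks like a header name.
HEADER_INJECT_RE = re.compile(r"[\r\n]\s*[A-Za-z-]+\s*:")
# A few common SQL-injection fingerprints (assumed list; extend from your own logs).
SQL_HINT_RE = re.compile(
    r"(?i)(?:'\s*(?:or|and)\b|--|;\s*(?:drop|delete|update)\b|\bunion\s+select\b)"
)


class ScriptLog:
    """In-memory stand-in for the script's own log file."""

    def __init__(self):
        self.entries = []

    def write(self, stage, remote_ip, payload):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "stage": stage,
            "ip": remote_ip,
            "data": json.loads(json.dumps(payload)),  # snapshot, so later edits don't alter the record
        })


def inspect(form):
    """Return {field: [finding, ...]} for every field that looks like an injection attempt."""
    findings = {}
    for field, value in form.items():
        hits = []
        if HEADER_INJECT_RE.search(value):
            hits.append("header-injection")
        if SQL_HINT_RE.search(value):
            hits.append("sql-pattern")
        if field == "email" and not EMAIL_RE.match(value):
            hits.append("bad-email")
        if hits:
            findings[field] = hits
    return findings


def cleanse(form):
    """Collapse line breaks in every field; the untouched copy is already in the log."""
    return {k: re.sub(r"[\r\n]+", " ", v).strip() for k, v in form.items()}


def handle_submission(form, remote_ip, log):
    # 1. Log the raw submission first, exactly as the client sent it.
    log.write("raw", remote_ip, form)
    # 2. Inspect the raw copy, so the fingerprints are what ends up on record.
    findings = inspect(form)
    if findings:
        log.write("rejected", remote_ip, findings)
        return {"accepted": False, "findings": findings}
    # 3. Only now cleanse the data for the mailer or the database layer.
    return {"accepted": True, "clean": cleanse(form)}


if __name__ == "__main__":
    log = ScriptLog()
    print(handle_submission(BENIGN, "192.0.2.10", log))
    print(handle_submission(SUSPECT, "198.51.100.7", log))
    for entry in log.entries:
        print(json.dumps(entry))
```

Because the log is written before `cleanse()` runs, the "Bcc:" line and the quote-OR pattern survive into the record even though the cleansed copy would have hidden them; that is the whole point of logging ahead of the cleansing routine.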
