marcotheminer (OP)
Legendary
Offline
Activity: 2072
Merit: 1049
┴puoʎǝq ʞool┴
October 22, 2014, 08:53:19 PM
This just recently came to my attention.
How is it that an account's email can be changed without verification from said email? Likewise with password changing.
This should be implemented asap, before the new forum (another year will be too long of a wait for such an issue)
mprep
Global Moderator
Legendary
Offline
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
October 22, 2014, 08:58:10 PM
It was noted many times before in several threads and people have mentioned that it should be included in the new forum software. It didn't have its dedicated thread then (well, now it does). I do agree; a lot of hacks happen due to said flaw, as hackers, once they've gained access to the account, can simply change the email and password.
marcotheminer (OP)
Legendary
Offline
Activity: 2072
Merit: 1049
┴puoʎǝq ʞool┴
October 22, 2014, 09:15:04 PM
> It was noted many times before in several threads and people have mentioned that it should be included in the new forum software. It didn't have its dedicated thread then (well, now it does). I do agree; a lot of hacks happen due to said flaw, as hackers, once they've gained access to the account, can simply change the email and password.

Security aspects should be implemented immediately in this forum version. I feel waiting another year just for these much needed security upgrades would be too long. Layout, avatars and performance can come at a later date. Security needs to come tomorrow.
Dare
October 23, 2014, 03:32:18 AM
> It was noted many times before in several threads and people have mentioned that it should be included in the new forum software. It didn't have its dedicated thread then (well, now it does). I do agree; a lot of hacks happen due to said flaw, as hackers, once they've gained access to the account, can simply change the email and password.
>
> Security aspects should be implemented immediately in this forum version. I feel waiting another year just for these much needed security upgrades would be too long. Layout, avatars and performance can come at a later date. Security needs to come tomorrow.

Agreed; security is important, particularly so on a forum dedicated to cryptography. Though it's possible to recover accounts after their email has been changed, the process is cumbersome and time-consuming. I'm certain a plugin for email verification already exists for SMF, but it wouldn't be particularly hard to create one independently if necessary (generate a password reset key and store it in a database, send an email, invalidate unused keys after ~24 hours).
FunnyHat43
Newbie
Offline
Activity: 48
Merit: 0
October 23, 2014, 03:40:35 AM
> It was noted many times before in several threads and people have mentioned that it should be included in the new forum software. It didn't have its dedicated thread then (well, now it does). I do agree; a lot of hacks happen due to said flaw, as hackers, once they've gained access to the account, can simply change the email and password.
>
> Security aspects should be implemented immediately in this forum version. I feel waiting another year just for these much needed security upgrades would be too long. Layout, avatars and performance can come at a later date. Security needs to come tomorrow.
>
> Agreed; security is important, particularly so on a forum dedicated to cryptography. Though it's possible to recover accounts after their email has been changed, the process is cumbersome and time-consuming. I'm certain a plugin for email verification already exists for SMF, but it wouldn't be particularly hard to create one independently if necessary (generate a password reset key and store it in a database, send an email, invalidate unused keys after ~24 hours).

This would rely very heavily on automation, which has its own vulnerabilities.
Dare
October 23, 2014, 05:03:36 AM
> It was noted many times before in several threads and people have mentioned that it should be included in the new forum software. It didn't have its dedicated thread then (well, now it does). I do agree; a lot of hacks happen due to said flaw, as hackers, once they've gained access to the account, can simply change the email and password.
>
> Security aspects should be implemented immediately in this forum version. I feel waiting another year just for these much needed security upgrades would be too long. Layout, avatars and performance can come at a later date. Security needs to come tomorrow.
>
> Agreed; security is important, particularly so on a forum dedicated to cryptography. Though it's possible to recover accounts after their email has been changed, the process is cumbersome and time-consuming. I'm certain a plugin for email verification already exists for SMF, but it wouldn't be particularly hard to create one independently if necessary (generate a password reset key and store it in a database, send an email, invalidate unused keys after ~24 hours).
>
> This would rely very heavily on automation, which has its own vulnerabilities.

At the moment, there's no email verification required to change an account's email; anyone with the password can change the email to anything they choose, with no confirmation required. Regaining control of an account would require the same manual process, but email verification would make it more difficult for accounts to be stolen in the first place by requiring confirmation from the second factor before allowing it (and consequently, the way for the original owner to reset the account's password) to be changed. So long as there are no vulnerabilities in the email confirmation system (which should be easy enough to secure; it's a common practice for many sites, and relatively simple to implement), then the only disadvantage will be to the people buying and selling accounts, who will have to add another step to their process.
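One way to build the confirmation step Dare sketches in the two posts above (a reset key stored server-side, mailed to the address currently on file, single use, unused keys expiring after ~24 hours). This is an added illustration written for this page in Python rather than SMF's PHP; it is not SMF code or anything posted in the thread, and `send_mail`, the in-memory tables and the confirmation URL format are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 24 * 60 * 60  # unused confirmation keys expire after ~24 hours


class EmailChangeGuard:
    """Pending-change table: a new address takes effect only after a key mailed
    to the *current* address is presented. Hypothetical, framework-agnostic;
    `send_mail(to, body)` stands in for whatever mailer the forum uses."""

    def __init__(self, send_mail, now=time.time):
        self.send_mail = send_mail
        self.now = now
        self.accounts = {}   # user -> email currently on file
        self.pending = {}    # user -> (sha256(key), new_email, expires_at)

    def request_change(self, user, new_email):
        key = secrets.token_urlsafe(32)            # unguessable, single-use
        digest = hashlib.sha256(key.encode()).hexdigest()
        # Only the hash is stored, so a database leak does not expose live keys.
        self.pending[user] = (digest, new_email, self.now() + TOKEN_TTL)
        # The link goes to the address on file, not the newly requested one,
        # so whoever holds the password alone cannot complete the change.
        self.send_mail(self.accounts[user], f"confirm?user={user}&key={key}")
        return key

    def confirm_change(self, user, key):
        entry = self.pending.get(user)
        if entry is None:
            return False
        digest, new_email, expires_at = entry
        if self.now() > expires_at:
            del self.pending[user]                 # stale key: invalidate it
            return False
        presented = hashlib.sha256(key.encode()).hexdigest()
        if not secrets.compare_digest(digest, presented):
            return False                           # wrong key: keep waiting
        del self.pending[user]                     # consume the key
        self.accounts[user] = new_email
        return True


if __name__ == "__main__":
    # Constructed demo: the mail goes to the old address, then the key is used.
    guard = EmailChangeGuard(lambda to, body: print("mail to", to, "->", body))
    guard.accounts["alice"] = "alice@example.com"
    key = guard.request_change("alice", "alice-new@example.org")
    print("changed:", guard.confirm_change("alice", key), guard.accounts["alice"])
```

The same table serves a password change: mail the key to the address on file and apply the new password only in `confirm_change`, which is exactly the second-factor gate the thread asks for.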
ranochigo
Legendary
Offline
Activity: 3038
Merit: 4420
Crypto Swap Exchange
October 23, 2014, 01:17:36 PM
> This just recently came to my attention.
> How is it that an account's email can be changed without verification from said email? Likewise with password changing.
> This should be implemented asap, before the new forum (another year will be too long of a wait for such an issue)

This should be implemented to prevent hackers from gaining full access to the account. However, some people don't use a real address to register, or use a temporary email to register an account. The forum doesn't send an email verification to activate your account, so most people don't bother to use an actual email. If they need to change their email or password, they would have a hard time.
marcotheminer (OP)
Legendary
Offline
Activity: 2072
Merit: 1049
┴puoʎǝq ʞool┴
October 23, 2014, 03:41:09 PM
> This just recently came to my attention.
> How is it that an account's email can be changed without verification from said email? Likewise with password changing.
> This should be implemented asap, before the new forum (another year will be too long of a wait for such an issue)
>
> This should be implemented to prevent hackers from gaining full access to the account. However, some people don't use a real address to register, or use a temporary email to register an account. The forum doesn't send an email verification to activate your account, so most people don't bother to use an actual email. If they need to change their email or password, they would have a hard time.

Then force users to use actual email addresses, problem solved.
marcotheminer (OP)
Legendary
Offline
Activity: 2072
Merit: 1049
┴puoʎǝq ʞool┴
October 23, 2014, 07:51:20 PM
Will take a look now. Theymos, this issue and Phinneaus Gage's (Gleb Gamow's) need to be fixed (even if it is temporary) asap, please!
awesome31312
October 24, 2014, 08:20:12 AM
Bitcointalk's account security is a joke. I received '0' emails about my account creation details
Account recovered 08-12-2019
marcotheminer (OP)
Legendary
Offline
Activity: 2072
Merit: 1049
┴puoʎǝq ʞool┴
October 24, 2014, 03:46:34 PM
Wouldn't mind your reply to the above posts, Theymos.
Dark_Vader
Member
Offline
Activity: 83
Merit: 10
★Bitin.io★ - Instant Exchange
October 24, 2014, 03:50:41 PM
I agree with you, this should be fixed!
Quickseller
Copper Member
Legendary
Offline
Activity: 2996
Merit: 2374
October 24, 2014, 04:53:14 PM
> Wouldn't mind your reply to the above posts, Theymos.

Did you not see the huge fiasco with bayuo/zedicus in Meta a few months ago? If you are taking possession of an account you need to get a signed message from a BTC address on an unedited post that is "old". This especially applies to taking accounts as collateral for a loan, as the process to lend is much quicker than to buy an account. The only exception to this is if you are lending to someone who farms accounts, but the reason you would lend to an account farmer is (This really only applies if you are buying accounts and have bought from them before)
PangPang
October 25, 2014, 08:36:57 AM
> Bitcointalk's account security is a joke. I received '0' emails about my account creation details

Yup, because it doesn't require you to do any email confirmation. In fact, you can register a bitcointalk account with an email like geja1ovf13lpjeo@jog67enfergn.com
awesome31312
October 25, 2014, 09:20:10 AM
> Bitcointalk's account security is a joke. I received '0' emails about my account creation details
>
> Yup, because it doesn't require you to do any email confirmation. In fact, you can register a bitcointalk account with an email like geja1ovf13lpjeo@jog67enfergn.com

Why not just make the email field optional then?
Account recovered 08-12-2019
hilariousandco
Global Moderator
Legendary
Online
Activity: 3990
Merit: 2717
Join the world-leading crypto sportsbook NOW!
October 25, 2014, 09:42:41 AM
It probably should be removed if a confirmation is not required. People who use fake emails just leave themselves wider open to be hacked.
Muhammed Zakir
October 25, 2014, 10:08:21 AM
> It probably should be removed if a confirmation is not required. People who use fake emails just leave themselves wider open to be hacked.

I agree. IMO an email should be sent when registering and when changing 'Account Related Settings'.

~~MZ~~
yeXIABC
October 25, 2014, 11:59:10 AM
Hacker let we cannot update the individual forum speech record?
greatwolf_
Newbie
Offline
Activity: 50
Merit: 0
November 14, 2014, 09:18:21 PM
I completely agree with this feature request 100%. My original account, which got compromised, could have been protected if something as simple as email confirmation was in place. In fact, I made this exact suggestion on my hacked account thread. As of this time, I still haven't received any reply to my recovery PM from theymos (and yes, I followed the recovery procedures outlined here). I don't understand how a cryptocurrency forum that deals with money can be so lax in its security department. All the hacker has to do is guess the right PW or answer the security question correctly and it's game over.