Author Topic: Unable to log in - Password reset not working  (Read 14033 times)

Offline ZorKas

  • Comodo's Hero
  • *****
  • Posts: 1739
Re: Unable to log in - Password reset not working
« Reply #15 on: May 30, 2020, 12:09:04 PM »
It's not a password compromise, since the forum has been hacked.
To protect accounts:
In the SMF forum the administrator has the option to reset passwords. To reactivate the account you must enter the new password.
To do this you must first enter your email, the "REGISTRATION ORIGIN", to receive the reactivation link.
- In case the email is different from the original one, it is lost.
- In case the user profile e-mail is deleted, it is lost.
- In case the MySQL database is corrupted, it is lost.
- In case the MySQL database has been modified, it is lost.
It should be understood that the Comodo forum runs on the SMF application. This application has all its scripts in PHP, working with a MySQL database that contains the IDs and passwords of the user accounts and other values.
All MySQL databases must be backed up every day, preferably at night. This is an essential function, because in case of a crash there is no way to restore if the dump does not exist.

Just being curious... for what reason can't members log in at the moment?
Is it for another reason than that their passwords were compromised?
Windows 10 Pro x64 Build 19042.964 - Comodo CIS Pro v.12.2.2.8012 - Linux 20.04
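The reset procedure described in the post above (match the e-mail on file, send a link, set a new password), as an added worked example. This is a hypothetical Python model written for this page, not SMF's code or Comodo's; the class and function names, the one-hour token lifetime and the PBKDF2 parameters are assumptions. It shows the checks a practitioner wants in such a flow: the supplied e-mail is compared against the stored one (a typo just means no link is sent, and the user can retry), the token is random and only its hash is stored, and it expires and is consumed on first use.

```python
"""Model of a forum password-reset flow (hypothetical; not SMF's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TOKEN_TTL = 3600          # reset links expire after one hour (assumed policy)
PBKDF2_ROUNDS = 100_000   # work factor for the stored password hash (assumed)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex:digesthex'."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + ":" + digest.hex()


def check_password(password: str, stored: str) -> bool:
    salt_hex = stored.split(":", 1)[0]
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


@dataclass
class Member:
    name: str
    email: str            # address given at registration (the "registration origin")
    password_hash: str
    active: bool = True


@dataclass
class ResetService:
    members: Dict[str, Member]
    # token fingerprint -> (member name, expiry time). Only a hash of the token is
    # kept, so someone reading this table (the scenario in the thread) gets no
    # usable reset links out of it.
    pending: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, name: str, email: str, now: int) -> Optional[str]:
        """Step 1: the user gives the login name and the e-mail on file.
        A link is issued only when the e-mail matches the stored one; a typo
        just means no link, and the user can submit the form again."""
        member = self.members.get(name)
        if member is None:
            return None
        stored = member.email.strip().lower().encode()
        supplied = email.strip().lower().encode()
        if not hmac.compare_digest(stored, supplied):
            return None
        token = secrets.token_urlsafe(32)          # 256 random bits, unguessable
        self.pending[self._fingerprint(token)] = (name, now + TOKEN_TTL)
        return token   # goes into the e-mailed link; never log or store it raw

    def complete_reset(self, token: str, new_password: str, now: int) -> bool:
        """Step 2: the link is followed. The token must be known and unexpired,
        and it is removed on first use so the mailed link cannot be replayed."""
        entry = self.pending.pop(self._fingerprint(token), None)
        if entry is None:
            return False
        name, expiry = entry
        if now > expiry:
            return False
        member = self.members[name]
        member.password_hash = hash_password(new_password)
        member.active = True                        # reactivates the account
        return True


if __name__ == "__main__":
    # Constructed walk-through: one member, a typo on the first try, then success.
    m = Member("login9", "login9@example.com", hash_password("old-secret"))
    svc = ResetService({"login9": m})
    print(svc.request_reset("login9", "login9@exmaple.com", now=1000))   # None: typo, no link
    link = svc.request_reset("login9", "login9@example.com", now=1000)
    print(svc.complete_reset(link, "new-secret", now=1500))              # True
    print(svc.complete_reset(link, "again", now=1600))                   # False: single use
    print(check_password("new-secret", m.password_hash))                 # True
```

The web layer in front of `request_reset` should answer identically whether or not the e-mail matched; if it says "no such address" the form becomes an oracle for which e-mails are registered, which is exactly the data the thread is worried about.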

Offline login9

  • Newbie
  • *
  • Posts: 6
Re: Unable to log in - Password reset not working
« Reply #16 on: May 30, 2020, 12:33:31 PM »
Quote from: ZorKas on May 30, 2020, 12:09:04 PM
So is it the case that, no matter what I try to get an email reset link, my details are lost?

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1002
Re: Unable to log in - Password reset not working
« Reply #17 on: May 30, 2020, 01:20:12 PM »
Quote from: ZorKas on May 30, 2020, 12:09:04 PM

Thank you for explaining, it clarifies a lot.

You mention that "In case the email is different from the original one, it is lost". Does that also mean that once you make a typo (mistake) entering the email when resetting the password, and then retry the reset but now enter the correct email, it is then lost too? Or does the user profile survive a typo in the email? Sounds critical to me.

Maybe the above is not applicable at all once all MySQL databases are restored from backup and all users can log in again after resetting their passwords; I don't know, maybe this also needs some clarification.



Offline ZorKas

  • Comodo's Hero
  • *****
  • Posts: 1739
Re: Unable to log in - Password reset not working
« Reply #18 on: May 30, 2020, 01:26:28 PM »
Quote from: login9 on May 30, 2020, 12:33:31 PM
So is it the case that, no matter what I try to get an email reset link, my details are lost?
As explained above:
The user's login and password are stored in the SQL database (encrypted).
During the password reset request, the login/e-mail given when opening the account is compared with those registered in the SQL database; if it matches the email entered for password reactivation, it's OK, otherwise there is no reactivation.
If the database is damaged, it must be repaired; if this is not possible, it must be restored from the most recent date possible.

Offline ZorKas

  • Comodo's Hero
  • *****
  • Posts: 1739
Re: Unable to log in - Password reset not working
« Reply #19 on: May 30, 2020, 01:40:13 PM »
Quote from: CISfan on May 30, 2020, 01:20:12 PM

If you make a typing error, it is not serious, just correct it, but the reference email must be in the SQL table to be validated.
Then the script that manages sending the email takes over.
It is possible that the PHP procedure call to the SQL database that manages the reactivation is also defective, in which case it is the administrator who intervenes.


Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1002
Re: Unable to log in - Password reset not working
« Reply #20 on: May 30, 2020, 01:59:23 PM »
Are the MySQL databases already restored from backup at this moment?

Besides the MySQL database backups, are there also backups made/available of all the PHP scripts (and all other needed files) involved in running this forum? And are those backups being restored as well as we speak?

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1002
Re: Unable to log in - Password reset not working
« Reply #21 on: May 30, 2020, 05:22:14 PM »
Hmmm, the forum almost looks like abandoned. Not much member activity and no new members today . . .

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 26534
Re: Unable to log in - Password reset not working
« Reply #22 on: May 30, 2020, 05:40:23 PM »
Quote from: CISfan on May 30, 2020, 01:59:23 PM

Zorkas is speaking from experience with his own website which also uses SMF software.

We haven't had any details from Comodo other than that they are working on it. I am sorry I can't provide more information. I'd love to know and share with you guys.

Offline ZorKas

  • Comodo's Hero
  • *****
  • Posts: 1739
Re: Unable to log in - Password reset not working
« Reply #23 on: May 31, 2020, 05:48:33 AM »
Quote from: CISfan on May 30, 2020, 01:59:23 PM
Are the MySQL databases already restored from backup at this moment?

In this case it is a hack of the MySQL database, where the user records contain the name (nickname), the email, the password and the IP.
The password is encoded with SHA-1.
It is of no interest to the hacker to decipher the password (SHA-1) because it has been reset by the administrator.
Concerning IPs, many are dynamic and so are changed by the ISP periodically.
The only interest is the e-mails, which on a forum are often only pseudonyms.
In the case of a database hack, you have to search the connection logs on the server to deduce the source; I think Comodo is taking care of that to find the flaw, and it takes time.
There is no point in rushing a restoration until safety is restored.
The PHP language, like all programming languages, has security updates that must be applied, in step with SMF, which has also had updates.
The PHP <=> MySQL relationship needs to be upgraded on both sides to avoid hacking.
Only administrators have the rights to access the configuration, repair, upgrade and backup of an SMF forum.
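The post above says the SHA-1 hashes in the dump are of no interest once the passwords have been reset. That holds for the forum accounts themselves, but an attacker with the dump cracks it offline against a wordlist anyway and tries the recovered passwords on the same users' e-mail and other accounts (password reuse is the usual way a forum dump gets monetised). The added example below is written for this page, not SMF's code, in Python. It uses the sha1(lowercase username + password) scheme that, as far as I know, SMF 2.0.x used; the sample rows are constructed, not real data, and the function names and the PBKDF2 work factor are assumptions. It recovers the weak passwords from a small wordlist and measures how many SHA-1 guesses fit in the time of one PBKDF2 guess, which is why a slow, randomly salted hash is the fix rather than a reset alone.

```python
"""Why a leaked table of SHA-1 password hashes still matters (added illustration)."""
import hashlib
import hmac
import time

PBKDF2_ROUNDS = 200_000   # assumed work factor for the slow comparison hash


def smf_legacy_hash(username: str, password: str) -> str:
    # Scheme assumed here (SMF 2.0.x style, to my knowledge): sha1(lowercase username + password).
    # The username is the only "salt" and it is public, so it blocks shared rainbow
    # tables but does nothing against a per-user wordlist run.
    return hashlib.sha1((username.lower() + password).encode()).hexdigest()


def slow_hash(password: str, salt: bytes) -> bytes:
    # Deliberately expensive alternative with a random salt (assumed parameters).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def crack_dump(dump, wordlist):
    """dump: iterable of (username, sha1hex) as read from a leaked members table.
    Each user needs its own pass over the wordlist because the username is mixed
    in, but every guess is a single cheap SHA-1. Returns {username: password}."""
    recovered = {}
    for user, digest in dump:
        for guess in wordlist:
            if hmac.compare_digest(smf_legacy_hash(user, guess), digest):
                recovered[user] = guess
                break
    return recovered


def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Rough single-core rate of hash_fn over a short window (at least one call)."""
    n, t0 = 0, time.perf_counter()
    while True:
        hash_fn("guess%d" % n)
        n += 1
        elapsed = time.perf_counter() - t0
        if elapsed >= seconds:
            return n / elapsed


def cost_ratio() -> float:
    """How many SHA-1 guesses an attacker gets in the time of one PBKDF2 guess."""
    fast = guesses_per_second(lambda p: smf_legacy_hash("user", p))
    slow = guesses_per_second(lambda p: slow_hash(p, b"fixed-16-byte-sa"))
    return fast / slow


# Constructed sample dump (not real forum data): two weak passwords, one strong one.
SAMPLE_DUMP = [
    ("alice", smf_legacy_hash("alice", "password1")),
    ("bob", smf_legacy_hash("bob", "letmein")),
    ("carol", smf_legacy_hash("carol", "Kq7!vR9#pLx2zW")),   # not in the wordlist
]
SAMPLE_WORDLIST = ["123456", "password", "password1", "qwerty", "letmein", "dragon"]

if __name__ == "__main__":
    print(crack_dump(SAMPLE_DUMP, SAMPLE_WORDLIST))        # alice and bob fall, carol does not
    print("SHA-1 guesses per PBKDF2 guess: %.0f" % cost_ratio())
```

The ratio printed at the end is the practical difference between the two storage schemes: a real cracking rig does SHA-1 at billions of guesses per second, so against a dump of this kind the question is not whether the weak passwords fall but how quickly, and the only defence for users is not to reuse them elsewhere.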

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1002
Re: Unable to log in - Password reset not working
« Reply #24 on: May 31, 2020, 06:12:19 AM »
Understandably, restoration takes time, and Comodo needs time to find the source of the attack so that they can investigate it further and hand it over to higher authorities.
Of course safety comes first, no need to rush things.

You say that "The only interest is the e-mails ..."; can you elaborate on why this is valuable to the attacker?
I mean, if they are not interested in deciphering the database passwords, how would they make money from the database then?
They are after making money, and without knowing the correct passwords they can't do anything with either the user profiles or their email addresses.
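On "finding the source of the attack" from the server's connection logs, as raised in the two posts above: the added example below (Python, written for this page; not Comodo's tooling or SMF code) runs a first triage over constructed Apache combined-format log lines. It URL-decodes each request, flags SQL-injection fragments and hits on SMF's admin panel (index.php?action=admin) from addresses not on a known-admin list, and ranks source IPs by those indicators. The log format, the indicator patterns, the function names and the sample lines are assumptions; the table and column names in the sample injected query (smf_members, passwd, email_address) follow SMF's schema.

```python
"""First-pass triage of web-server access logs after a forum compromise (added example)."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "combined" format (assumed; adapt the regex for other formats).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Indicators checked on the URL-decoded request. Both lists are starting points, not a rule set.
SQLI_RE = re.compile(
    r"(union\s+select|information_schema|load_file\s*\(|into\s+outfile|sleep\s*\(|'\s*or\s+1\s*=\s*1)",
    re.I,
)
ADMIN_RE = re.compile(r"action=admin", re.I)   # SMF admin panel: index.php?action=admin


def parse(line: str):
    """Return the fields of one log line, plus the decoded path, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["path"])
    rec["status"] = int(rec["status"])
    return rec


def score_requests(lines, admin_ips=frozenset()):
    """Count, per source IP, total hits, injection-looking requests and admin-panel
    hits from addresses that are not known administrators. Also keep the raw lines
    behind each flag so an analyst can read them in context."""
    per_ip = defaultdict(Counter)
    evidence = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue            # unparseable lines are skipped, not silently mis-attributed
        ip = rec["ip"]
        per_ip[ip]["hits"] += 1
        if SQLI_RE.search(rec["decoded"]):
            per_ip[ip]["sqli"] += 1
            evidence[ip].append(line)
        if ADMIN_RE.search(rec["decoded"]) and ip not in admin_ips:
            per_ip[ip]["admin"] += 1
            evidence[ip].append(line)
    return per_ip, evidence


def rank(per_ip):
    """Source IPs ordered by flagged requests first, then by volume."""
    return sorted(
        per_ip,
        key=lambda ip: (per_ip[ip]["sqli"] + per_ip[ip]["admin"], per_ip[ip]["hits"]),
        reverse=True,
    )


# Constructed sample (documentation IP ranges, invented timestamps); not real server logs.
SAMPLE_LOG = """\
203.0.113.7 - - [29/May/2020:03:12:01 +0000] "GET /index.php?topic=1234.0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/May/2020:03:12:09 +0000] "GET /index.php?action=profile;u=1%27%20UNION%20SELECT%20passwd%2Cemail_address%20FROM%20smf_members-- HTTP/1.1" 200 870 "-" "Mozilla/5.0"
203.0.113.7 - - [29/May/2020:03:14:33 +0000] "GET /index.php?action=admin HTTP/1.1" 200 22010 "-" "Mozilla/5.0"
198.51.100.20 - - [29/May/2020:03:15:00 +0000] "GET /index.php?action=admin HTTP/1.1" 200 22010 "-" "Mozilla/5.0"
192.0.2.44 - - [29/May/2020:03:16:12 +0000] "POST /index.php?action=reminder HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not in combined format
"""
KNOWN_ADMIN_IPS = frozenset({"198.51.100.20"})   # assumed allowlist for the sample

if __name__ == "__main__":
    per_ip, evidence = score_requests(SAMPLE_LOG.splitlines(), KNOWN_ADMIN_IPS)
    for ip in rank(per_ip):
        print(ip, dict(per_ip[ip]))
        for line in evidence[ip]:
            print("   ", line)
```

The ranked list is where to start reading, not a verdict: a 200 on action=admin from an unknown address shows someone reached the panel's front door, and SMF asks for the password again before admin actions, so the next step is to pull every request from that address across the whole retention window and correlate it with the database and PHP error logs.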

Offline ZorKas

  • Comodo's Hero
  • *****
  • Posts: 1739
Re: Unable to log in - Password reset not working
« Reply #25 on: May 31, 2020, 06:45:34 AM »
What's the point?
Knowing the emails allows one to try to hack into the server where the mailbox is hosted and read the messages there.
The resale value for an attacker is the usefulness of the SQL database and its importance.
The value depends on the profile of the company and its employees; here it's not a bank or the White House, so it's of lesser value.
It is above all the fact of creating a hacking effect, to reduce the value of the company, that is most important, I think...

Offline Ploget

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1791
  • 'Your best teacher is your last mistake'
    • Schneier on Security
Re: Unable to log in - Password reset not working
« Reply #26 on: May 31, 2020, 07:02:40 AM »
Hacking a Security Company is 'usually' a challenge and gives them prestige for a start, but the sale of thousands / millions of valid email addresses is valuable in its own right . . . primarily for Phishing and spam attacks

It doesn't take many successful Phishing emails to make it very worthwhile. Run any of your old emails through here and it's quite an eye opener: https://haveibeenpwned.com/
Quote from: CISfan on May 31, 2020, 06:12:19 AM
I mean, if they are not interested in deciphering the database passwords, how would they make money from the database then?
They are after making money, and without knowing the correct passwords they can't do anything with either the user profiles or their email addresses.
Ploget

All Win 10 x 64 Pro - 20H2 (19042.964) / CIS 12.2.2.8012
Comodo Forum Policy
“If you think you are too small to make a difference, try sleeping with a mosquito”

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1002
Re: Unable to log in - Password reset not working
« Reply #27 on: May 31, 2020, 07:45:38 AM »
Quote from: ZorKas on May 31, 2020, 06:45:34 AM

Clear, understood.
Liked the comparison with a bank or a white house. :)

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1002
Re: Unable to log in - Password reset not working
« Reply #28 on: May 31, 2020, 07:51:49 AM »
Quote from: Ploget on May 31, 2020, 07:02:40 AM
Hacking a Security Company is 'usually' a challenge and gives them prestige for a start, but the sale of thousands / millions of valid email addresses is valuable in its own right . . . primarily for Phishing and spam attacks

Got it.

Quote from: Ploget on May 31, 2020, 07:02:40 AM
It doesn't take many successful Phishing emails to make it very worthwhile. Run any of your old emails through here and it's quite an eye opener: https://haveibeenpwned.com/

I've never checked that site.
Does it report about web-email addresses only or also about ISP-email addresses?

Offline Ploget

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1791
  • 'Your best teacher is your last mistake'
    • Schneier on Security
Re: Unable to log in - Password reset not working
« Reply #29 on: May 31, 2020, 07:55:15 AM »
All emails
Quote from: CISfan on May 31, 2020, 07:51:49 AM
Does it report about web-email addresses only or also about ISP-email addresses?

 
