I wonder how annoyed folks would be if MR started forcing everyone to change their password every 90 days.
 
Don't speak of what you do not know. You can't change forum software like a pair of underwear. It's not even remotely close to being that easy. The downtime would be a few days and things would never match up exactly. There would be countless bugs, problems and user gripes; it's not even funny. So yeah, 98% of internet forums use VBulletin. Go talk to them about their software, not the people that use it.

A FREE site and you're bitching about software that costs money. :rolleyes:

I ran a vBulletin site until a month ago. It is that easy. They send you emails, you go download the patch, run the installer, and merge your customizations into any updated templates. They have merge tools built into the Admin panel.

When you customize your installation, you are taking on the responsibility of living with merging your customizations when security updates are released to keep your users secure.

That said, I don't know what version they are on, so I can't tell if a patch was missed by the staff or not.

I thought they were still on vBulletin 3.x which is way out of date.

Edit:
They are running vBulletin 3.8.7
 
Why doesn't macrumors use SSL?

Why isn't macrumors using SSL/TLS on at least its login pages? I tried to use it and got a proxy error and a certificate warning about a GoDaddy cert. The proxy error came from a site that ironically claims to block hacking attempts; guess that's not working out real well, is it? I'd ask for a refund on that service.

I ran a high volume web site for almost 15 years, started in 1996, that started on day one with an automatic referral to https on every single page. We saw constant hack attempts against us, but never once did anyone get in. I believe that the main reason for this was that most of the automated script kiddie and hacker tools weren't set up to handle HTTPS.

It costs almost nothing to do SSL/TLS, modern CPUs can handle them trivially, and certs are cheap. If your proxy service can't handle them, then it sounds like it might be time for a new service.

Also, because you don't use https, my password on your site was unique among all the sites I use. I never trust sites that don't use https by default, at least on logins.
 
I ran a vBulletin site until a month ago. It is that easy. They send you emails, you go download the patch, run the installer, and merge your customizations into any updated templates. They have merge tools built into the Admin panel.

When you customize your installation, you are taking on the responsibility of living with merging your customizations when security updates are released to keep your users secure.

That said, I don't know what version they are on, so I can't tell if a patch was missed by the staff or not.

I thought they were still on vBulletin 3.x which is way out of date.

Edit:
They are running vBulletin 3.8.7


I ran one too. It is that easy. However my post was in reference to someone saying to switch software. Not that easy. (IE - different forum software).
 
(...)According to vBulletin's support team this is what they do: "md5(md5(password)salt)". That is a TERRIBLE hashing technique and highly susceptible to brute force attacks. Everybody should assume the attacker has either already got access to their cleartext password (if they have a normal strength password) or will have it in a few days/weeks (if they have an unusually strong password).(...)

Explain to me how anyone can unconditionally translate a hash to a plain text password? That is, of course you can get a string which maps to the same user's password hash, but you can't determine if that string is effectively the user's password.

For example:
user: macfanboy
pass (not stored in the database): imamacfanboy
md5 hash (stored in the database): 811016fb8de4e4abfdbf84a3a50b38a6

Of course there are ways to crack this and get a string which maps to that hash, but you can't assume that guessed string will effectively be "imamacfanboy" since md5 is not an invertible function. In short, in most cases you can just guess a character sequence that fits a hash but not the user's intended character sequence (the effective password).

This said, hackers will be able to log into other forums which use the same hash function (e.g. md5(md5(...))), but logging into sites that use different hash schemes will be harder work.

There are other md5 tricks that allow hackers to infer the effective string employed by the user as a password (e.g. using dictionaries) but this is an issue only for single-word, very easy passwords. But easy passwords are an issue no matter what hash is used.
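The exchange above turns on two points: a login check only compares digests, so any candidate that hashes to the stored value is accepted whether or not it is the "real" password, and the cost per guess of md5(md5(password) + salt) is tiny compared with a purpose-built password hash. The following Python is an added illustration written for this thread, not vBulletin's code or anything posted by the participants. It assumes the scheme quoted from vBulletin support concatenates the hex of the inner MD5 with the salt in that order, and it uses a constructed salt ("Xy7q") alongside the thread's example password; the PBKDF2 side uses only the standard library.

```python
import hashlib
import hmac
import os
import time

# Constructed sample values (not from the page): the password reuses the thread's
# example "imamacfanboy"; the salt is made up. vBulletin 3 salts are short random
# strings stored beside the hash (assumption about the format, not verified here).
SAMPLE_PASSWORD = "imamacfanboy"
SAMPLE_SALT = "Xy7q"


def vb3_hash(password: str, salt: str) -> str:
    """Legacy scheme as quoted in the thread: md5(md5(password) + salt).

    Hex-encoding the inner digest before appending the salt, and the
    concatenation order, are assumptions drawn from the quoted support answer.
    """
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def vb3_verify(candidate: str, salt: str, stored: str) -> bool:
    """Accept any candidate whose digest equals the stored one.

    This is the point made in the thread: the check never sees the original
    password, only whether digests match, so a colliding string and the real
    password are interchangeable for logging in.
    """
    return hmac.compare_digest(vb3_hash(candidate, salt), stored)


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Slow, salted alternative: PBKDF2-HMAC-SHA256 from the standard library.
    Each guess costs `iterations` HMAC calls instead of two MD5 calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def pbkdf2_verify(candidate: str, salt: bytes, stored: bytes, iterations: int = 600_000) -> bool:
    """Constant-time comparison of a fresh PBKDF2 digest against the stored one."""
    return hmac.compare_digest(pbkdf2_hash(candidate, salt, iterations), stored)


def seconds_per_guess(fn, samples: int) -> float:
    """Wall-clock cost of one call to fn(), averaged over `samples` calls."""
    start = time.perf_counter()
    for _ in range(samples):
        fn()
    return (time.perf_counter() - start) / samples


def work_factor_ratio(iterations: int = 100_000) -> float:
    """How many times more expensive one PBKDF2 guess is than one md5(md5()+salt) guess.

    A larger ratio means someone testing candidates offline against a leaked
    table gets proportionally fewer guesses per second, which is what makes
    the double-MD5 scheme weak regardless of the salt.
    """
    salt = os.urandom(16)
    fast = seconds_per_guess(lambda: vb3_hash(SAMPLE_PASSWORD, SAMPLE_SALT), samples=20_000)
    slow = seconds_per_guess(lambda: pbkdf2_hash(SAMPLE_PASSWORD, salt, iterations), samples=3)
    return slow / fast


if __name__ == "__main__":
    stored = vb3_hash(SAMPLE_PASSWORD, SAMPLE_SALT)
    print("vb3 stored hash:", stored)
    print("correct password accepted:", vb3_verify(SAMPLE_PASSWORD, SAMPLE_SALT, stored))
    print("wrong password rejected:", not vb3_verify("imamacfanb0y", SAMPLE_SALT, stored))
    print("PBKDF2 cost per guess vs md5 scheme: about %.0fx" % work_factor_ratio())
```

Running it prints the ratio measured on the current machine; the exact number varies, but it is the order of magnitude, not the precise value, that matters when judging how long a leaked table stays protective. The `hmac.compare_digest` calls are there because a plain `==` on digests leaks timing information, which is a separate defect from the choice of hash.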
 
WTF! They wait DAYS to tell us...hell, they could have posted it on Twitter to tell us change it ASAP.
 
I think someone tried to log in using my old user login credentials last night, because when I tried to log in it said that there had been too many failed attempts to log in and I would have to wait 15 minutes before I could try again, but that was my first attempt that night??

This morning I logged in no problem?
 
I don't really understand the outrage. Yes, it's an unfortunate situation, but all you need to do is change your password.

If you are not using a unique password for each forum/website you use then, well, that's your fault.

+1

I really can't see the big issue here. Most people use different user/pass for every login. At the very least everybody is using at least several usernames/passwords for various types of sites. One for all banking, one for forums, one for all health care, one for work, one for Facebook/Twitter, several for shopping. In the worst case you have to change the password on 5 sites or so. Takes 10 minutes. Real damage can only happen on a few sites one uses and they have separate passwords.
 
I don't understand anyone getting upset, **** happens sometimes !

I use a basic password for forums & a proper password for anything important. At the end of the day what is the worst someone can do if they log into your mac Rumours account, possibly say you love Microsoft :D
 
I think someone tried to log in using my old user login credentials last night, because when I tried to log in it said that there had been too many failed attempts to log in and I would have to wait 15 minutes before I could try again, but that was my first attempt that night??

This morning I logged in no problem?

Are you sleepwalking?
 
I have changed my password, but I would prefer it if the admins would delete my account. I hardly ever visit the forums anymore, and it doesn't make sense to keep accounts open on sites I don't use. I don't need an account to keep up on the news.
 
Seeing that my password was "password" I assumed it was already hacked. I keep separate logins and real passwords for things where I actually need security, that way when something like this happens all of my other accounts are safe.

I'd love to see your password reminder hint - "Rhymes with Assword". LOL

----------

Why is searching now disabled? I've changed my password.
 
One of my banks got hacked recently all because they left a system exposed to the internet that kept personal data. No reason for it except everyone likes to keep data they collect just because. Now I have a 6 year flag on my credit report because those idiots were lax.

In this light, seeing MR get hacked is ...expected. I use a password manager and different passwords everywhere ever since Sony got hacked. It's just part of the system these days, but most sites just don't announce it.
 
It took a macrumors security leak to happen for me to finally do what I wanted to do for a long time: to not know a single one of my passwords!

I went on all my sites in 1Password and generated a new unique looooong password for each site... two hours.... But really happy to have done it.
 
Keychain won't remember my new password that is suggested by Apple. Instead, it keeps my old password that I had before I changed. How do I make it save my new password? I tried deleting it from the list of passwords in options but I can't get the new one to get saved there. I've reset my password about 7 times now.
 
When creating your new passwords, please keep this XKCD comic in mind and maybe we'll all have secure, easy to remember passwords:

I'm sure someone has already told you this comic is massively incorrect.
In the English words you don't count each individual letter, as that assumes the attackers have never heard of a dictionary.
 
Keychain won't remember my new password that is suggested by Apple. Instead, it keeps my old password that I had before I changed. How do I make it save my new password? I tried deleting it from the list of passwords in options but I can't get the new one to get saved there. I've reset my password about 7 times now.

This.

Although this is obviously not a fault of MR, today's process has highlighted the uncertainty (for me, anyway) of using iCloud keychain. In fact, just using autofill doesn't seem to be working in Safari for me.
 