Why won't keychain save my new password!? TWICE, I've used Keychain's fancy long suggestion, but it won't remember it, or update the old info!?!?

I've tried deleting the old info, yet it still refuses to ask me if I'd like to save the new password... ffs...

Logout of MR then go to the login page and type in your username and PW and DO NOT enter/login to the site yet. Now hit command-r to refresh the page and you will get a popup asking if you want to update the Keychain PW for this site. Accept the Keychain PW update then go ahead and login to MR with the new PW.
 
Can We End It?

Well, I think this thread has gone on WAY longer than it should have. Let's all agree on one thing, NEVER use the same password on more than one website, and always use a very strong password. Well, that's two things, but let's just agree. I'm pretty much done with this thread. If it hits 50 pages, I may come back and read the last few. I'd rather talk about Apple.
 
Here's another post from him:
http://forum.insidepro.com/viewtopic.php?p=152944&#152944

Subforum is "Forum Hashes"

He was probably trying to figure out the MacRumors VB3 salt algorithm here: http://forum.insidepro.com/viewtopic.php?p=152431&#152431

Here's a Google search exposing all his accounts on blackhat websites:
https://www.google.com/search?clien...e=UTF-8&oe=UTF-8#q=clockwize0&rls=en&start=10

I do believe there goes his statement about not using the information further. Probably get some cash out of this and exploit the users with weak passwords on other sites as well.
 
I always find it strange when sites that have totally irrelevant content prevent me from saving my password. Is Macrumors concerned someone stealing my laptop could post on their site?

I think browsers should be ignoring that altogether, or at least give the user the option to ignore that request.

Yes, it's reckless and completely stupid to save your online banking password, but shouldn't we have that right?
 
I think browsers should be ignoring that altogether, or at least give the user the option to ignore that request.

Yes, it's reckless and completely stupid to save your online banking password, but shouldn't we have that right?

I saw that discussed before on the forums for the now abandoned Camino browser, and one of the developers replied that they weren't going to do it because if they did, banking sites and the like would block Camino users from using their site.

If you really want to change that behavior, you can learn to program and then modify an open source browser such as Firefox, Chromium, or the WebKit rendering engine used by Safari. You would also need to maintain those modifications, reapplying and possibly altering them as new browser updates are released. Failure to keep sufficiently up to date with the normal version of the browser would be a big security risk.

It wouldn't be super easy, but with an open source browser it is technically possible. Probably all you'd have to do is comment out the code that handles those HTML restrictions (extremely easy), but the trick would be finding the right portion of code, ensuring that you don't accidentally break another part of the browser, and repeating that effort whenever new browser versions are released.
 
Logout of MR then go to the login page and type in your username and PW and DO NOT enter/login to the site yet. Now hit command-r to refresh the page and you will get a popup asking if you want to update the Keychain PW for this site. Accept the Keychain PW update then go ahead and login to MR with the new PW.

Wow, big thanks!

I wonder why it's so convoluted...

I don't suppose you know what's happened to the keys that KeyChain suggested I use; you know, when you're on the password reset page?
 
WTF! They wait DAYS to tell us...hell, they could have posted it on Twitter to tell us change it ASAP.

Why weren't the passwords encrypted?

I find it absurd that MacRumors.com moderators spend so much time policing views and ideas -- particularly those critical of Apple, rather than actually spending more time on improving the security of the site.

Maybe the mods and arn as the owner can take a step back and reflect about their lapses.


And still people argue that we don't need the down arrows back.......sigh. :(
 
Wow, big thanks!

I wonder why it's so convoluted...

I don't suppose you know what's happened to the keys that KeyChain suggested I use; you know, when you're on the password reset page?

It is not supposed to be that convoluted... there is something odd about the way MR handles passwords because since day one with Mavs everybody has had to fuss around with that refresh trick to get Keychain to remember the password. It seems to work fine on many other sites.

If you did not get it to save those previous PW suggestions, they are likely gone. You can launch the Keychain app and look on the list of saved passwords and see if you have multiple entries for this site, but I doubt you got them saved.
 
It is not supposed to be that convoluted... there is something odd about the way MR handles passwords because since day one with Mavs everybody has had to fuss around with that refresh trick to get Keychain to remember the password. It seems to work fine on many other sites.

What about other vBulletin-based sites? I don't use iCloud keychain, but I suspect the issues result from iCloud keychain being unable to properly handle certain HTML in vBulletin's default theme. I occasionally get similar issues with LastPass (on various types of sites), but it has three ways for users to work around it (autofill instead of autologin, copying & pasting from the vault, or manually editing the form fields).
 
I'm wondering if it might have been some random person's account he logged into with the cracked hash.

maybe not completely random.. probably chose that one because of the user name..

but yeah, it's certainly possible (probable?) that's not an account he created himself.
 
Why did I not get an email sooner?

According to our email service, sending such a large burst of email in one day to all of our users will result in many of those emails getting automatically blocked. As such, we are sending emails out over time to ensure they reach your inbox.

Article Link: MacRumors Forums: Security Leak

Nonsense! I did not get an email sooner because you initially didn't bother to send it. It took ages for you to inform users what was going on, and then it took comments from users to get you to post this thread on the front page rather than the feedback section of the forum, and then another comment that there should be some global notice to raise attention to it.

Hiding behind a 'technical bottleneck' is a weak argument. Poor form Arn!
 
And I had put in all that work memorizing the 30 character password that 1Password had generated. Now to start all over again...

:eek:
 
And I had put in all that work memorizing the 30 character password that 1Password had generated. Now to start all over again...

:eek:

Are you being serious? The whole point of a password manager is that it remembers your passwords for you. For most passwords you generate with it (exceptions being things like OS logins), you don't need to memorize them. The only password you really need to know is your 1Password master password. 1Password has browser add-ons available so that it can autofill your passwords on websites, and it can sync with your other computers and mobile devices.

Maybe you were being sarcastic, but sometimes it's hard to tell with text on the Internet.
 
What would be a good/decent hardware firewall appliance for home use? Is it worth getting this since it's just for home and personal use?

We sold the SonicWall devices. I've heard people having good luck with WatchGuard and the low end Cisco ASA5505. From experience, the SonicWall was easier to install and set up and came 'full on' out of the box. Adding 'pin holes' was a little awkward as well as setting up port forwarding/etc. I have no experience with the WatchGuards. The Cisco ASA needs to be set up by someone with a very good knowledge of Cisco IOS, and your network layout. There are some IOS setups that can be found on the web, but altering them can be a daunting task and someone who isn't good with IOS can easily lock themselves out of their firewall, out of the internet, and out of their network...

And most important is to check your logs periodically. You don't need to worry about what's blocked, but what traverses the device. Charter, we were getting hit on average 80 times an hour. All 'script kiddie' stuff. Every now and then, we'd get a more nuanced attack...

As far as 'home/personal use', I guess it depends... I always had a firewall, just in case. I kept information like bank records and such, and then business records. Pretty blasé stuff; but so is my underwear drawer, and I'd rather not have people in either one...
 
Nonsense! I did not get an email sooner because you initially didn't bother to send it. It took ages for you to inform users what was going on, and then it took comments from users to get you to post this thread on the front page rather than the feedback section of the forum, and then another comment that there should be some global notice to raise attention to it.

Hiding behind a 'technical bottleneck' is a weak argument. Poor form Arn!

So do you know exactly when Arn sent the first batch of emails? He may have done that way before it was mentioned in this thread?
 