A post made on my account
« on: December 29, 2014, 06:05:05 PM »
So, it has come to my attention that there was a post made by my account in the Touhou 14.5 thread that actually wasn't made by me. I know this because I haven't made a post on here in around 2-4 months. I was wondering if my account has been accessed by someone other than myself.

Edit:

Actually make that two posts in that thread.

Tengukami

Re: A post made on my account
« Reply #1 on: December 30, 2014, 12:12:23 AM »
The posts in question, for reference:

#1

#2

Huh. Interesting responses.

Stupid question, but you don't know anyone on this site in person, do you?


MatsuriSakuragi

Re: A post made on my account
« Reply #2 on: December 30, 2014, 12:37:01 AM »
Sure enough, those two posts were made by different IP addresses from what you usually appear to post from (checking your post history into 2013, at the very least).

There does seem to be another MotK person possibly in the same range who also posted in the 14.5 thread, but the posting style is different. In fact, the IP address for #2 in Ammy's post there and this post are identical! Therefore, it appears that Psyduckxoxo may be responsible for this.

#1 doesn't match up with anyone else, it seems.

That's just what the facts show, here. Do you have any thoughts on who this is?

Also, change your password so this doesn't happen again.
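
The comparison described in the reply above, sketched as an added example (not part of the original thread or of the forum software): flag posts on an account whose source IP never appears in that account's earlier history, then list any other accounts that posted from the same address. The account names, IP addresses (documentation ranges) and the tuple layout are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows: (post_id, account, poster_ip, posted_at).
# None of these values come from the forum discussed on this page.
POSTS = [
    (101, "victim", "192.0.2.10", "2014-06-02 18:11"),
    (115, "victim", "192.0.2.10", "2014-08-19 20:40"),
    (130, "victim", "192.0.2.77", "2014-09-03 21:05"),
    (204, "member_b", "198.51.100.7", "2014-12-20 09:30"),
    (210, "victim", "203.0.113.5", "2014-12-28 23:50"),
    (211, "victim", "198.51.100.7", "2014-12-29 00:15"),
    (230, "member_b", "198.51.100.7", "2014-12-30 01:02"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def find_anomalous_posts(posts, account, baseline_end):
    """Return posts by `account` made after `baseline_end` from an IP that
    the account never used up to `baseline_end`, together with every other
    account that has posted from that same IP."""
    cutoff = parse(baseline_end)
    baseline_ips = set()
    ip_to_accounts = defaultdict(set)
    for _, acct, ip, ts in posts:
        ip_to_accounts[ip].add(acct)
        if acct == account and parse(ts) <= cutoff:
            baseline_ips.add(ip)

    findings = []
    for post_id, acct, ip, ts in posts:
        if acct != account or parse(ts) <= cutoff:
            continue  # other accounts, or part of the trusted baseline
        if ip in baseline_ips:
            continue  # address the owner is already known to post from
        shared = sorted(ip_to_accounts[ip] - {account})
        findings.append({"post_id": post_id, "ip": ip, "shared_with": shared})
    return findings


if __name__ == "__main__":
    for finding in find_anomalous_posts(POSTS, "victim", "2014-10-01 00:00"):
        print(finding)
```

A shared address is a lead for the moderators, not proof of who posted: NAT, VPNs and dynamic addressing all put unrelated users behind one IP, which is why the reply also weighs posting style.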

Re: A post made on my account
« Reply #3 on: December 30, 2014, 02:18:35 AM »
Thanks, and I have changed my password. As for Tengukami's question, I don't know anyone on MOTK in real life, but I do have like three Skype chats with a couple of other people from motk, but they aren't the type to do this as far as I know.

Question: Is there any way to remove those posts?

MatsuriSakuragi

Re: A post made on my account
« Reply #4 on: December 30, 2014, 04:27:10 AM »
> Thanks, and I have changed my password. As for Tengukami's question, I don't know anyone on MOTK in real life, but I do have like three Skype chats with a couple of other people from motk, but they aren't the type to do this as far as I know.
>
> Question: Is there any way to remove those posts?

I think we just found our answer. Look above your post (it was originally unapproved due to low post count). Figured you'd be interested in the details. Looks like we got an edgemeister with a chip on his shoulder.

I'll remove the posts after we get all of this resolved.

Drake

Re: A post made on my account
« Reply #5 on: December 30, 2014, 04:56:39 AM »
somebody hasn't stopped being 13


helvetica

Re: A post made on my account
« Reply #6 on: December 30, 2014, 04:59:23 AM »
The "flaw" is that said users never changed their display name to be different than their username, despite this being highly recommended. With that in mind I poked around and tightened a few security options (just in case their session was genuinely hijacked instead of just weak passwords at play), and I fixed a couple of long-standing bugs while I was in there because I was bored.




Tengukami

Re: A post made on my account
« Reply #7 on: December 30, 2014, 11:14:25 AM »
People who type "'sploit" are edgy tryhards. QED.

(It takes just as many characters to type "exploit"! Who are they trying to impress?)


Mеа

Re: A post made on my account
« Reply #8 on: December 30, 2014, 11:38:54 AM »
Hmm nope the "'sploit" is still present (I do not know who this account is but they were active recently. I am just proving a point. Sorry to them, I promise I did nothing with the account aside from this post).

Haha, you guys are being quite dickish about this. I was trying to be helpful but then you come and call me an "edgy tryhard" for the way I talk? It looks like someone has a droopy self-esteem they need to shore up by acting big on the webnets haha. (Yes yes yes, I know this will be commented on. The low self-esteem of that user must be boosted after all. It is the holidays, take this one. You clearly need it more than I do haha. :-) ) Maybe I should use this "'sploit" to take your account info? Naw naw naw, I am not that petty. You have a good time pointing out flaws in those with more worth than you madam. :-)

Well I do not think most of your users are at risk but I was hoping to see more open-mindedness applied to the resolving of this problem. I suppose that is to be expected from an anime fan message forum. It probably does not matter. I think I have spent longer pointing it out than I need to anyway. If this problem comes up you can contact psyduck and I will probably give a hand (he will certainly spaz out when he gets security-related messages so I will know about it. Probably.) I did say I was done here but I got curious to see if the problem was fixed. I do not think it will be so that answers that question. I will leave things as they are because it amuses me. :-)

Again merry holidays to everyone and good luck with everything
(and sorry to the account-owner of this account, I mean no harm),
Anthony

helvetica

Re: A post made on my account
« Reply #9 on: December 31, 2014, 07:01:41 AM »
If you don't mind please get in contact with me with information on the exploit. I'm on vacation for winter break so I really don't have much time to dig and in my cursory examinations I can't quite see what you're triggering that allows you to bypass the password verification (although I have disabled all the legacy hashing routines just in case). I suspect it might be a flaw with how SMF treats pgsql and case insensitivity, but I don't have enough data to really determine how you're doing what you're doing.

As for this "anime board" I take security very seriously. I'm just also busy obtaining a physics degree :b (and I'm the only actual admin here :[ ). I would have preferred if you had simply reported the exploit to me rather than brazenly abuse it but we can argue the ethics of responsible disclosure another time. I apologize for the commentary from the peanut gallery, I think you can agree most of us are tired of the "leet haxor" kind of false bravado that some of us tend to run into far more often than we like. You also have to admit your original post was pretty vulgar and I can understand why it wasn't necessarily taken as seriously as it seemed. I took it seriously, but I figured it was something that was already patched, and now you have my interest (and my attention) repeating said feat.

I personally enjoy a challenge and I respect people who can reverse/hack stuff (I'm a hobbyist reverse engineer as well, although my security skills are rusty to say the least). Life just doesn't give me the time to tinker and babysit this stuff as strongly as I used to :[
« Last Edit: December 31, 2014, 07:08:45 AM by helvetica »

