Register Members List Search Today's Posts Mark Forums Read

Reply
 
Thread Tools
  #1  
Old 01 Apr 2016, 03:21
WillyWonkaBar WillyWonkaBar is offline
 
Join Date: Aug 2011
Exploit related to forced password reset email?

We had about 30 users write in today that they received password reset email notifications, but didn't request them.

Is anybody aware of an exploit that might make use of this? We did block a connection that appears to have been either scraping the site, looking for a user list to possibly perform these password resets, or doing something else nefarious.

We did have an issue with the mail queue growing quite large, larger than what our mail queue batch setting could keep up with.

I'm betting the mail queue issue is related to these password reset email notifications going out. I've reviewed the notifications received, and they look correct. No bad URLs or missing usernames.

Has anybody experiencing something similar to this?

Thanks!

WWB
Reply With Quote
  #2  
Old 01 Apr 2016, 07:26
Dave Dave is offline
 
Join Date: Jun 2010
Real name: Dave
Anyone can request those emails to be sent from login.php?do=lostpw.
Or is that not what you're talking about?
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
Reply With Quote
  #3  
Old 01 Apr 2016, 17:04
WillyWonkaBar WillyWonkaBar is offline
 
Join Date: Aug 2011
No, you're correct. We have that page. But you need to specify an email address and complete recaptcha v2.

These users did not request the password reset. So somebody else did.

So that somebody would have to know the email addresses, correct? Maybe a bot guessing email addresses, or using their own list against our website?

Again, I'm more trying to determine that if it was somebody with malicious intent, what could they gain going this route. It only makes sense to me if they have access to the email account in question, and then even in that scenario, they'd have to figure out admin account email addresses. Again, if they're after access.

There's also the possibility that this was a DOS attack, or attack on VB's mail queue. Our mail queue, around the same time these support requests came in, swelled to 7000 msgs, which the mail queue process scheduled task couldn't keep up with based on our settings.

Or maybe this was just a site scraper.
Reply With Quote
  #4  
Old 01 Apr 2016, 17:26
Dave Dave is offline
 
Join Date: Jun 2010
Real name: Dave
I doubt it will do any harm besides filling up your mail queue. There's not a whole lot to do against it since it's just a public page.

Have you checked the access logs for GET/POST requests sent to login.php?do=lostpw? Maybe you can get some more information regarding who did it by looking at the access logs.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
Reply With Quote
  #5  
Old 01 Apr 2016, 17:47
WillyWonkaBar WillyWonkaBar is offline
 
Join Date: Aug 2011
Thanks for the suggestion, Dave. I check the logs and report back.
Reply With Quote
Reply


Tags
exploit, hack, scraper


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 10:03.

Layout Options | Width: Wide Color: