MAKE MCMARKET SAFE AGAIN

Will Greenberg

Premium
So basically my good friend leontss1's account was hacked, so we planned to troll the hacker... which didn't go so well. So basically I recorded it all, etc.
From what it looks like, these hackers have been in many people's accounts (including leontss1's business account). Anyways, I feel like you guys need to fix some stuff... A lot of stuff.


Video of it going down (may be processing still)
 
Type: Suggestion
Status: Denied

Will Greenberg

Premium
Ain't nobody got time for that, but since it's apparently relevant, I just scanned it. Got as far as the "She gave you your friend's password". Basically meaning that someone's password has been leaked. Due to the level of security XenForo has, I doubt this was on the side of MCM. It was on the side of the user. Watching more to see the actual reasons.
Alright, well if this post was "irrelevant", I just want everyone to secure their mc-m accounts then.
 

MisfitNerd

Supreme
That may be true, but why would he hack a member's account...
Again, to look cool. Think about why people swat someone. It gains them nothing. It's pure enjoyment for fucked up people who have nothing better to do with their lives but hack others.
 

Ivain

Master Terraformer
Supreme
I just scanned through most of the video and I still don't see what your point is. Instead of having people guess at the "issues", how about you spell them out and save everyone a lot of time and effort? You're the one that wants change; you make the effort of spelling out what's wrong AND how you think it should be fixed.

And nothing in that video has so far convinced me that this is not a user-side problem, but then again I did not watch it second for second.
 

MisfitNerd

Supreme
Alright, well if this post was "irrelevant", I just want everyone to secure their mc-m accounts then.
We have the means to secure ourselves already. Don't use simple passwords, use different passwords between MCM and its connected email account, and enable 2FA with your email and phone. Beyond that it's pretty tough to get hacked.
 

Ivain

Master Terraformer
Supreme
Alright, well if this post was "irrelevant", I just want everyone to secure their mc-m accounts then.
That's something that's been advised for ages, but there's gonna be people that are stubborn. There always are.
We have the means to secure ourselves already. Don't use simple passwords, use different passwords between MCM and its connected email account, and enable 2FA with your email and phone. Beyond that it's pretty tough to get hacked.
Better yet, use a password manager, allowing you to use fully randomized passwords, then use a single master password that you learn from the top of your head, similar to how you memorize a phone number. Password managers work because people will rarely be trying to hack your accounts/systems from your own PC, which is where the password manager is centralized. They'll try to get it from leaked databases or brute-force it or simply write a script to guess it from commonly used passwords.
Some archaic sites don't allow copy-pasting of passwords, which is stupid, but the majority do.
For more arguments, try this guy's article: https://www.troyhunt.com/password-m...y-just-have-to-be-better-than-not-having-one/

kojoti

www.xurver.com
Supreme
Jep, my developer already searched for exploits on mc-market and he found 3-5 exploits :| But no one is listening to it :( #NoOneCaresBecauseTheSiteIsRunning :/

Madbegger

SaiCoPvP & SaiCoSky Project Manager
Supreme
Jep, my developer already searched for some exploits in this site; there are like 3-5 open :/ But no one is listening to it :(
Like said above, either information needs to be reported or it's pointless. Considering it's a forum-based marketplace, it'll be maintained well through constant updating and bug fixes/patches. From my experience there have been quite a few people saying there are exploits/vulnerabilities while none exist/are possible (not saying that's the case, however it doesn't seem too plausible, especially saying "3-5" when it's supposed to be a solid amount).

Anyway, most of the time an account being compromised is down to poor security on the user's half. There are a range of methods/measures that can be used here and with other software/websites to prevent an account/email from being compromised. On here there's 2FA, which, if used with a good (non-shared) password following the usual recommendations, will prevent a lot. A lot of methods for here and elsewhere have also been discussed above and will also prevent a majority of issues; however, you do really need to also be careful of what you download/use, since it can cause it as well. Either way, the above isn't really a suggestion for a change that can be made by Mick or the other staff but only by the users at risk. All that can be done at the end of the day is providing information to users for them to improve their account's security.

matthewp

Software Developer
Supreme
Almost all account hackings are on the user's behalf. Legit, I have LastPass for almost everything except accounts I don't care about. I have 30+ character long passwords and 2FA for most of my accounts on sites. Like, if your friend got hacked that easily I am guessing he had no 2FA and had a shitty password.

I don't understand why this is a suggestion..
 

Doge

Long Dogs
Supreme
We can't really prevent people from reusing passwords or enabling 2-step verification on MCM. If he hadn't reused passwords, his account wouldn't have been compromised and if he used 2-step, his account wouldn't have been compromised even if he did reuse passwords.
 

Wvisoecj

Supreme
Jep, my developer already searched for exploits on mc-market and he found 3-5 exploits :| But no one is listening to it :( #NoOneCaresBecauseTheSiteIsRunning :/

Congrats, your "developer" found a couple of CSS faults. You kids are forgetting MCM didn't make this forum, XenForo did. Basic security is not hard to implement and XF already does a good job of it. If you think there's a security vulnerability in the forum, go to XenForo, because chances are MCM can't do anything about it.
 

thebaum64

Resource Pack Creator, Sneaker Seller & Collector
Supreme
It is not our fault his account was compromised; he either had a weak password or was keylogged or had a RAT. That is nothing we can control. We have an option for 2FA and clearly he chose not to use it. That is his fault, no one else's.
 

lAkjtzAZ0

Deactivated
Wait wait wait, you're telling the staff of MCM to fix other people's neglect and stupidity? There's a reason 2FA was forced a while back and is a very valid and secure option for not getting "hacked". If you get hacked WITH 2FA on, you're either really, really stupid or the "hackers" are tOp kEk ciA pRo hACkErS. Seriously, it's not hard to secure your account. Being smart and not reusing passwords, using GOOD passwords, etc. takes a few minutes more of your time and will decrease the chance of your account being compromised.
 

Wvisoecj

Supreme
HTTPS doesn't do much and will only do so much. Also, HTTPS does work, it just shows up like this.
[screenshot image]
HTTPS allows me to not send my password in plaintext. MCM should fix their HTTPS issues so we can use it. That's not a valid excuse.
 

matthewp

Software Developer
Supreme
HTTPS allows me to not send my password in plaintext. MCM should fix their HTTPS issues so we can use it. That's not a valid excuse.

Yum, plaintext passwords. Either way, people should know it isn't on HTTPS and use a unique password and 2FA.
 

Wvisoecj

Supreme
Yum, plaintext passwords. Either way, people should know it isn't on HTTPS and use a unique password and 2FA.
Still not an excuse to not use HTTPS. It's not about using unique passwords but more about people knowing your password, or any password you change to, in the first place. The new web offers so many free resources to get started with HTTPS, but MCM doesn't take the time to fix the issues they have to migrate over to HTTPS.
 

Keystirras

Supreme
I mean, don't get me wrong, I think all websites should have an SSL certificate to help with security, even if it's through LetsEncrypt, but I agree with Ivain that it is probably user side. I normally reuse my passwords for multiple sites, and I haven't been hacked on here.
 

buildblox

Entrepreneur
Deactivated
Still not an excuse to not use HTTPS. It's not about using unique passwords but more about people knowing your password, or any password you change to, in the first place. The new web offers so many free resources to get started with HTTPS, but MCM doesn't take the time to fix the issues they have to migrate over to HTTPS.

HTTPS was disabled for a variety of reasons, primarily because of something BeBosny read on TAZ about it decreasing AdSense revenue.

While I do agree that the whole money > security thing doesn't really add up, please do keep in mind that Xenforo hashes and salts all passwords transferred through the system. No HTTPS isn't as big of a security flaw as is, say, the dozens of experimental addons that have countless unknown bugs.

You all claim that the MCM administrators are entirely pardoned of potential security flaws just because it's running on Xenforo, a third-party CMS, but you're dead wrong. The creation of said experimental addons could just as easily create security flaws in the system. For example, the addition of the business account addon introduced a highly complex feature that had to do with sensitive account details. While I'm not saying it happened, very devastating security bugs could possibly exist in the system. Our old support addon, Tickets by NixFifty, proved to be an extremely buggy addon. Who says any of our custom developed addons aren't the same?
 

Ivain

Master Terraformer
Supreme
HTTPS was disabled for a variety of reasons, primarily because of something BeBosny read on TAZ about it decreasing AdSense revenue.

While I do agree that the whole money > security thing doesn't really add up, please do keep in mind that Xenforo hashes and salts all passwords transferred through the system. No HTTPS isn't as big of a security flaw as is, say, the dozens of experimental addons that have countless unknown bugs.

You all claim that the MCM administrators are entirely pardoned of potential security flaws just because it's running on Xenforo, a third-party CMS, but you're dead wrong. The creation of said experimental addons could just as easily create security flaws in the system. For example, the addition of the business account addon introduced a highly complex feature that had to do with sensitive account details. While I'm not saying it happened, very devastating security bugs could possibly exist in the system. Our old support addon, Tickets by NixFifty, proved to be an extremely buggy addon. Who says any of our custom developed addons aren't the same?
It's definitely the case that admins can fuck up. However, unlike in most situations, they'd have to have actively fucked shit up for it to go wrong. On most sites and forum systems (enjin for sure) you have to actively secure it, or it'll go wrong.

Anyway, if the site had its entire password database leaked in plain text or even basic encryption, users could still be safe having 2FA enabled for any new IPs trying to log in. Unless they've been using a VPN service with a bunch of common IPs and the 'hackers' know which ones, you'd need to have access to their email or phone to get into the account.

So while the ultimate responsibility in such a case lies with the admins, the users have been given the tools to secure their account even in the face of such a failure, and they chose not to use them. THAT is THEIR choice, and therefore THEIR responsibility.
 
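The argument running through the thread (Doge's and Ivain's posts above) is that a reused or leaked password on its own does not get an attacker in when 2FA is required for sign-ins from an IP the account has never used. The following is an added illustration of that login model, not code from the thread or from XenForo; the account class, work factor, IPs and secrets are constructed, and the TOTP routine is the standard RFC 6238 scheme.

```python
from typing import Optional
import hashlib, hmac, os, struct, time

ITERATIONS = 200_000  # PBKDF2 work factor; constructed value, not XenForo's setting

class Account:
    """Salted password hash plus optional TOTP secret and the IPs seen before."""
    def __init__(self, password: str, totp_secret: Optional[bytes] = None):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, ITERATIONS)
        self.totp_secret = totp_secret          # None means 2FA is not enabled
        self.trusted_ips: set = set()

    def check_password(self, candidate: str) -> bool:
        h = hashlib.pbkdf2_hmac("sha256", candidate.encode(), self.salt, ITERATIONS)
        return hmac.compare_digest(h, self.pw_hash)

def totp(secret: bytes, now: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the code an authenticator app would show."""
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def login(acct: Account, password: str, ip: str,
          code: Optional[str] = None, now: Optional[int] = None) -> str:
    """Returns "ok", "bad_password" or "2fa_required"."""
    if not acct.check_password(password):
        return "bad_password"
    # First factor passed. When 2FA is enabled, a sign-in from an IP this
    # account has never used must also present a valid current TOTP code.
    if acct.totp_secret is not None and ip not in acct.trusted_ips:
        if code is None or not hmac.compare_digest(code, totp(acct.totp_secret, now)):
            return "2fa_required"
    acct.trusted_ips.add(ip)
    return "ok"

def demo() -> dict:
    """Constructed scenario: the same password reused on a site that was breached."""
    secret, reused, ts = b"constructed-demo-secret", "hunter2", 1_496_000_131
    no_2fa, with_2fa = Account(reused), Account(reused, secret)
    return {
        "reused_pw_no_2fa": login(no_2fa, reused, "203.0.113.9"),                  # attacker gets in
        "reused_pw_with_2fa": login(with_2fa, reused, "203.0.113.9", now=ts),      # unknown IP, no code
        "owner_with_code": login(with_2fa, reused, "198.51.100.7", totp(secret, ts), ts),
    }
```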