SHELTINATOR2000: DO NOT OPEN THEIR THREADS
This user claims to be some kind of security consultant testing the forum. Whether this is true or not, even viewing their posts can log you out of your account. The things they try in future could potentially have more adverse effects.
Even if their intent is benign, avoid opening their threads or viewing their posts, so that your account doesn't get deleted or something in their "tests".
Can the admins or mods confirm that this person is meant to be here doing what they are doing?
Comments
-
For me, it only seems to be the "Just testing" discussion that logs me out.
1 -
For now.
If this person is legitimately some white hat testing the forum security, they will not object to anyone contacting the mods to confirm this.
If not, the sooner we draw attention to their activities and the more users we prevent from being adversely affected, the better.
1 -
Based on the title I thought this was going to be a return of the type of threads from last year.
https://www.pokemon.com/us/vulnerability-disclosure-program/
Also, I like how under "issues not to report" in the vulnerability program link it mentions logout CSRF, so he probably won't even get a reward out of it even if he is legit. I don't know why this forum even lets you embed pages still, even though it seems to be limited to the forums themselves. I think the mods will get scared enough to do it if they get logged out, but they should really just remove that feature.
0 -
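The comment above names the mechanism: a logout that fires merely because a viewed thread embeds a page, which is exactly the "logout CSRF" the linked disclosure program lists as out of scope. The following is an added example, not code from this forum or its software, sketching in framework-free Python why a logout endpoint that acts on any request is exposed and what a hardened handler checks instead. `Session`, `Request`, `SITE_ORIGIN` and the `handle_logout_*` / `simulate_*` names are hypothetical, and the scenarios are constructed; since the comment says embeds are limited to the forum itself, the embedded-page scenario uses a same-site Referer to show that the method and token checks, not the origin check, are what stop it.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://forum.example"  # hypothetical forum origin


@dataclass
class Session:
    user: str
    # CSRF token minted with the session; only pages rendered for this
    # session ever see it, so an embedded page cannot supply it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    logged_in: bool = True


@dataclass
class Request:
    method: str
    session: Session          # the browser attached the cookie automatically
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def same_origin(url: str) -> bool:
    """Compare scheme and host, not a string prefix: a prefix test would
    accept https://forum.example.evil as well."""
    got, want = urlsplit(url), urlsplit(SITE_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def handle_logout_vulnerable(req: Request) -> str:
    """Ends the session on any request. An <img>, <iframe> or link on a page
    the victim merely views is enough, because the cookie rides along."""
    req.session.logged_in = False
    return "logged out"


def handle_logout_hardened(req: Request) -> str:
    """Only a deliberate POST with the session's own CSRF token ends the
    session. Each check closes one avenue:
      - method: subresource loads and plain links are GETs
      - origin: a form posted from another site carries a foreign Origin
      - token: nothing outside this session's pages knows the token
    """
    if req.method != "POST":
        return "405 method not allowed"
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not same_origin(origin):
        return "403 cross-site request rejected"
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, req.session.csrf_token):
        return "403 bad csrf token"
    req.session.logged_in = False
    return "logged out"


# Constructed scenarios; each returns whether the victim is still logged in.

def simulate_embedded_page_visit(handler) -> bool:
    """Victim views a thread whose embedded page fetches /logout with a GET."""
    victim = Session(user="victim")
    handler(Request("GET", victim,
                    headers={"Referer": SITE_ORIGIN + "/discussion/just-testing"}))
    return victim.logged_in


def simulate_embedded_form_post(handler) -> bool:
    """Embedded same-site page auto-submits a POST; it cannot know the token."""
    victim = Session(user="victim")
    handler(Request("POST", victim, headers={"Origin": SITE_ORIGIN},
                    form={"csrf_token": "guess"}))
    return victim.logged_in


def simulate_real_logout_click(handler) -> bool:
    """Victim presses the site's own logout button, which carries the token."""
    victim = Session(user="victim")
    handler(Request("POST", victim, headers={"Origin": SITE_ORIGIN},
                    form={"csrf_token": victim.csrf_token}))
    return victim.logged_in


if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_logout_vulnerable),
                          ("hardened", handle_logout_hardened)):
        print(name, "embedded GET :", simulate_embedded_page_visit(handler))
        print(name, "embedded POST:", simulate_embedded_form_post(handler))
        print(name, "real click   :", simulate_real_logout_click(handler))
```

The vulnerable handler logs the victim out in all three scenarios; the hardened one only on the real click. Marking the session cookie `SameSite=Lax` would additionally keep it off cross-site subresource GETs, but that does nothing for an embed served from the forum itself, which is why the server-side method and token checks carry the weight here.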
It is entirely possible that this individual and their intentions are legitimate and benign. I am just warning people in case this escalates.
If nothing else, opening a thread and being logged out of your account is annoying. I'd like to help people avoid that.
Allowing users to make any kind of submission to your website immediately opens the door to a myriad of potential security risks. But there is no other way to operate a forum. You have to allow users to submit inputs to your site in some capacity.
However, this forum does seem to leave the door open to a range of bizarre functions while limiting other functionality for no apparent reason.
My suspicion is that this forum uses generic software on the front and back-end, and certain functionality has either been left on by default or turned on by mistake.
Meanwhile other needed features (such as an edit or delete button) remain unavailable, perhaps because the generic software does not offer that functionality or it does not function in line with the requirements or desires of the admins.
Why they do not create some custom functions to handle it is hard to say. But I would speculate that the admins do not have permission to edit it (either due to TPC mandates or the software provider's own licensing restrictions) or more worryingly, may not have people with the requisite skills to implement it.
But I doubt anyone on the admin or moderation teams will give us clear answers in any case.
3 -
@TheJeffers it seems like @SHELTINATOR2000 was banned
0 -
Maybe change your account passwords; it's possible they were able to compromise accounts with an exploit.
1 -
@clasingla Unsurprising.
@SuperSkyShaymin It's a good idea to change your passwords regularly in general. The longer a password has been in use, the longer it has been available to be compromised.
Remember to use longer, complex passwords with a mix of upper and lower case, numbers and punctuation if you can.
And don't use the same password on multiple websites. Your e-mail address especially, since that is the one weak link for multiple accounts.
2 -
@clasingla Yeah, he is banned.
0 -
Last seen: Jun 25, 2024 3:59 am
0