Welcome to the official Pokémon Forums!

Click here to review our official Rules & Guidelines.

SHELTINATOR2000: DO NOT OPEN THEIR THREADS

TheJeffers
TheJeffers Member Posts: 1,323 ✭✭✭✭✭
500 Agrees 1000 Comments 250 Likes 250 LOLs

This user claims to be some kind of security consultant testing the forum. Whether this is true or not, even viewing their posts can log you out of your account. The things they try in future could potentially have more adverse effects.

Even if their intent is benign, avoid opening their threads or viewing their posts, so that your account doesn't get deleted or something in their "tests".

Can the admins or mods confirm that this person is meant to be here doing what they are doing?

«1

Comments

  • puplover1118
    puplover1118 Member Posts: 531 ✭✭✭
    500 Comments 100 Agrees 5 Answers 25 LOLs

    For me, it only seems to be the "Just testing" discussion that logs me out.

  • TheJeffers
    TheJeffers Member Posts: 1,323 ✭✭✭✭✭
    500 Agrees 1000 Comments 250 Likes 250 LOLs

    For now.

    If this person is legitimately some white hat testing the forum security, they will not object to anyone contacting the mods to confirm this.

    If not, the sooner we draw attention to their activities and the more users we prevent from being adversely affected, the better.

  • Flametix
    Flametix Member Posts: 556 ✭✭✭
    500 Comments 100 Likes 100 LOLs 100 Agrees

    based on the title i thought this was going to be a return of the type of threads from last year

    https://www.pokemon.com/us/vulnerability-disclosure-program/

    also I like how under "issues not to report" in the vulnerability program link it mentions logout CSRF, so he probably won't even get a reward out of it even if he is legit. I don't know why this forum even lets you embed pages still, even though it seems to be limited to the forums themselves. i think the mods will get scared enough to do it if they get logged out but they should really just remove that feature.

  • TheJeffers
    TheJeffers Member Posts: 1,323 ✭✭✭✭✭
    500 Agrees 1000 Comments 250 Likes 250 LOLs

    It is entirely possible that this individual and their intentions are legitimate and benign. I am just warning people in case this escalates.

    If nothing else, opening a thread and being logged out of your account is annoying. I'd like to help people avoid that.

    Allowing users to make any kind of submission to your website immediately opens the door to a myriad of potential security risks. But there is no other way to operate a forum. You have to allow users to submit inputs to your site in some capacity.

    However, this forum does seem to leave the door open to a range of bizarre functions while limiting other functionality for no apparent reason.

    My suspicion is that this forum uses generic software on the front and back-end, and certain functionality has either been left on by default or turned on by mistake.

    Meanwhile other needed features (such as an edit or delete button) remain unavailable, perhaps because the generic software does not offer that functionality or it does not function in line with the requirements or desires of the admins.

    Why they do not create some custom functions to handle it is hard to say. But I would speculate that the admins do not have permission to edit it (either due to TPC mandates or the software provider's own licensing restrictions) or more worryingly, may not have people with the requisite skills to implement it.

    But I doubt anyone on the adin or moderation teams will give us clear answers in any case.

  • clasingla
    clasingla Member Posts: 3,117 ✭✭✭✭✭
    2500 Comments 500 Agrees 250 Likes 50 Answers

    @TheJeffers it seems like @SHELTINATOR2000 was banned

  • SuperSkyShaymin
    SuperSkyShaymin Member Posts: 75 ✭✭
    10 Comments 5 Agrees Name Dropper Photogenic

    Maybe change your account passwords, it's possible they were able to compromise accounts with an exploit

  • TheJeffers
    TheJeffers Member Posts: 1,323 ✭✭✭✭✭
    500 Agrees 1000 Comments 250 Likes 250 LOLs

    @clasingla Unsurprising.

    @SuperSkyShaymin A good idea to change your passwords regularly in general. The longer a password has been in use, the longer it has been available to be compromised.

    Remember to use longer, complex passwords with a mix of upper and lower case, numbers and punctuation if you can.

    And don't use the same password on multiple websites. Your e-mail address especially, since that is the one weak link for multiple accounts.

  • Flametix
    Flametix Member Posts: 556 ✭✭✭
    500 Comments 100 Likes 100 LOLs 100 Agrees

    The "exploit" is just embedding a frame of the logout url, which doesn't require authentication. It's so common it is listed as a non-issue on the vulnerabilities page as I pointed out.

  • Pokemaster9293
    Pokemaster9293 Member Posts: 759 ✭✭✭
    500 Comments 25 LOLs 25 Likes 25 Agrees

    @clasingla yea he is banned

  • Pokemaster9293
    Pokemaster9293 Member Posts: 759 ✭✭✭
    500 Comments 25 LOLs 25 Likes 25 Agrees

    last seen; Jun 25, 2024 3:59 am