Hi - I have found a few unexplained users of my password protected forum, who appear to be activated, even though I did not activate them, and there are no other administrators who could have
These users all have yahoo or gmail email accounts, bot-like usernames and none have completed the compulsory custom user profile fields that human sign-ups must fill in before they can submit their application, so they appear not to have signed up in the normal way.
All seem to have registered themselves between March 2014 - March 2015.
So far none appear to have posted anything, and I have banned them all, but am concerned at this apparent vulnerability.
I have the TapaTalk plugin installed - am not a user myself, but wondering if this plugin is known to provide access to forum bots ? Perhaps by failing to enforce custom user profile fields on signup, or failing to enforce the administrator activation requirement?
What should I do from here?
I guess the first thing to do would be to try and sign up via TapaTalk and see if it lets you sign up without entering the fields you require? There's every chance whatever API is uses doesn't check some things properly.
Thanks Matt.
With their latest plugin version Tapatalk claims they 'supports all custom and required fields' - though this doesn't seem to be happening.
I think I found the main problem though: in some update or other (presuming around March 2014), TapaTalk seems to have added a new option to auto approve TapaTalk signups, and set this to 'on' by default. I have now turned it off. Another default was assigning new users to an already approved user-group, rather than 'awaiting activation'.
I have contacted TapaTalk support - whatever else they change, they should not subvert the registration process by stealth in favor of their own platform - especially given they seem to claim an ability to detect web based registration requirements
ArchPrime - I encountered this on another board; if you go back into the settings group re on by default it may not have changed. Just an FYI.
(2015-03-20, 01:45 PM)Leefish Wrote: [ -> ]ArchPrime - I encountered this on another board; if you go back into the settings group re on by default it may not have changed. Just an FYI.
Thanks LeeFish. You are right! I checked, and in my case the auto approve setting was now still showing as off after I changed it yesterday - but another setting change I made was reverted ; sign up via 'in app registration' (I.e. within TapaTalk) had been switched back on, and still keeps reverting every time I set it to 'redirect to URL' (I.e.sign up within the web based forum page). A serious flaw!
Yup, I did manage to force them into the awaiting activation group and that helped, but I was very annoyed by this from Tapatalk.
I dont use it because I have a responsive theme, but the members do prefer Tapatalk regardless if they are members of many more forums that also use Tapatalk.
I have this exact same issue.
Around 10 random "yahoo" accounts being registered daily.
They all have "random name"@yahoo Email addresses and the User Names are always random with neatly placed Upper Case characters at strategic spots (IE: Email address would be "
[email protected]" and the user name would be "RaymundoAh").
I don't have any "questionable" plugins and have tightened requirements for posting and signatures.
Security question and capta are in place.
None of them ever post anything.
It's doing my freaking head in!
EDIT:
I have verified some of the random Email addresses and they just bounce back as undeliverable.
ANOTHER EDIT:
Doing a Google search on the above-mentioned "non-existant" Email address reveals ALL kinds of Protein, Abs and foreign language stuff that is all marketing stuff.