MyBB Community Forums

Full Version: You have entered an invalid secret PIN.
if you go to your admin cp, leave all of the form fields blank and hit 'login', it'll throw an error about an invalid secret pin. if you only type in the secret pin and hit 'login', it'll still tell you that you entered an invalid secret pin.

it seems that the error is defaulted to a message about an invalid secret pin. shouldn't that error be more ambiguous for security purposes like it is when you type in an incorrect username/password when trying to sign in to the front end?

"You have entered an invalid username/password combination."


mybb 1.8.4, clean install, no plugins.
if the secret pin is correct and the other fields are blank / incorrect then we get regular username / password incorrect message.

And yes, default error message is about secret pin and it needs to be changed.
Thank You Shemo for bringing this to notice. Developers will check & modify it as required.
(2015-04-14, 06:02 AM).m. Wrote: if the secret pin is correct and the other fields are blank / incorrect then we get regular username / password incorrect message.

And yes, default error message is about secret pin and it needs to be changed.
Thank You Shemo for bringing this to notice. Developers will check & modify it as required.

good catch.  I must have been entering the secret pin incorrectly when that was the only field filled out.

that said, I agree though that the error should be more ambiguous to not reveal what is and isn't right.
An empty pin is always wrong (if the value in the config.php is empty the field isn't displayed at all). I don't see a reason why we should display another error message then.
(2015-06-27, 06:42 PM)Jones H Wrote: An empty pin is always wrong (if the value in the config.php is empty the field isn't displayed at all). I don't see a reason why we should display another error message then.

I think by leaving what wasn't entered correctly a little more vague, it doesn't allow a hacker to hone in so easily.
As long as the PIN is incorrect it always shows the wrong PIN error - only if that is correct is the Username/Password error shown. The Captcha is handled similarly for the frontend. So as long as you don't know the PIN (or enter the captcha correctly) you can't brute force the Username/Password fields. While we could display the same error message for both errors I honestly doubt that'll make that much of a difference - and it's not really user friendly anymore. IMHO that's a change that shouldn't be in the core. If you really want to have the same error message you can simply change both language strings.

PS: If we wanted to show the same error message we'd also need to change the email/username selection as there are 3 different language strings (only username login, only email login or both).
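The two behaviours being debated above (PIN checked first with a factor-specific message, versus one generic message for every failed attempt) are easy to compare side by side. The following is an added illustration written for this thread, not MyBB's own PHP; the PIN, username, salt and hashing scheme are all constructed for the demo and do not reflect how MyBB stores admin credentials. Both variants compare secrets with `hmac.compare_digest`, and the uniform variant evaluates every factor before deciding, so neither the message nor the code path tells the caller which factor was wrong.

```python
import hashlib
import hmac

# Constructed demo credentials (not MyBB's real storage format).
PIN = "1234"
USERNAME = "admin"
SALT = "constructed-salt"
PASSWORD_HASH = hashlib.sha256((SALT + "correct horse").encode()).hexdigest()

# Messages modelled on the two language strings discussed in the thread,
# plus one generic string for the uniform variant.
MSG_PIN = "You have entered an invalid secret PIN."
MSG_CREDENTIALS = "You have entered an invalid username/password combination."
MSG_GENERIC = "Invalid login details."


def _eq(a: str, b: str) -> bool:
    """Length- and content-safe comparison; never short-circuits on the first differing byte."""
    return hmac.compare_digest(a.encode(), b.encode())


def check_pin(pin: str) -> bool:
    return _eq(pin, PIN)


def check_credentials(username: str, password: str) -> bool:
    """Evaluate both the username and the password hash, then combine, so
    a wrong username does not skip the hashing work."""
    digest = hashlib.sha256((SALT + password).encode()).hexdigest()
    name_ok = _eq(username, USERNAME)
    pass_ok = _eq(digest, PASSWORD_HASH)
    return name_ok and pass_ok


def login_factor_specific(username: str, password: str, pin: str):
    """The behaviour described in the thread: the PIN gates the form, and the
    message says which stage failed."""
    if not check_pin(pin):
        return False, MSG_PIN
    if not check_credentials(username, password):
        return False, MSG_CREDENTIALS
    return True, "ok"


def login_uniform(username: str, password: str, pin: str):
    """The suggested alternative: every factor is checked, and a failure
    always yields the same message regardless of which factor was wrong."""
    pin_ok = check_pin(pin)
    cred_ok = check_credentials(username, password)
    if pin_ok and cred_ok:
        return True, "ok"
    return False, MSG_GENERIC


def distinct_failure_messages(login_fn) -> set:
    """How many different error strings can a failed attempt produce?
    The attempts below are constructed to cover each combination of factors."""
    attempts = [
        ("", "", ""),                        # everything blank
        ("admin", "wrong", ""),              # good user, bad password, blank PIN
        ("", "", "1234"),                    # correct PIN only
        ("admin", "wrong", "1234"),          # correct PIN, bad password
        ("nobody", "correct horse", "1234"), # correct PIN and password, bad user
    ]
    return {msg for ok, msg in (login_fn(*a) for a in attempts) if not ok}


if __name__ == "__main__":
    print("factor-specific:", distinct_failure_messages(login_factor_specific))
    print("uniform:        ", distinct_failure_messages(login_uniform))
```

Run as a script, the factor-specific variant produces two different failure strings (so a caller learns when the PIN alone is right), while the uniform variant produces exactly one. Jones H's point also holds in this model: with the PIN gating the form, the credential check is only reachable once the PIN is known, which is why the thread treats the change as a consistency question rather than an urgent one.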
(2015-06-27, 08:01 PM)Jones H Wrote: As long as the PIN is incorrect it always shows the wrong PIN error - only if that is correct is the Username/Password error shown. The Captcha is handled similarly for the frontend. So as long as you don't know the PIN (or enter the captcha correctly) you can't brute force the Username/Password fields. While we could display the same error message for both errors I honestly doubt that'll make that much of a difference - and it's not really user friendly anymore. IMHO that's a change that shouldn't be in the core. If you really want to have the same error message you can simply change both language strings.

PS: If we wanted to show the same error message we'd also need to change the email/username selection as there are 3 different language strings (only username login, only email login or both).

I don't know if you're misunderstanding me or if I'm not understanding you. most login forms today do not tell you what is/isn't correct - they leave this vague so an attacker doesn't focus their efforts on the part they got wrong. I feel mybb should carry on with this practice, especially with the most important login form on the entire site.
Probably correct. Should the same apply to the 2FA page?
I agree with the suggestion, however the PIN is not being checked in the front-end, which would allow one to determine the correct username/e-mail & password combination nonetheless.

(2015-07-06, 08:30 AM)Omar G. Wrote: Should the same apply to the 2FA page?

What do you mean?
If the 2FA was incorrect it shouldn't tell so either. Not worth it but for consistency.