**11/16/2019 Attention GolfWRX community. If you had to rest your forum password, please see info**

*** 11/16/2019 Attention GolfWRX community. If you had to reset your forum password, please see info below. ***

GolfWRX was informed of a potential issue and in an effort to be proactive, Passwords were reset to users potentially effected. If you were among these users please use the forget password recovery link:

https://forums.golfwrx.com/entry/passwordrequest

Please email [email protected] if further help is required. We're sorry for any inconvenience.

Thanks for letting us know. This appears to be affecting several forums and you're the first one I visit to have actually given out an explanation.

Quick action and thanks for letting us know. No problem, ended up with a stronger password.

Thanks

My profile has totally changed. Is this being addressed as well?

> @edjhahn said:

> Thanks

>

> My profile has totally changed. Is this being addressed as well?

This has no relation to profile issues and please provide info on missing posts in another thread.

Golfwrx, providing great communication per usual. Thank you all!

I had to reset my password, but I just reset it to my original.

So where do I change my password? It was reset but can't see where to change it.

Never mind. Found it in the edit profile section.

What was the commonality in the group that required the reset? Was the integrity of the site compromised?

From Vanilla,

Here is the report.

https://status.vanillaforums.com/incidents/2zdqxf3bt7mj

Essentially, on Monday, November 11th, we released our 2019.016 patch. This patch included a vulnerability in our Quotes feature.

When users were quoted, their user data was output to the browser. This was not visible to the eye but , it could be accessed by:

Inspecting the network requests while quoting some user content.

Calling the /api/v2/media/scrape endpoint directly (with permission to view the scraped discussion or comment).

Inspecting the HTML of rich comment or discussion quotes.

Our users are asking if their passwords were compromised?

All users were at risk of being compromised, but only password hashes could have been leaked, as Vanilla does not store clear text passwords. We store salted and hashed passwords using BCRYPT with a cost of 10. The practical result of this is that any possibly leaked password hashes are not immediately usable for an attacker - they do not have your password, but rather a hash derived from your password. However, over time due to techniques such as Rainbow Tables (generating a list of hashes to compare with our hashes, a brute force approach) there is a risk of some passwords being recoverable, and hence the password reset. Doing a password reset is best industry practise even when possibly leaked credentials are hashed using a secure function such as BCRYPT.

So, for example, let's say I inspected the page, and looked at a Quote, I could look through the code and find a full user record - email, username, hashed password and more. This full record is generally not visible to the public and is guarded by various permission checks through Vanilla's controllers and API endpoints. We immediately patched a bug in our sanitization logic. Once the patch was in place, we forced all users to log out and forced a reset of all passwords as a preventative measure.

Was the entire community passwords reset?

Yes, all accounts were forced to reset their passwords; however, users who only login with Facebook or Twitter may not have had to reset their passwords, as those passwords are not stored in Vanilla.

Let me know if you have any further questions.

Thanks GX. Appreciate you sharing that.

> @Gxgolfer said:

> From Vanilla,

>

> Here is the report.

> https://status.vanillaforums.com/incidents/2zdqxf3bt7mj

>

> Essentially, on Monday, November 11th, we released our 2019.016 patch. This patch included a vulnerability in our Quotes feature.

>

> When users were quoted, their user data was output to the browser. This was not visible to the eye but , it could be accessed by:

> Inspecting the network requests while quoting some user content.

> Calling the /api/v2/media/scrape endpoint directly (with permission to view the scraped discussion or comment).

> Inspecting the HTML of rich comment or discussion quotes.

>

>

> Our users are asking if their passwords were compromised?

>

> All users were at risk of being compromised, but only password hashes could have been leaked, as Vanilla does not store clear text passwords. We store salted and hashed passwords using BCRYPT with a cost of 10. The practical result of this is that any possibly leaked password hashes are not immediately usable for an attacker - they do not have your password, but rather a hash derived from your password. However, over time due to techniques such as Rainbow Tables (generating a list of hashes to compare with our hashes, a brute force approach) there is a risk of some passwords being recoverable, and hence the password reset. Doing a password reset is best industry practise even when possibly leaked credentials are hashed using a secure function such as BCRYPT.

>

> So, for example, let's say I inspected the page, and looked at a Quote, I could look through the code and find a full user record - email, username, hashed password and more. This full record is generally not visible to the public and is guarded by various permission checks through Vanilla's controllers and API endpoints. We immediately patched a bug in our sanitization logic. Once the patch was in place, we forced all users to log out and forced a reset of all passwords as a preventative measure.

>

> Was the entire community passwords reset?

>

> Yes, all accounts were forced to reset their passwords; however, users who only login with Facebook or Twitter may not have had to reset their passwords, as those passwords are not stored in Vanilla.

>

> Let me know if you have any further questions.

you should modify the logic for password reset to prevent people from providing the same password during the update.

So is GolfWRX also going to let the the users now know the original passwords have been compromised? ...and that they should reset all the accounts they used the same password for also? I see one guy here in this thread already point out his stupidity by boasting about how he actually changed the password to match his old password.. Seems like the point of changing the password was bit lost for him..

> @Hedgehog said:

> So is GolfWRX also going to let the the users now know the original passwords have been compromised? ...and that they should reset all the accounts they used the same password for also? I see one guy here in this thread already point out his stupidity by boasting about how he actually changed the password to match his old password.. Seems like the point of changing the password was bit lost for him..

this is so common i wouldn't call someone who did this stupid. many people use the exact same email + password combo for multiple accounts. they just don't realize how unwise of a practice that is. devs and product folks are in a good position to not only prevent people from using the same password but also making better security decisions. a little logic and some help text could go a long way toward this end. spreading the word about (e.g.) password managers would be even better.

So, I changed my password, have to reset it every time I try to login, have lost all my history.

Hey, I got my history back! Yay ....

Is this at all in relation to posts disappearing? I've made countless that have been deleted in the past months since the move of forum styles.

Thx for sharing.

We had a briefing with Vanilla

GolfWRX was not one of the customers that was effected by the vulnerable code as we did not use the Rich editor at the time.

Logs were reviewed by Vanilla and they have confirmed no exposure.

All good stuff, thanks Gxgolfer!

P.S. Is anyone else's password as tired as mine?

I wasn't sure if the issue was legitimate so changed all of my various passwords to a more robust password.

Mine was way tired...years tired