By (user no longer on site) OP
over a year ago
Plenty of Fish was "hacked" this week, so change your password to something else, and also of course never use the same password for any site!
Does Fab store passwords and other details in plain text?
Anyhow, POF made the numpty mistake of not using a parametrised SQL command builder, so you could do the "little Bobby Tables" exploit on them!
Cheers!
By *harpDressed ManMan
over a year ago
Here occasionally, but mostly somewhere else
"
Anyhow, POF made the numpty mistake of not using a parametrised SQL command builder, so you could do the "little Bobby Tables" exploit on them!
"
We're lucky that you're here to explain that.
I'm sure we can all learn from this.
By (user no longer on site)
over a year ago
"
not using a parametrised SQL command builder, so you could do the "little Bobby Tables" exploit on them!
Cheers!"
Yeah, I was thinking the exact same thing.
By (user no longer on site) OP
over a year ago
Heh, sorry!
Basically SQL is the "language" you talk to the database in. So:
SELECT UserName FROM users
gets all the user names from the users table. With me so far?
Well, you can add filters on so you only find what you are after:
SELECT UserName FROM users WHERE Age > 18 AND Age < 40 AND Gender = 'Female'
and so on.
But those filters come from what the user picks and/or settings, and so if you are not careful and don't do your back-end programming properly, clever users can change these parameters so that 18 could become:
'; SELECT Password FROM users;'
Which in the case of POF resulted in the password being returned for all users.
It's known as an SQL injection exploit. Scarily common on many sites.
Anyhow, as a rule of thumb I never use my exact DOB or postcode on any site, just in case. For the extra paranoid, you could set up different Hotmail accounts!
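Worked example, added here and not part of any post in this thread: the search the post above describes, written once with the filter values pasted into the SQL text (the mistake being discussed) and once with bound parameters, run against a constructed in-memory SQLite table. The table and column names follow the post's SQL; the sample rows and the attacker payload are constructed. The post's payload stacks a second statement after a ";" but Python's sqlite3 refuses stacked statements, so the payload here uses UNION to pull the Password column into the same single statement, which is the same class of attack with the same outcome: every user's password comes back from a query that was only meant to return names.

```python
import sqlite3

# Constructed sample data, not from the page: a users table that keeps
# passwords in plain text, as the thread says some sites do.
SAMPLE_USERS = [
    ("alice", 25, "Female", "hunter2"),
    ("bob",   31, "Male",   "letmein"),
    ("carol", 52, "Female", "correct horse"),
]

# Attacker-controlled value for the minimum-age filter (constructed payload).
# UNION appends the Password column to the result; "--" comments out the rest
# of the original WHERE clause so the statement still parses.
MALICIOUS_MIN_AGE = "0 UNION SELECT Password FROM users --"


def make_db():
    """In-memory SQLite database with the table the post talks about."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (UserName TEXT, Age INTEGER, Gender TEXT, Password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def search_vulnerable(conn, min_age, max_age, gender):
    """The mistake the post describes: filter values pasted into the SQL text,
    so whatever the client sent becomes part of the statement."""
    sql = (
        "SELECT UserName FROM users "
        f"WHERE Age > {min_age} AND Age < {max_age} AND Gender = '{gender}'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_parameterised(conn, min_age, max_age, gender):
    """Same query with placeholders: the driver binds the values, so input can
    never change the structure of the statement."""
    sql = "SELECT UserName FROM users WHERE Age > ? AND Age < ? AND Gender = ?"
    return [row[0] for row in conn.execute(sql, (min_age, max_age, gender))]


def demo():
    """Run both versions with a normal search and with the injected filter."""
    conn = make_db()
    results = {
        "vulnerable_normal": search_vulnerable(conn, 18, 40, "Female"),
        # Names of every user plus every plain-text password, in one result set.
        "vulnerable_attack": sorted(
            search_vulnerable(conn, MALICIOUS_MIN_AGE, 40, "Female")
        ),
        "parameterised_normal": search_parameterised(conn, 18, 40, "Female"),
        # The bound payload is compared against the INTEGER column as a string;
        # no row matches and no second SELECT is ever parsed.
        "parameterised_attack": search_parameterised(
            conn, MALICIOUS_MIN_AGE, 40, "Female"
        ),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Binding parameters fixes the structural problem, but it does not replace input validation: an age filter should still be converted to an integer before it reaches the query, and, as the later posts in this thread point out, the passwords should not have been sitting in the table in plain text in the first place.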
By (user no longer on site) OP
over a year ago
"So as a result of this hacking, do you think I'll get more emails from hot, single guys then? I wouldn't see a downside if that happened."
Well, if you moved closer to me, I'd message you every day.
By (user no longer on site)
over a year ago
I too wondered why I had to change the password which I've been using for a while, and naughtily I do tend to use the same or variations of it on other sites.
Thanks for the explanation.
By (user no longer on site) OP
over a year ago
"It would seem many POF members are on here too... do you swing on both sites, or date and swing separately?"
I just keep a lookout for single women in my area. I think they are all hiding on wehatesinglemenandarelesbians.com
"Heh, sorry!
Basically SQL is the "language" you talk to the database in. So:
SELECT UserName FROM users
gets all the user names from the users table. With me so far?
Well, you can add filters on so you only find what you are after:
SELECT UserName FROM users WHERE Age > 18 AND Age < 40 AND Gender = 'Female'
and so on.
But those filters come from what the user picks and/or settings, and so if you are not careful and don't do your back-end programming properly, clever users can change these parameters so that 18 could become:
'; SELECT Password FROM users;'
Which in the case of POF resulted in the password being returned for all users.
It's known as an SQL injection exploit. Scarily common on many sites.
Anyhow, as a rule of thumb I never use my exact DOB or postcode on any site, just in case. For the extra paranoid, you could set up different Hotmail accounts!"
You missed the * FROM users, mate.
By (user no longer on site) OP
over a year ago
"
You missed the * FROM users, mate.
...And a fair amount of irony..."
Irony? I just wear my clothes creased instead!
As for the "* FROM", the exploit only works for a single specified field! (Search YouTube and you'll find a vid of the exploit, which is now fixed, btw.)
By (user no longer on site) OP
over a year ago
Nah, the login page is just there to make you change your password, but the system will still authenticate against the old password.
Do change it though, as I *hope* it means the new passwords are encrypted...
I can't believe that in this day and age a massive site like POF would be sending out regular weekly e-mails with a password in plain text. It really beggars belief that the security was so lax.
The guy who runs it sounds like a bit of a nutter as well.
Hopefully this will have given them a kick up the backside to hire a security expert who knows what they're doing.
By (user no longer on site)
over a year ago
"It would seem many POF members are on here too... do you swing on both sites, or date and swing separately?"
I just try and get as much sex as possible, don't care which site it comes from.
By (user no longer on site) OP
over a year ago
"I can't believe that in this day and age a massive site like POF would be sending out regular weekly e-mails with a password in plain text. It really beggars belief that the security was so lax.
The guy who runs it sounds like a bit of a nutter as well.
Hopefully this will have given them a kick up the backside to hire a security expert who knows what they're doing."
You'd be amazed at what I have seen sites store in their database (big and small). Many store critical data in plain text (passwords, home phone numbers and the like). One even stored credit card details and the CVV (3-digit security code) in plain text. We promptly deleted all that data, then informed them about breaching several PCI guidelines/rules!
By *edhotminxWoman
over a year ago
Turn left at the Singing Ringing Tree
"The guy who runs it sounds like a bit of a nutter as well."
I read an article about the man who set up POF on the internet, a very interesting read. He's allegedly nicknamed his own site 'Plenty of Losers'.