User accounts can easily be hacked?

zahid wadiwale Posted in Technical Support 7 years ago

An important message to the OSSN team. User accounts can easily be hacked in OSSN, since hackers can easily get usernames by clicking on a profile: the username of the user is displayed in the URL. This can make a hacker's work easier. I request the OSSN core team to fix this issue quickly. Also, there is a piece of advice for the OSSN team: they can simply make a component for login with email instead of username to fix this issue temporarily. Also, I request that, if possible, you hire an ethical hacker to increase the security of the OSSN platform.
Regards from me to ossn team

Replies
ph TheDoggyBrad Software Lab Replied 2 years ago

@zahid wadiwale Yes, I agree with you, but this is not actually a vulnerability. This is just Step 1 for a hacker, meaning if the username has been inputted and, let's say, a super weak password has been guessed by the hacker, then there is a small possibility that hacking can happen. This is just hypothetical, and more likely it will not happen. But some popular social media platforms do not allow the use of usernames for login (but I prefer not to mention a name/brand).

By the way, I have made a component (based on the OSSN Core code and Arsalan's discontinued component) to allow logins using the email address only, thus making the username unusable for login.

You can have a try here: https://www.opensource-socialnetwork.org/component/view/6579/strict-email-login
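The email-only login idea from the reply above, as an added PHP example that is not part of the original post and is not code from OSSN core or the Strict Email Login component. The in-memory user store, the `email_only_login` function and the sample account are assumptions made for illustration.

```php
<?php
// Added illustration; hypothetical names, not OSSN's API.
// Constructed sample account: the username is public (it appears in the
// profile URL), the email address is the only accepted login identifier.
$users = [
    'alice@example.test' => [
        'username' => 'alice',
        'hash'     => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ],
];

// Hash that is verified when no account matches, so a rejected identifier
// and a wrong password cost roughly the same work and look the same.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

function email_only_login(array $users, string $dummyHash, string $identifier, string $password): bool
{
    $identifier = strtolower(trim($identifier));

    // Anything that is not syntactically an email address (for example a
    // username copied from a profile URL) never reaches the account lookup.
    $isEmail = filter_var($identifier, FILTER_VALIDATE_EMAIL) !== false;
    $record  = $isEmail ? ($users[$identifier] ?? null) : null;

    // Always run one salted, slow hash verification.
    $hash = $record['hash'] ?? $dummyHash;
    $passwordOk = password_verify($password, $hash);

    // Single boolean result: the caller shows one generic failure message
    // whether the identifier or the password was the problem.
    return $record !== null && $passwordOk;
}

// Case 1: public username with the right password.
var_dump(email_only_login($users, $dummyHash, 'alice', 'correct horse battery staple'));
// Case 2: email address with a wrong password.
var_dump(email_only_login($users, $dummyHash, 'alice@example.test', 'guess123'));
// Case 3: email address with the right password.
var_dump(email_only_login($users, $dummyHash, 'Alice@Example.test', 'correct horse battery staple'));
```

Only the third call succeeds; the first two return the same failure, so the response does not reveal whether the identifier or the password was wrong.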

gb Rishi B Replied 7 years ago

lol @ easily hacked.

gb Kevin B Replied 7 years ago

That's a good reply, thank you Matthew.

us Matthew Sweet Replied 7 years ago

Zahid,

I can get your username by clicking on your profile in Facebook. Does that make your account any easier to hack? Same goes for Google+, Twitter, Instagram, MySpace, et al.

The "difficulty" in hacking doesn't start at username discovery. Even if I had a username, I would still need access to the database table which stores the information, the algorithm used to hash passwords, the salt, and a number of other things the common desktop computer would take +years to break. A "hack" is by definition a term that indicates exploitation or altering of code.

Simply put, knowing someone's username != hack. It's conducive of nothing other than knowing the identifier someone chooses to go by. That's more of a concern left to user discretion and has nothing to do with OSSN.

I am an ethical hacker and red team analyst.

Indonesian Arsalan Shah Replied 7 years ago

This is totally false and didn't result in any hack; this is not an issue.