Lingering 2.8.4 Password Vulnerability (sorta) (1 post)

  1. nickel
    Posted 6 years ago

    Hey all,

    I upgraded all of my sites to 2.8.4 a while back, and this was supposed to solve the password vulnerability problem. Here's the thing...

    This morning I awoke to find a notification from one of my sites that someone had requested a password reset. That was immediately followed by an e-mail saying that the password had been reset, though it didn't actually include a new password.

    Curious, I logged in (I typed the url directly, didn't follow the link in the e-mail) and found that my original password still works. Once I was logged in, however, I was greeted by a message saying that I was using an auto-generated password, and asking if I wanted to change it.

    Has anyone seen anything like this?


    A few notes:
    - The e-mail address and domain have nothing in common, so this doesn't appear to be a case of social engineering
    - The link included in the original e-mail is legit (I viewed the source)
    - I ended up resetting the password myself and all of the e-mails looked identical to what I originally received
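The sequence nickel describes (a reset request, a "password has been reset" mail without a new password, and the original password still working) is what a correctly built two-step reset flow produces when only the first step has happened: requesting a reset must never change the password, and the "auto-generated password, change it?" nag should only be set once a valid key has actually been redeemed. The model below is an added example for this thread, not WordPress code; the account store, the in-memory outbox standing in for e-mail, the key lifetime and the key format are all assumptions made for illustration.

```python
"""Two-step password-reset model: request_reset() mails a key and changes
nothing else; redeem_reset() changes the password only if the key validates.

Added example, not WordPress code. Account store, outbox, key TTL and key
format are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

KEY_TTL_SECONDS = 24 * 3600  # assumed lifetime of a reset key


def _hash(value: str, salt: str) -> str:
    return hashlib.sha256((salt + value).encode()).hexdigest()


class Account:
    def __init__(self, login: str, password: str) -> None:
        self.login = login
        self.salt = secrets.token_hex(8)
        self.pw_hash = _hash(password, self.salt)
        self.reset_key_hash: Optional[str] = None  # only a hash of the key is stored
        self.reset_key_expires = 0.0
        self.password_was_generated = False        # drives the "change it?" nag

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))


class ResetFlow:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[str, str]] = []  # (login, message), stands in for e-mail

    def add(self, account: Account) -> None:
        self.accounts[account.login] = account

    def request_reset(self, login: str, now: Optional[float] = None) -> None:
        """Step 1: generate a key and mail it. Must not touch the password."""
        now = time.time() if now is None else now
        acct = self.accounts.get(login)
        if acct is None:
            return  # same silence as success, so logins cannot be enumerated
        key = secrets.token_urlsafe(24)
        acct.reset_key_hash = _hash(key, acct.salt)
        acct.reset_key_expires = now + KEY_TTL_SECONDS
        self.outbox.append((login, "reset key: " + key))

    def redeem_reset(self, login: str, key: object, now: Optional[float] = None) -> Optional[str]:
        """Step 2: validate the key; only then set a new generated password."""
        now = time.time() if now is None else now
        acct = self.accounts.get(login)
        if acct is None or not isinstance(key, str) or not key:
            return None  # missing or non-string keys are rejected outright
        if acct.reset_key_hash is None or now > acct.reset_key_expires:
            return None  # no outstanding request, or the key has expired
        if not hmac.compare_digest(acct.reset_key_hash, _hash(key, acct.salt)):
            return None
        acct.reset_key_hash = None  # single use: consume before changing anything
        new_password = secrets.token_urlsafe(12)
        acct.salt = secrets.token_hex(8)
        acct.pw_hash = _hash(new_password, acct.salt)
        acct.password_was_generated = True
        self.outbox.append((login, "new password: " + new_password))
        return new_password


def last_mailed_value(flow: ResetFlow) -> str:
    """Pull the key or password out of the most recent outbox message."""
    return flow.outbox[-1][1].split(": ", 1)[1]
```

The check a site owner would want after receiving mails like the ones in the post is exactly the one nickel did: log in with the old password. In this model that succeeds after `request_reset` and after any failed `redeem_reset` (wrong key, expired key, non-string key), and only fails once a valid key has been consumed.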

Topic Closed

This topic has been closed to new replies.
