PistonHeads Forum not secure - change your passwords!

TOPIC CLOSED

AndrewEH1

Original Poster:

4,917 posts

154 months

Wednesday 25th January 2017
Here's hoping I don't get an instant ban...I'd ask for Mod from our Community to leave this thread in the Lounge so it doesn't get ignored by the majority of the Community. I guess PH/Haymarket employees might feel differently.

For those who use Google Chrome to browse the internet and these forums you might notice in the coming week or so a pop-up appearing as shown in this thread:

http://www.pistonheads.com/gassing/topic.asp?h=0&a...

This will highlight an issue that PH/Haymarket have been aware of for well over a year and have made no progress on fixing it as highlighted in this thread:

http://www.pistonheads.com/gassing/topic.asp?h=0&a...

The short version is that these forums are not secure, especially if you ever log in to this site via a public WiFi connection and log in using an email address.

I beg all users to please change their PH password to a unique one that you don't use for any other online accounts, especially online banking.

I know we are often told to use separate passwords for every online account but most people (myself included) ignore this advice from time to time. The problem is that PH is so unsecure in comparison to most other websites you might log in to that you can be vulnerable to man-in-the-middle and eavesdropping attacks, which can let attackers gain access to your PH account and in turn your email and other online accounts if you use the same or similar passwords.

Please make sure your PH password is unique to PH so your chances of being hacked are reduced.

NiceCupOfTea

25,298 posts

252 months

Wednesday 25th January 2017
Thanks for that - I had read that thread before but not got around to it. It is pretty poor and doesn't reflect well on Haymarket's opinion of the forum users.

GreigM

6,733 posts

250 months

Wednesday 25th January 2017
Agreed - people need to treat their PH account as a throw-away. Use a unique email address as well so as not to link it to any other accounts.

AndrewEH1

Original Poster:

4,917 posts

154 months

Wednesday 25th January 2017
GreigM said:
Agreed - people need to treat their PH account as a throw-away. Use a unique email address as well so as not to link it to any other accounts.
Not a bad idea using a throwaway email address!

PH/Haymarket has left the average user completely in the dark regarding the severity of this issue.

pincher

8,630 posts

218 months

Wednesday 25th January 2017
Can't see why you'd get a ban for that or for the thread to be deleted - all you have done is highlight a glaring vulnerability to a wider audience than would probably be normal if it was contained to Website Feedback.

In truth, it's something that PH should be thanking you for in the absence of it being highlighted to their user base via an email update.

Will be interesting to see what happens to you and this thread.....

Edited by pincher on Wednesday 25th January 13:22

Europa1

10,923 posts

189 months

Wednesday 25th January 2017
Is this why the forums are occasionally littered with threads about cheap kitchens (usually in some sthole of a town)?

Ace-T

7,719 posts

256 months

Wednesday 25th January 2017
Anyone know how to change their email addy? It is greyed out on my account details and won't let me change it.

AndrewEH1

Original Poster:

4,917 posts

154 months

Wednesday 25th January 2017
pincher said:
In truth, it's something that PH should be highlighting to their user base themselves by a mass email update.

Will be interesting to see what happens......
They'd probably end up CCing everyone instead of BCCing...

AndrewEH1

Original Poster:

4,917 posts

154 months

Wednesday 25th January 2017
Ace-T said:
Anyone know how to change their email addy? It is greyed out on my account details and won't let me change it.
You'll need to contact PH directly to do that.

feef

5,206 posts

184 months

Wednesday 25th January 2017
pincher said:
Can't see why you'd get a ban for that or for the thread to be deleted - all you have done is highlight a glaring vulnerability to a wider audience than would probably be normal if it was contained to Website Feedback.

In truth, it's something that PH should be highlighting to their user base themselves by a mass email update.

Will be interesting to see what happens......
In the other thread, posts were deleted which demonstrated how easy it was to obtain password information. The information and methods they described are not some 0-Day exploit but common tools that many use, from security professionals and auditors right through to black-hat hackers.

That they are already willing to delete posts demonstrating the vulnerability suggests it wouldn't take a great leap to delete posts highlighting it too.

pincher

8,630 posts

218 months

Wednesday 25th January 2017
AndrewEH1 said:
They'd probably end up CCing everyone instead of BCCing...
Surely not?!? wink

Tonsko

6,299 posts

216 months

Wednesday 25th January 2017
Thing is, if you changed your passwords, they would still be in the clear... you'd have to use a new password every time you connected to the forum!

thebraketester

14,290 posts

139 months

Wednesday 25th January 2017
Tonsko said:
Thing is, if you changed your passwords, they would still be in the clear.. .you'd have to use a new password every time you connected to the forum!
Correct... but if you use the same password on PH as you do for all your other online activity this becomes a problem.... hence the suggestion to use a separate PH password.

PoleDriver

28,657 posts

195 months

Wednesday 25th January 2017
scratchchin
So, to keep things safe we should use a unique password for PH?
And we should also use a unique email address for PH and must request PH admin to change?
idea Somebody is going to get really busy in 3...2...1...

AndrewEH1

Original Poster:

4,917 posts

154 months

Wednesday 25th January 2017
PoleDriver said:
scratchchin
So, to keep things safe we should use a unique password for PH?
And we should also use a unique email address for PH and must request PH admin to change?
idea Somebody is going to get really busy in 3...2...1...
That would be inconvenient...

King Herald

23,501 posts

217 months

Wednesday 25th January 2017
PoleDriver said:
scratchchin
So, to keep things safe we should use a unique password for PH?
And we can't change the password ourselves and must request PH admin to change?
idea Somebody is going to get really busy in 3...2...1...
I can change mine, no grey areas.

Do you want me to do yours too? biggrinbiggrin

AndrewEH1

Original Poster:

4,917 posts

154 months

Wednesday 25th January 2017
I'd like to make it clear that even though I only mentioned Google Chrome in the OP, this security flaw will affect all users no matter what operating system, web browser or device used.

motco

16,003 posts

247 months

Wednesday 25th January 2017
Ace-T said:
Anyone know how to change their email addy? It is greyed out on my account details and won't let me change it.
I cannot change mine either

Funk

26,338 posts

210 months

Wednesday 25th January 2017
AndrewEH1 said:
Ace-T said:
Anyone know how to change their email addy? It is greyed out on my account details and won't let me change it.
You'll need to contact PH directly to do that.
I've done exactly this, changed to a masked email which isn't used anywhere else.

As a longer-term user I don't have to pay for an advert if I list something - do those that do have to pay get taken to a secure payment page or is that done through unsecured pages as well?

jeremyc

23,702 posts

285 months

Wednesday 25th January 2017
motco said:
Ace-T said:
Anyone know how to change their email addy? It is greyed out on my account details and won't let me change it.
I cannot change mine either
Read these instructions. readit
