Last night I was made aware of a glaring problem with TNH site security by a helpful site member, Drew Butler (thanks Drew!).
It turns out in a code update I made around New Year I had left in some testing code that bypassed password security, meaning that you could login as any user using any password.
I fixed the problem last night and logged out all users as a precaution.
There were two basic classes of exploit associated with this issue:
1) Write – post as another user. I haven’t seen any instances of this, but please let us know if you think it may have happened
2) Read – a malicious user could access another’s account to read their private messages.
Additionally, a malicious user could change their victim’s password. This appears to have happened on at least one occasion. If this has happened to you please let us know, and reset your password through the password reset function.
This is obviously very embarrassing to me, and I apologize for any inconvenience that may have been caused. The irony that this occurred when I made a change to login to make your passwords more secure is not lost on me.
If you have any concerns about this or want more information, please post here or send mail to email@example.com