While testing my site I came across this security issue which basically tells the hackers what they need to know to hack a profile... Maybe some of you haven't noticed this...
When you click on someone's profile and want to send them a message, their user login name is given. This is a major security issue. This was happening on profiles also, so what I did was create a "New Item" and named it "Display_Name" and inserted it on the pages like the profiles & join page, but I can't fix the issue on sending a message. I went to compose.php because it's the page used to create the message, but I can't find what code to change to display the "Display_Names" block instead of the username... Check out the image below. If anyone can please post a fix for this, I'm sure it will help a lot of sites not get hacked... I think this simple security issue has been overlooked... Thanks.

I'm confused. Tell me again... how is this a major security issue? My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Very simple, when you click on send message to someone, it gives you the actual log-in name for the person to their account. That's 50% of the battle won for the hackers...
So what? My login name on this site is houstonlively. Start hacking. My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
I'm confused too... almost every site I'm a member of has the member name the same as the login. Also, all the email sites have your login as your email... where is the problem?
So what? My login name on this site is houstonlively. Start hacking.
Well, I'm not a hacker so you win, but this really makes it easier for hackers since your log-in is given to them; whatever script they use to hack can crack your profile with the log-in username... That's why every site says not to give your username to anyone...
I'm confused too... almost every site I'm a member of has the member name the same as the login. Also, all the email sites have your login as your email.. where is the problem?
Most of those sites have your display name, not your actual log-in user name. Example: if you have a MySpace account, your display name is not your login name; this is to protect user log-in information as a security measure... Have you noticed that every time you set up an account at any site it asks for the following:
User name:
Display Name to the community:
They do that for security measures; your display name is not your account log-in name. The way this is set up, you are giving hackers your log-in to your account; all they have to do is crack your password, which is easy because they have your account log-in...
Tell you what micky. I'll set up a myspace account and give you the password. You can't have the login name though. Even if you pasted that password on every hacker site on earth, they still would not be able to get into that account.
Your 'security issue' is a non-issue.
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
lol... Have you gone to "YouTube" and typed "HackMyspace" and had hackers show what they do and hack an account right in front of you?
Another question: who will hit the ball better, a baseball player who knows a fastball is coming or one that doesn't?
With all the internet security problems out there I really feel that displaying your actual log-in name is an issue. I for one take precautions before they happen. I already prevented the username from displaying on profiles and I'm trying to fix this, as I see it as a potential way to give hackers easy access to information they shouldn't have. I mean, if I was a hacker and you gave me your actual account user-login name I would say "Thanks, now I can hack your profile or site quicker"... Anyhow, when I find a fix for this I'll post it on here for anyone who would like to take precautions against hackers...
OK, once you stop the user name from displaying, what are your members going to use for a screen name? My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Ok, I figured this part out and then came across the e-mail issue, and that's why I posted this, but to prevent this at least on the profile do the following:
Go to Admin > Field Builder & choose profile view, create a new_item and name it "Display_Name", insert the block into it and remove the block that says "NickName". Now insert that block into all other pages like "Join Form", "Edit Profile", "View Profile" and any other page where the "NickName" block was, but keep it in the "Join" field because it's needed, but also add the "Display_Name" block... What you are basically doing is replacing the "NickName" block with the "Display_Name" block. This will help not display the actual member log-in information...
Now, the issue I posted was that I couldn't modify this when someone wants to send a mail... The username field is still there...
Here is an example of what I did. This will at least not display your log-in on the profile; add the same block on other fields like the Join form so members can choose a display name.

It is possible to at least "de-emphasize" usernames in a Dolphin install. I know, because I have done it. I have to tell you though, it is a TON of work - there are probably a dozen or so mods you will have to do to make it work. I did this because I am working on a business site where I want people to use their real names, and I am not a big believer in anonymous communication anyway. I agree with Houston though - it is not a huge risk, and if you are just starting your site, you should concentrate on your "mission" - not on being overly paranoid about security. The screen you have posted can only be seen by people who have already logged in. How much energy do you think someone would spend to "crack" a member profile? - and what would they get if they did - mostly just the information that is public anyway; they wouldn't get any credit card numbers or anything like that. Dolphin has enough real problems - let's not make up new ones.
Good point, you're correct, really the information they will be getting is not much and it's public anyway. I've been reading a lot on security issues with Dolphin and thought this might be a potential issue to Dolphin users & the hacking problems I've been reading about... But yes, what will they get out of hacking a profile only? But on the other hand, you don't want your members telling you their profiles were hacked by a newbie hacker with nothing to do... Anyhow, hopefully this thread will show other Dolphin users at least how to prevent the actual log-in info being displayed on the profile and help out a bit.
micky, just to clarify my position a bit... Although I do not share your opinion that this is a security issue, I do like your idea of login credentials separate from the displayed screen name. I actually asked for this very thing in a blog post as a new feature for Dolphin 7, where I wanted to use the email address for a login, and a screen name that can have multiple words and spaces... kinda like a real name. It would be nice to be able to change ALL of your login info without affecting your screen name.
So, we agree that this should be a feature... just not for the same reasons.
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Houston, Did you know you can use the email address as a login right now? I was on this forum for more than a year before I learned this - go ahead and try it - I was shocked when I found that this worked. I also got "support for real names" as a feature they are going to build into D7 - it is on that list of things they are working on.
Yeah, I knew that. I just would like it to be detached from your ID so that screen names can be a plain old text field.
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.