Possible security hole


#1

My forum just got hit with a ton of spam posted by a bunch of different spammers, and 5 of them had what I can only assume are fake Patreon usernames, e.g., patreon_9997175. Could that be due to a security hole in the plugin?


#2

Usernames in WP of the form patreon_xxxxx (where xxxxx is an integer) belong to valid accounts that logged in to your WP site via Patreon.

When a user was not logged into your site before logging in via Patreon, the plugin creates a new WP account for the user and uses the patreon_ prefix plus the user's Patreon id for the rest. It's a generated username.

If a user was already logged into your WP site before logging in via Patreon, then the existing WP account is linked to the Patreon account.

So these are valid users from Patreon who logged into your site. For example, the user you mentioned seems to be the user below at Patreon:

This may be a spam account opened at Patreon.

So from the first look, it seems that a spam account was created at Patreon, and then legitimately used to log into your site via the plugin.

It wouldn't be a security hole, just another case of spam.


#3

Thanks for responding. The thing is, these are 5 new Patreon accounts, created this morning, but I have not received notification of any new Patrons today. So how can they be valid? Is it possible to create a Patreon account without actually supporting a creator?


#4

I believe you can indeed create a Patreon account before supporting a creator.

And our plugin allows Patreon users to log in to your site even if they are not your patrons. So in that sense, the plugin also works kind of like a social login, and Patreon users can easily log into your site.

It's very good since it allows users to log in to your WP site instead of having to deal with registration, activation, entering their username/password and all that hassle, but if there is a spammer account at Patreon, they can also easily log in.

Though spam accounts at Patreon are an issue that needs to be handled on the Patreon.com side, letting users log in via Patreon only if they are your patrons is something on the plugin side, and it is an interesting point.

I’ll bring this to the attention of our plugin team.


#5

Thanks, I think “letting users log in via Patreon only if they are your patron” is a very good idea.

I’ve reported the spam accounts to Patreon.


#6

I thought that because the plugin allows you to set a support level on a post, only my supporters could log in?

Are you saying that anyone who supports anyone else at the required level could get access to the page?

For instance I have set up this page as a test for my Patrons: http://www.MCrider.com/Patron-Test

Can anyone who has a Patreon account, regardless of whether they are my supporter, get to that page?


#7

They didn’t log into my Patreon posts (afaik) - they logged into my forum to post spam.

I just tested your link - I was asked to confirm my pledge of $1, did not get access to the page.


#8

OK, thanks. That is what I am testing for, as I intend to set up a forum on MCrider for Patrons. Hopefully, it won't get filled with spam posts, as that has been a never-ending battle in the past.

Thanks for testing, Kevin


Stopping Spam Accounts Registering
#9

OK, thanks. That is what I am testing for, as I intend to set up a forum on MCrider for Patrons. Hopefully, it won't get filled with spam posts, as that has been a never-ending battle in the past.

If you make your forum patron-only, it would work. I.e., marking the forum pages patron-only for the ~$1 level. This would prevent non-patrons from seeing and using the forum.

The team is in favor of introducing an option to prevent non-patrons from logging in via Patreon. This will also be a solution for spammers coming via Patreon. It's possible that I can put it into the next release (1.1.0) with image locking. If not, it will possibly make it into an interim release very soon after that.
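The decision logic discussed across this thread (#2: how the patreon_<id> username is generated and when an existing WP account is linked instead; #4 and #9: the proposed "patrons only" login option and patron-only page gating at a pledge level) can be modelled in a few functions. The block below is an added illustration written for this page and is not the plugin's own code; the campaign id, the pledge/identity data shapes, the cent amounts, the rule that a declined pledge does not count, and the sample identities are all assumptions or constructed data. The last function is an admin-side check a forum owner could run over their WP user list to flag patreon_<id> accounts that have no qualifying pledge to their campaign.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Assumed id of the site owner's own Patreon campaign (hypothetical value).
MY_CAMPAIGN_ID = 12345


@dataclass(frozen=True)
class Pledge:
    campaign_id: int      # which creator this pledge goes to
    amount_cents: int     # pledge amount in cents
    declined: bool = False  # assumption: a declined payment makes the pledge inactive


@dataclass
class PatreonIdentity:
    patreon_id: int
    pledges: Tuple[Pledge, ...] = ()  # pledges to ANY creator, not just this site's


def generated_username(identity: PatreonIdentity) -> str:
    """Username the plugin generates when no WP user is logged in: patreon_<patreon id>."""
    return f"patreon_{identity.patreon_id}"


def active_pledge_cents(identity: PatreonIdentity, campaign_id: int = MY_CAMPAIGN_ID) -> int:
    """Cents currently pledged to THIS campaign. Pledges to other creators count for nothing,
    which answers the question in #6: supporting someone else does not unlock this site."""
    return sum(p.amount_cents for p in identity.pledges
               if p.campaign_id == campaign_id and not p.declined)


def is_patron(identity: PatreonIdentity, min_cents: int = 100,
              campaign_id: int = MY_CAMPAIGN_ID) -> bool:
    return active_pledge_cents(identity, campaign_id) >= min_cents


def login_decision(identity: PatreonIdentity, wp_user_logged_in: bool,
                   patrons_only: bool, min_cents: int = 100) -> str:
    """Outcome of a Patreon login attempt.
    'deny'   - the proposed option is on and the user has no qualifying pledge
    'link'   - a WP account was already logged in; it gets linked to the Patreon account
    'create' - no WP session; a new patreon_<id> account is created (today's behaviour)
    """
    if patrons_only and not is_patron(identity, min_cents):
        return "deny"
    return "link" if wp_user_logged_in else "create"


def can_view_page(identity: PatreonIdentity, page_min_cents: int) -> bool:
    """Patron-only page/forum gating at a pledge level (the fix suggested in #9)."""
    return is_patron(identity, page_min_cents)


PATREON_USERNAME = re.compile(r"^patreon_(\d+)$")


def suspicious_patreon_accounts(wp_usernames: Iterable[str],
                                identities_by_id: Dict[int, PatreonIdentity],
                                min_cents: int = 100) -> List[str]:
    """Admin check: patreon_<id> WP accounts whose Patreon id has no qualifying pledge here."""
    flagged = []
    for name in wp_usernames:
        m = PATREON_USERNAME.match(name)
        if not m:
            continue  # not a plugin-generated account
        identity = identities_by_id.get(int(m.group(1)))
        if identity is None or not is_patron(identity, min_cents):
            flagged.append(name)
    return flagged


# Constructed sample identities (ids are made up, not real Patreon accounts).
SPAMMER = PatreonIdentity(5551234)                                          # Patreon account, supports nobody
OTHER_CREATOR_PATRON = PatreonIdentity(4242, (Pledge(999, 500),))           # pays $5 to someone else
MY_PATRON = PatreonIdentity(777, (Pledge(MY_CAMPAIGN_ID, 100),))            # $1 patron of this site
DECLINED = PatreonIdentity(888, (Pledge(MY_CAMPAIGN_ID, 500, declined=True),))
IDENTITIES = {i.patreon_id: i for i in (SPAMMER, OTHER_CREATOR_PATRON, MY_PATRON, DECLINED)}


if __name__ == "__main__":
    for who, ident in (("spammer", SPAMMER), ("other-creator patron", OTHER_CREATOR_PATRON),
                       ("my patron", MY_PATRON)):
        print(who, generated_username(ident),
              "today:", login_decision(ident, False, patrons_only=False),
              "patrons-only:", login_decision(ident, False, patrons_only=True))
    print("flagged:", suspicious_patreon_accounts(
        ["admin", "patreon_5551234", "patreon_777", "patreon_4242"], IDENTITIES))
```

Note that `can_view_page` alone already keeps a non-patron out of a gated forum page (what the test in #7 observed), but it does not stop the account from being created and posting anywhere that is not gated, which is why the login-time `deny` branch is the change that actually addresses the spam in this thread.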