Who changed my password? Did you Andrew Boon??

Yesterday I came from my college, started my laptop and opened my site. Oooo, so many new activities! Started scrolling down to see what else is there! Nice, Nice, Nice .... what the hell is this? Who posted this?

Let me Delete it fast. Login > Username: xyz, Password: xxxxx > Enter

 

Error!
Your username or password was incorrect.  Please try again.

Username is correct, password: (carefully typing) > Enter

Error!
Your username or password was incorrect.  Please try again.


Third time. Everything carefully > Enter

Error!
Your username or password was incorrect.  Please try again.


 

Ooo, maybe I have forgotten the password. Clicked on Forgot password > My email > Enter.

 

Opened my email account, two emails for the password change??

The second one is the recent one and the first one is?? 4 hours ago!!

 

I logged in to my site using the new password. Deleted the post. Checked other items and went to Facebook!!

A long time on Facebook and then food and then sleep!

Aaah, today is Sunday!! Let me see my website for any updates. http://...... > Enter

What the hell, my site is flooded with the same type of content which I had deleted yesterday and by the same user. Now I will ban the user!

Login > Username: xyz, Password: (The new password I got yesterday) > Enter

Error!
Your username or password was incorrect.  Please try again.

WTF! WTF! WTF!

 

I logged into my Email account. WTF, there is a password change request!

Someone is changing my password day by day without my knowledge!

Who the hell is this??


I started searching for the people who know my email and about my site. Found several people who know my email but don't know about my site.

Found many people who know about my site but not my email.

 

But then suddenly!!!

>Recommended Hosting Providers List Update

>DolphinPro 7.3 [Scooter] Released. And it's awesome!

>Could you send us your photo? And a few lines on what you think about us?


Caught in the act! A person who knows my email and my site too!! Andrew Boon!

 

So, who is changing my password? Did you Andrew Boon??

 

This is a satire on the Forgot password procedure of the Boonex Dolphin site!!



Even after repeated complaints, the Boonex team has repeatedly overlooked the current forgot-password procedure, where any user can change anyone's password if they know their email. There is no confirmation of the password change request; it gets changed instantly without the knowledge of the user. The same thing happens here on the Boonex site too!


It should not be like that. If a user requests a password change, then they should receive a link which, upon clicking, returns them to a page where they can set a password of their choice, or the newly generated password should only be valid if the user confirms it by clicking on the link.


Thanks to Denre - https://www.boonex.com/m/advanced-password-forgot - who is saving almost all the Boonex Dolphin powered sites from evil eyes!

He even said he can give that to Boonex if they want. But why would they want it? They have the better procedure! Anyone can change anyone's password!!


Hope this post will somehow change the Boonex team's thinking about password security and that they do something to solve this critical issue!

Quote · 18 Mar 2016

Your site has been hacked, plain and simple.

Boonex cannot login to your site. 

 

It's more like your email account is compromised if the password was changed, or they have access to your database.

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 18 Mar 2016

If 'they' accessed the message in your email account, 'they' have the password to your email. Have you tried to log into c-panel? Or anything else attached to that email? 

"The same thing happens here on Boonex site too!"

So what you are saying is that if I send a message to you and don't 'block' my email address, you can change my password for this site without needing to access my email account? 

I would think that this would have been used to put Boonex out of business a long time ago. If it worked this way, and I were a competitor, I would hire a squad of teens in my neighborhood to take everyone's accounts to drive Boonex into the ground and leave them with a mountain of lawsuits. 

In fact, if it were this easy, someone would have done it to 'teach a lesson' to Boonex, if they didn't want to change how it works. I know I would. 

highartsculptures.com.....your favorite new site
Quote · 19 Mar 2016

> Your site has been hacked, plain and simple.
>
> Boonex cannot login to your site.
>
> It's more like your email account is compromised if the password was changed, or they have access to your database.

This didn't actually happen, it is a satire on the Forgot password procedure of the Boonex Dolphin site!!

Quote · 19 Mar 2016

> "The same thing happens here on Boonex site too!"
>
> So what you are saying is that if I send a message to you and don't 'block' my email address, you can change my password for this site without needing to access my email account?
>
> I would think that this would have been used to put Boonex out of business a long time ago. If it worked this way, and I were a competitor, I would hire a squad of teens in my neighborhood to take everyone's accounts to drive Boonex into the ground and leave them with a mountain of lawsuits.
>
> In fact, if it were this easy, someone would have done it to 'teach a lesson' to Boonex, if they didn't want to change how it works. I know I would.

This is a satire and didn't actually happen. But this may happen!

Don't you believe? Give me your email address registered here on Boonex and see how I will change your password. I can't access your account because the new password is sent to your email, but it will be changed without your knowledge! Want to try?

Quote · 19 Mar 2016

It's already in the TODO list:

https://github.com/boonex/dolphin.pro/issues/58

Rules → http://www.boonex.com/terms
Quote · 20 Mar 2016

You added this to the 7.3 milestones and forgot it!

Now you changed it to 10Leap!

You also know it's a critical issue and you should fix it at the earliest, but you are just extending it and extending it!

Will you bring a forgot password option like WordPress, where the user will click on the link sent to their email and then enter a password of their own wish?? No.. Na!

You will be doing the same thing which denre did for the Advance Forgot Password module. Then why don't you take his code and add this to core? (He agreed to give it to Boonex; I read it in some forum post, but I don't remember now.)

 

Reply!

Quote · 24 Mar 2016

I'm on dozens of sites and forums where they will send you a temporary password in an email. I see absolutely nothing wrong with that because the email usually arrives at your computer within seconds of requesting a new password.
Any savvy person will go directly to the site, log on with the new password and change it to one of their own. Exposure to the outside world should be no more than five minutes and I don't think hackers are that desperate.

Unless I'm misreading your very confusing first post, I don't think it demands immediate attention.

Quote · 24 Mar 2016

I see quite a good number of people who have spent too much time here and with Boonex Dolphin, and still they don't know how it functions.

demmy: Do you want a demo? Give me your email address which you used to log in here and see what I can do!!

Quote · 24 Mar 2016

No Thanks. If I didn't get it right, I didn't understand your "Cry Wolf" rambling in your original post.

Quote · 24 Mar 2016

> No Thanks. If I didn't get it right, I didn't understand your "Cry Wolf" rambling in your original post.

You will understand everything once you give me your email address!

Quote · 25 Mar 2016
 
 