I’m sure it has been asked before but how can I modify the automatic username when a user registers via Facebook? Currently, when a user registers using Facebook, the plugin uses their email address as their UserPro username, revealing their email address to everyone publicly. There has to be a way to change this.
This is very specific to the case where Facebook provides the email address as the username; otherwise Facebook provides only the username as the username.
UserPro cannot help it, though!
Of course it can be modified to allow the FB login app to use the FB username instead of the FB email. I’m asking for assistance on HOW to modify this, or at least for someone to point me in a direction.
So I just found this topic via Google. A little let down to see that it never got properly answered.
If you ask me, this is not only a huge security flaw (spam, list stealing, etc.); it’s also an absolutely horrible user experience.
Of course the entire fault lies with the plugin, and it is easily fixed by looking at the “userpro_fbconnect” function of ajax.php (userpro/functions/ajax.php) at about line 763, where it says that if the username has not been provided, then the username is set equal to the email address.
This is a strange way to do it, because it seems to pull up SOME sort of name, as my test profile had a name attached to it.
I would suggest adding an “if” statement here to see if the call includes a username, and if not, auto-generate a name using the first half of the email address (minus the @whatever.com) or by taking the name and appending a random number to the end of it.
Some test code would look like this (by the way, you have dark text on bright blue buttons in your forum... I love your work, but usability is obviously not your strong suit):

```php
extract($_POST);
if (!isset($username) || $username == '' || $username == 'undefined') {
    $username = $email;
}
```

Becomes:

```php
extract($_POST);
if (!isset($username) || $username == '' || $username == 'undefined') {
    $generatedUsername = explode("@", $email);
    $username = $generatedUsername[0];
}
```

This will turn an email like “[email protected]” into the username “johnny.jefferson”.
You may want to add some sort of random number at the end of it so that you avoid duplicates, although I’m not sure if this is gonna be good or not.
—
The other alternative is to do what the author should have done from the beginning and set the username based on the Facebook UID, which is a unique identifier perfect for this type of situation. In this case, you would change several more parts of the code: first delete the earlier lines (761) where the username is defaulted to the email, then add this change to the line starting within the loop of the “check if facebook uid exists”:

```php
if (isset($id) && $id != '' && $id != 'undefined') {
    $username = $id;
    // ... the rest of the existing "check if facebook uid exists" block follows here
}
```

Save the file, copy it and overwrite it, and you’re done.
Best case, of course, would be if you could replace the original files in a child plugin or whatever so that next updates don’t break the change.
—
BTW, it looks like this forum is practically broken; the code fragments won’t paste without converting to Unicode. Good luck with that; you’ll need to try and find the parts of the code that I’ve pasted or work from the line numbers. I hope this gets fixed soon. But again, typical of the type of stuff in the plugin: powerful customization, but it lacks the most basic stuff.
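Putting the two suggestions above together (email local part first, Facebook UID as the fallback, random suffix on collision), here is an added example of a username-derivation routine. It is not UserPro’s code and not the poster’s patch; it assumes the caller passes the same three values the userpro_fbconnect handler reads ($username, $email, $id) plus a callable that reports whether a name is already taken (in WordPress that callable would wrap username_exists()). The sample data at the bottom is constructed.

```php
<?php
// Added example, not UserPro's own code. Derives a public-safe username for a
// Facebook-registered user instead of storing the e-mail address as the login.
// Assumptions: the caller passes the same three values the userpro_fbconnect
// handler reads ($username, $email, $id) and a callable that reports whether a
// username is already taken (in WordPress this would wrap username_exists()).

function fb_username_from_data(?string $username, ?string $email, ?string $id, callable $exists): string
{
    $candidates = [];

    // 1. Whatever Facebook supplied, if anything usable came through.
    //    The plugin's JavaScript sends the literal string "undefined" when the
    //    field is absent, so that value is treated as missing.
    if ($username !== null && $username !== '' && $username !== 'undefined') {
        $candidates[] = $username;
    }

    // 2. The local part of the e-mail address, never the whole address.
    if ($email !== null && strpos($email, '@') !== false) {
        $candidates[] = strstr($email, '@', true);
    }

    // 3. The Facebook UID, unique per app, with a prefix so it reads as a handle.
    if ($id !== null && $id !== '' && $id !== 'undefined') {
        $candidates[] = 'fb_' . $id;
    }

    foreach ($candidates as $raw) {
        // Keep only characters that are safe in a login name; drop everything else.
        $clean = strtolower(preg_replace('/[^A-Za-z0-9_.-]/', '', $raw));
        $clean = trim($clean, '._-');
        if ($clean === '') {
            continue;
        }
        // Resolve collisions by appending a random suffix, as suggested in the post.
        $try = $clean;
        for ($attempt = 0; $attempt < 10; $attempt++) {
            if (!$exists($try)) {
                return $try;
            }
            $try = $clean . '_' . random_int(1000, 9999);
        }
    }

    throw new RuntimeException('Could not derive a unique username from the Facebook data');
}

// Constructed sample data: one existing account and a Facebook response with no username.
$taken  = ['johnny.jefferson' => true];
$exists = function (string $name) use ($taken): bool {
    return isset($taken[$name]);
};

// Local part is taken, so a random suffix is appended.
echo fb_username_from_data('', 'johnny.jefferson@example.com', '10001', $exists), PHP_EOL;
// Neither username nor email is usable, so the UID-based handle is used.
echo fb_username_from_data('undefined', 'undefined', '10001', $exists), PHP_EOL;
```

The candidate order is deliberate: a Facebook-supplied username is the friendliest, the email local part is the next best, and the UID is the guaranteed-unique fallback. Whichever candidate wins, the full email address never becomes the public login name, which is the problem the thread started with.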
@majaka Can you send us that edited ajax.php file to [email protected]? We need to fix the issue on our Corporate News website.
Thanks
Eric Boland
Founder/Owner of W-World Media
Vancouver, Canada
No problem, I’ll shoot through a copy of the email shortly once I clean up the code and do some security fixes. I’ve just noticed that there seems to be no validation of the data sent back via Facebook, which means it can be hijacked via JavaScript and have stuff inserted into the user data which shouldn’t be inserted.
I will also do a pastebin link so that everyone else can read a copy of the changes without having to ask for an email.
—
For the developer, the issue here relates to the extract() function you have used on line 764 of ajax.php (userpro/functions/ajax.php).
As the documentation for this function explicitly states, it should NOT BE USED ON NON-TRUSTED INFORMATION (anything that is NOT generated server-side):
http://php.net/manual/en/function.extract.php
Because AJAX calls are inherently unsafe, you should NOT be using extract on a POST. This is because the JavaScript that you have sends this data: `data: "action=userpro_fbconnect&id=" + response.id`, etc.
You haven’t encoded it with a secret key or anything to check the data, and the only checks that you’ve done regarding validity are: `if (isset($id) && $id != '' && $id != 'undefined')`.
That is, if the id is set, it is not null and it is not undefined, then it is used in the rest of the function.
All I need to do now is to send some fake data to the ajax url (which is posted in the source code of every page) and I can automatically create fake user accounts until the cows come home. The only thing stopping me here is that you’ve included the fact that each account needs to be verified by the admin.
I will have a look into the proper validations that need to be done and then post them here later, but this is something that I recommend you get on and fix ASAP.
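To make the extract() point concrete and show what “proper validation” of the Facebook data looks like, here is an added example (not UserPro’s code and not the poster’s promised fix). It places the hazardous shape next to a hardened handler that reads only the expected keys and has Facebook itself confirm the claimed user id via the Graph API `/me` endpoint. It assumes the client is changed to POST the Facebook access token (response.authResponse.accessToken from the Facebook JS SDK) alongside the id, and that $fetch is a callable performing an HTTPS GET (in WordPress that would wrap wp_remote_get()). The request data and the Graph API reply at the bottom are constructed stand-ins so the script runs offline.

```php
<?php
// Added example, not UserPro's own code. Shows the extract()-on-$_POST hazard
// next to a handler that reads only the expected keys and has Facebook confirm
// the claimed user id server-side.
// Assumptions: the client also POSTs the Facebook access token, and $fetch is a
// callable that performs an HTTPS GET and returns the response body.

// Hazardous shape: every POST key becomes a local variable, so a client that
// adds an unexpected field can overwrite server-side state.
function fbconnect_vulnerable(array $post): array
{
    $autoApprove = false;          // server-side decision...
    extract($post);                // ...overwritten if $post['autoApprove'] is sent
    return ['id' => $id ?? null, 'autoApprove' => $autoApprove];
}

// Hardened shape: explicit key reads, syntactic checks, then verification with
// Facebook's Graph API before any of the data touches the user table.
function fbconnect_hardened(array $post, callable $fetch): array
{
    $token     = is_string($post['access_token'] ?? null) ? $post['access_token'] : '';
    $claimedId = is_string($post['id'] ?? null) ? $post['id'] : '';

    // Facebook user ids are numeric strings; reject anything else before use.
    if ($token === '' || !preg_match('/^[0-9]{1,32}$/', $claimedId)) {
        throw new InvalidArgumentException('missing or malformed Facebook login data');
    }

    // Ask Facebook who the token belongs to instead of believing the browser.
    $url     = 'https://graph.facebook.com/me?fields=id,email,name&access_token=' . rawurlencode($token);
    $profile = json_decode($fetch($url), true);

    if (!is_array($profile) || !isset($profile['id']) || (string) $profile['id'] !== $claimedId) {
        throw new RuntimeException('Facebook did not confirm the claimed user id');
    }

    // From here on only server-confirmed values are used; POSTed email/name are ignored.
    return [
        'id'    => (string) $profile['id'],
        'email' => isset($profile['email']) ? (string) $profile['email'] : null,
        'name'  => isset($profile['name'])  ? (string) $profile['name']  : null,
    ];
}

// Constructed request, including a field the server never expected.
$post = [
    'action'       => 'userpro_fbconnect',
    'id'           => '10001',
    'access_token' => 'constructed-token',
    'autoApprove'  => true,
];

// Constructed stand-in for the Graph API reply; a real deployment performs the HTTPS request.
$fakeFetch = function (string $url): string {
    return json_encode(['id' => '10001', 'email' => 'johnny.jefferson@example.com', 'name' => 'Johnny Jefferson']);
};

// The POSTed autoApprove field overwrote the local variable in the extract() version.
var_dump(fbconnect_vulnerable($post)['autoApprove']);
// The hardened version returns only what Facebook confirmed.
var_dump(fbconnect_hardened($post, $fakeFetch)['id']);

// A request claiming someone else's id is rejected because Facebook's answer disagrees.
$tampered = $post;
$tampered['id'] = '99999';
try {
    fbconnect_hardened($tampered, $fakeFetch);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Two design points are worth noting. First, a WordPress nonce via check_ajax_referer() is still worth adding for CSRF, but it does not replace the Graph API check: an attacker loading the page legitimately obtains a valid nonce and can still forge the id, email and name fields, which is exactly the fake-account path described above. Second, the hardened handler never uses the POSTed email or name at all; it takes them from Facebook’s reply, so the client can no longer insert values into the user record that Facebook did not vouch for.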
@majaka Any chance of getting a copy of that file too, please? To [email protected].
Thanks in advance.