If you ask me, this is not only a huge security flaw (spam, list stealing etc) it’s also absolutely horrible user experience.

Of course the entire fault lies with the plugin, and it is easily fixed by looking at the “userpro_fbconnect” function of ajax.php (userpro/functions/ajax.php) around about line 763 where you see it says the if the username has not been provided, then the username is equal to the email address.

This is a strange way to do it, because it seems to pull up SOME sort of name, as my test profile had a name attached to it.

I would suggest adding an “if” statement here to see if the call includes a username, and if not, auto-generate a name using the first-half of the email address (minus the @whatever.com) or by taking the name and appending a random number at the end of it.

Some test code would look like (by the way, you have dark text on bright blue buttons in your forum.. I love your work but usability is obviously not your strong suit):

Becomes:

This will turn an email like “[email protected]” into the username “johnny.jefferson”.

You may want to add some sort of random number at the end of it so that you avoid duplicates, although I’m not sure if this is gonna be good or not.

—

The other alternative is to do what the author should’ve done from the beginning and set the username based on the facebook UID, which is a unique identifier perfect for this type of situation. In this case, you would change several more parts of the code, first deleting the earlier lines of 761 where the username is defaulted to the email, then adding this change to the line starting within the loop of the “check if facebook uid exists”:

Save the file, copy it and over-write it and you’re done.

Best case, of course, would be if you could replace the original files in a child plugin or whatever so that next updates don’t break the change.

—

BTW it looks like this forums is practically broken; the code fragments won’t paste without converting to unicode. Good luck with that; you’ll need to try and find the parts of the code that I’ve pasted or work from the line numbers. I hope this gets fixed soon. But again, typical of the type of stuff in the plugin; powerful customization but lacks the most basic stuff.

Thanks
Eric Boland
Founder/Owner of W-World Media
Vancouver, Canada

I will also do a pastebin link so that everyone else can read a copy of the changes without having to ask for an email.

—

For the developer, the issue here relates to the extract() function you have used on line 764 of ajax.php (userpro/functions/ajax.php).

As the documentation for this function explicitly states, this should NOT BE USED ON NON-TRUSTED INFORMATION (anything that is NOT generated server-side):

http://php.net/manual/en/function.extract.php

Because AJAX calls are inherently unsafe, you should NOT be using extract on a POST. This is because the javascript that you have sends this data: data: “action=userpro_fbconnect&id=”+response.id” etc.

You haven’t encoded it with a secret key or anything to check the data and the only checks that you’ve done regarding validity are: if (isset($id) && $id != ” && $id != ‘undefined’).

That is, if the id is set, it is not null and it is not undefined, then use it in the rest of the function.

All I need to do now is to send some fake data to the ajax url (which is posted in the source code of every page) and I can automatically create fake user accounts until the cows come home. The only thing stopping me here is that you’ve included the fact that each account needs to be verified by the admin.

I will have a look into the proper validations that need to be done and then post them here later, but this is something that I recommend you get on and fix ASAP.

Thanks in advance.