Speedy Alternate Account Creation Loophole (3 alts per min!)

(Jonathan) #1

Hey there! Recently, I stumbled across an interesting bug/bypass on the sign up page for any discourse forum. This loophole allows people to create 2 to 3 discourse accounts per minute, while using the same email address.

The limit of discourse accounts you can make per email address:
2^(number of letters/numbers before the “@” symbol minus 1)

This is because discourse thinks that these emails are separate:
te.st@mail.com and test@mail.com

But gmail recognizes them as the same, since it omits periods before the “@”

Using this method, I was able to create over 300 accounts in 3 days (It is pretty time consuming, though)
If a machine(s) were to be programmed to do the following method, the effects could be pretty interesting.

Edit: With the alternate account creations, I liked a singular post over 300 times to make it the “top” topic on the hopscotch forum (or at least, the “top” filter thought it was). This is probably because the code is:
(Total likes)/(Total Replies)

(cpradio) #2

Can you explain a bit more on where you did this? As maybe they changed the default settings, as there is rate limiting and sock puppet detection built in, I’ve yet to run across a user who can set up “2^(number of letters/numbers before the “@” symbol minus 1)” without hitting either of those limitations.

Did you actually validate each account or just stage them up unverified? As unverified accounts get automatically deleted after a grace period (so even if someone did it, to what end would that be useful?)

(Jonathan) #3

I’ll make a picture description
This is on the sign up page for discourse

The verification email always goes to the original email address since gmail omits periods

(oops yeah I should’ve added that)

(Jeff Atwood) #4

This is how gmail works, you can search Google for “plus email addressing” to learn more. It is not an exploit or anything like that.
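As an added example for this thread (not Discourse’s own code and not from any of the posters), here is how a sign-up flow could canonicalize addresses before checking uniqueness, so that the dot and plus variants discussed above map to one mailbox. It assumes that gmail.com and googlemail.com ignore dots and anything after “+” in the local part and treats every other domain literally; the function names and the sample addresses are constructed for the example.

```python
"""Canonicalize e-mail addresses so that sign-up uniqueness checks treat
Gmail dot/plus variants as one mailbox.

Assumptions (not verified against any forum software): gmail.com and
googlemail.com ignore dots and any '+suffix' in the local part. Other
domains are only lower-cased, because dots in the local part are
significant in general (RFC 5321), so they must be left alone.
"""
from itertools import combinations

DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(addr: str) -> str:
    """Return the address that identifies the underlying mailbox."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    local, domain = local.lower(), domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        # drop the '+tag' first, then every dot in what remains
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"  # googlemail.com is an alias of gmail.com
    return f"{local}@{domain}"


def dot_variants(local: str):
    """Yield every dot placement Gmail would accept for a local part
    (dots only between characters, never doubled).  There are
    2**(len(local) - 1) of them, which is the count from the first post;
    used here only as an exhaustive oracle for canonical_email()."""
    gaps = range(1, len(local))
    for k in range(len(gaps) + 1):
        for cut in combinations(gaps, k):
            parts, prev = [], 0
            for c in cut:
                parts.append(local[prev:c])
                prev = c
            parts.append(local[prev:])
            yield ".".join(parts)


def duplicate_groups(signups):
    """Group sign-up addresses by canonical mailbox and return only the
    groups with more than one raw address: candidate duplicate accounts."""
    groups = {}
    for addr in signups:
        groups.setdefault(canonical_email(addr), []).append(addr)
    return {mailbox: raws for mailbox, raws in groups.items() if len(raws) > 1}


if __name__ == "__main__":
    # constructed sample sign-ups
    sample = ["test@gmail.com", "t.est@googlemail.com",
              "other@example.org", "te.st+x@gmail.com"]
    for mailbox, raws in duplicate_groups(sample).items():
        print(mailbox, "<-", raws)
```

The check belongs at sign-up time and in any retroactive sock-puppet review: store the raw address for mail delivery, but enforce uniqueness (and count accounts per mailbox) on the canonical form.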

(Jonathan) #5

Ok, that makes sense
(same with the “+” I think, too)

I did find it interesting that you can use these alts to sort of cheat your way to the top topic in the “top” filter by liking a post hundreds of times :thinking:

Maybe users with the same IP address do not get to cast more than 1 like per post

(Jeff Atwood) #6

You will need to read up on defaults. More than 3 new users from the same IP address will be rejected by default.

(Jonathan) #7

Ah, ok, I didn’t know that
Hmm, I don’t know how it happened then :thinking:
It is a mystery

This is what it looks like:

I don’t know, it just seems interesting that it became the top topic

(Jeff Atwood) #8

There are some exceptions, if a TL2+ user is previously from that IP or a staff user is previously from that IP, then it is assumed that IP is safe for more new users. But if all new users are from the same previously unknown IP, maximum 3 before we begin rejecting new accounts from that IP.

(Jonathan) #9

Woah, cool! That makes a lot of sense, thanks
It filters out the sketchy IPs then, woah!

(Michael Howell) #10

This means, by the way, that pulling this kind of nonsense on a forum is a good way to ruin your hard-earned reputation.

(HopscotchRemixer) #11

Actually I believe it is likes on the first post

(HopscotchRemixer) #12

It was made as a joke, and there is nothing wrong with testing it to help prevent it further