Can Moderators and Administrators read PM's?

Pecker

Retired Moderator
Only those sent to us individually just as any other member. We have no access to others' PMs. That is why they are called private.
 

snoozan

Experimental Member
> Only those sent to us individually just as any other member. We have no access to others' PMs. That is why they are called private.

From moderating and administering a forum much like this one (though it didn't use the same software, but they are all similar), PMs couldn't be read by moderators and couldn't easily be read by administrators. I'm sure Rob_E could read the PMs if he so chose, though it would mean getting into the master database. I think this forum is run on vBulletin.

This is what I read on the vBulletin forum (quote is from a vBulletin rep):

"This ability to read your members' PMs is not built into vB. However since you presumably have access to the database you could conceivably access these directly in the database. That's not something I recommend however."

There is, apparently, a hack you can install so that the admin can read PMs. I guess Rob_E would have to have that hack installed to read them. I would think this is something that should be addressed in the ToS, personally. I'd like to know if my PMs are being read, and if so, would use the PM function less and use other methods to communicate with members.

from here:

admin reading others "pm's" - vBulletin Community Forum
 

B_big dirigible

Experimental Member
I have never run a vBulletin forum. In the forum software with which I am familiar, no one can access PMs directly except the member with the account password. The password is not accessible even at administrator level. The passwords are stored in hashed form in the database itself. The site administrator (which may or may not be the forum administrator) has access to the database, but can only read the hashed versions of passwords. However, the hashed password can be edited (that is, changed) directly in the database. The password itself - not its hashed version - can also be changed at forum administrator level. So the site or forum administrator can change the password, then log in as the member and read PMs (or delete them, send new PMs, etc). However the old password is lost in this process, so the real member will know that something's up the next time he tries to log in.

There is another possibility. The site administrator could dig into the database and copy the hashed form of the password. He could then change it to a new password, and log in to fiddle with the PMs. When done, he could then paste the old hashed password back into the database. This would probably restore the original password to the account, so that the member wouldn't notice when logging back in. I haven't tried this myself, though, so don't know if it would actually work.

On my own forum, it is occasionally useful to be able to work directly with hashed passwords. The standard password test is 098f6bcd4621d373cade4e832627b4f6 in its hashed form.
 

Freddie53

Superior Member
Thanks for the technical information. Neither the coordinators nor the moderators can read private messages here. Rob E is pretty busy. I don't know what functions he can and can't do.

I do know that members can forward private messages to whomever they wish. We have seen private messages appear here on the public board. Fairly easy, just a cut-and-paste procedure.

And some members have sent copies of private messages that they have received to a moderator(s). That is the only way that moderators have received information from private messages.

Private messages are just like e-mails. They can be forwarded by the owner to someone else. So the question is, "Can you trust the person that you are sending the private message to?" If you can, send that private message. If you can't and want it to remain private, don't send it.
 

dong20

Sexy Member
> I have never run a vBulletin forum. In the forum software with which I am familiar, no one can access PMs directly except the member with the account password. The password is not accessible even at administrator level. The passwords are stored in hashed form in the database itself. The site administrator (which may or may not be the forum administrator) has access to the database, but can only read the hashed versions of passwords. However, the hashed password can be edited (that is, changed) directly in the database. The password itself - not its hashed version - can also be changed at forum administrator level. So the site or forum administrator can change the password, then log in as the member and read PMs (or delete them, send new PMs, etc). However the old password is lost in this process, so the real member will know that something's up the next time he tries to log in.

Nor have I, but yes, if a password as stored is changed it will lock out its user.

> There is another possibility. The site administrator could dig into the database and copy the hashed form of the password. He could then change it to a new password, and log in to fiddle with the PMs. When done, he could then paste the old hashed password back into the database. This would probably restore the original password to the account, so that the member wouldn't notice when logging back in. I haven't tried this myself, though, so don't know if it would actually work.

It would depend on whether the database merely stores the data as it's entered or encrypts the data as it's entered, in which case re-entering the encrypted version of test '098f6bcd4621d373cade4e832627b4f6' would crypt that, thus rendering it useless as a 'hack'. That's the way a 'proper' encryption system works, at least at this level.

Many systems use a simple crypt key stored either in the database (or a config file) which is used to crypt and decrypt data as it's entered and read respectively. If that's known then decrypting and re-crypting a password (or any other encrypted data) is a snap and, logging aside, undetectable by anyone.

> On my own forum, it is occasionally useful to be able to work directly with hashed passwords. The standard password test is 098f6bcd4621d373cade4e832627b4f6 in its hashed form.

I assume it encrypts then stores the password as plain text then decrypts to authenticate, that's the easier, more normal path? To be honest I can't recall if MySQL even supports true encrypted fields. I've not used it for ages, do you know if it does, save me a Google?

I have no idea how this board is set up but I doubt it's especially sophisticated, the content simply doesn't warrant any significant level of security, which paradoxically, means said content (a few PM's perhaps) are probably safe merely by not being worth any effort to obtain. I wouldn't worry.
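
Added example, not part of any post in this thread and not vBulletin or phpBB code: the two posts above discuss whether a password hash edited directly in the database and later written back would go unnoticed, "logging aside". The sketch below replays that on an in-memory SQLite table and shows an audit trigger recording both writes even though the final hash equals the original. The schema (`users`, `pw_hash`, `pw_audit`), the member name and the use of unsalted MD5 (which is what produces the hash quoted for "test") are assumptions for illustration.

```python
import hashlib
import hmac
import sqlite3

def md5_hex(password):
    # Unsalted MD5 reproduces the hash quoted in the thread; it is not a recommended scheme.
    return hashlib.md5(password.encode()).hexdigest()

def build_db():
    # Hypothetical schema: users(name, pw_hash) plus an audit table fed by a trigger.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL);
        CREATE TABLE pw_audit (id INTEGER PRIMARY KEY AUTOINCREMENT,
            name TEXT, old_hash TEXT, new_hash TEXT,
            changed_at TEXT DEFAULT CURRENT_TIMESTAMP);
        CREATE TRIGGER users_pw_audit AFTER UPDATE OF pw_hash ON users
        BEGIN
            INSERT INTO pw_audit (name, old_hash, new_hash)
            VALUES (OLD.name, OLD.pw_hash, NEW.pw_hash);
        END;
    """)
    db.execute("INSERT INTO users VALUES (?, ?)", ("member", md5_hex("test")))
    return db

def stored_hash(db, name):
    return db.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()[0]

def login_ok(db, name, password):
    # Login hashes the submitted password and compares it with the stored column.
    return hmac.compare_digest(stored_hash(db, name), md5_hex(password))

def set_hash(db, name, pw_hash):
    # Direct column write, as a database tool would do, bypassing the forum code.
    db.execute("UPDATE users SET pw_hash = ? WHERE name = ?", (pw_hash, name))

def replay():
    db = build_db()
    original = stored_hash(db, "member")
    set_hash(db, "member", md5_hex("temporary"))   # constructed replacement password
    during = login_ok(db, "member", "test")        # member's real password now fails
    set_hash(db, "member", original)               # original hash written back
    after = login_ok(db, "member", "test")         # member's real password works again
    audit = db.execute("SELECT old_hash, new_hash FROM pw_audit ORDER BY id").fetchall()
    return original, during, after, audit

if __name__ == "__main__":
    original, during, after, audit = replay()
    print(original, during, after, len(audit))
```

In a real deployment the audit rows would need to go somewhere the database account cannot rewrite, since anyone who can edit `users` directly can usually edit `pw_audit` too.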
 

snoozan

Experimental Member
i think you all have me on ignore. if not, read this:

admin reading others "pm's" - vBulletin Community Forum

the technical information with changing passwords is interesting, but there is apparently a hack that was written for admins to access PMs, though it's not built into the software originally. in essence, then, it's up to Rob_E whether he reads PMs or not.

honestly, i'd venture to say he doesn't as it's common practice on internet fora that PMs are only read by the sender and the recipients.
 

B_big dirigible

Experimental Member
> I assume it encrypts then stores the password as plain text then decrypts to authenticate, that's the easier, more normal path? To be honest I can't recall if MySQL even supports true encrypted fields. I've not used it for ages, do you know if it does, save me a Google?

Oy, no idea. I can get into the MySQL database with phpMyAdmin and fiddle around inside any of the tables. I have been informed by someone who should know that pasting the hashed password in the right place will change the real password. I don't claim to be a whiz at either databases or encryption algorithms, so generally I keep my fingers out of there until there's an actual crisis.
 

dong20

Sexy Member
> I don't claim to be a whiz at either databases or encryption algorithms, so generally I keep my fingers out of there until there's an actual crisis.

I used to get paid loads to be one, though I never felt especially whizzy, I like to think I could hold my own. But outside of performance tuning etc I adopted (and still do adopt) much the same strategy as you. As they say, if it ain't broke...:smile:
 

B_big dirigible

Experimental Member
> i think you all have me on ignore. if not, read this:
>
> admin reading others "pm's" - vBulletin Community Forum
>
> the technical information with changing passwords is interesting, but there is apparently a hack that was written for admins to access PMs, though it's not built into the software originally. in essence, then, it's up to Rob_E whether he reads PMs or not.

Hmmm. Old thread. But if it was available then, it's probably available now.

I just looked at the support forum for the software I use nowadays, phpBB 2, and apparently it has such a modification also. I have no intention of adding it to my forum, though. Possibly the PMs are readable directly in the database, without logging in as the user and fooling around with all that password stuff. If so, it's still limited to the site owner, as not even forum administrator level has direct access to the database.
 

snoozan

Experimental Member
> Hmmm. Old thread. But if it was available then, it's probably available now.
>
> I just looked at the support forum for the software I use nowadays, phpBB 2, and apparently it has such a modification also. I have no intention of adding it to my forum, though. Possibly the PMs are readable directly in the database, without logging in as the user and fooling around with all that password stuff. If so, it's still limited to the site owner, as not even forum administrator level has direct access to the database.

ok, this thread is from last week. it says essentially the same thing:

Read Members Pm's - vBulletin Community Forum