URGENT!!! SECURITY/DATA BREACH/SPAM

I have notified WIX of this with a phone call but thought it would be a good idea to advise other people that might be going through the same. (also, didn’t get a response yet)
I was contacted recently by other people who owe a WIX website saying that I sign to their website (which I didn’t). One of them took a print screen of my profile and, guess what, this was my GOOGLE profile: my email, my location, my picture. This means someone is having access to my details (passwords, emails, cards, everything!).
In the beginning I thought this was a problem with me and someone hacking my account, until I then started to receive multiple notifications of random emails who are signing into my website too, without contacting me.
The first time this happened was 7 days ago, but I thought this was just someone curious about the website that decided to sign in to have a look. Then I received another one 4 days ago, another 3 days ago, and yesterday, 6 people randomly sign in to my website. 6!!! I only have occasional clients that sign in because they have to pay for their plans.
Not only that, but this morning I had 1 more person and this afternoon another one. This last one even paid for a plan, but didn’t mention anything to me.
In the meantime, I continue receiving emails from other website owners saying I sign up to their websites, and I noticed that I have been added to other business pages on the WIX Mobile App. One of them was even Porn.

WIX, this is hella SERIOUS.
All of these emails are from people who owe a wix website, or they’re fake.
This is an urgent situation and it’s affecting many wix members, not only me.
I have confidential data on my website and my clients might be victims soon too.
Not only I am losing my time contacting people I think are potential clients who aren’t, but we’re talking about passwords, emails, credit cards.
This is not something to be taken lightly, people need to be aware of this, and precautions should be taken!

PLEASE LOOK FOR THE SOURCE OF THE PROBLEM AND SORT THIS AS SOON AS POSSIBLE!

I’m not really sure I understand what you mean by owe a Wix site or why they would ask you to sign on to their site…Might be good to clarify.

In any case, don’t get phished!

1 Like

If your google profile showed up as a login then I recommend you reset your Google password AND activate 2-step-authentication to prevent hacking of your account.

If you use your Google account to log in to any 3rd party websites / apps, then I recommend you change all of those passwords too. (If possible, also activate 2-step-authentication on those other 3rd party websites / apps as well)

2 Likes

I have done this, Thank you so much.
Somehow the websites I have been added to are all from WIX, which is weird, and I don’t know why someone would be doing this anyways.
I will keep you posted if I continue to receive random sign-ins or if I am added to other websites anyways (?)

So, someone used my Google Account to sign up on different wix websites (no idea why they would do that). Similarly, many people sign up to my website recently, who appear to not be real clients, but their Google accounts were also used (I can see their picture).
I changed my passwords and keeping an eye on it!

@yela_501 It all depends on whether your site(s) attract bots/exploits and what your browsing habits are. If you use the internet without any consideration or knowledge of security/privacy, stuff like this is actually not rare.

It sucks that it’s your Google account as they likely have a ton of information on you now, but I would recommend that you download these browser add-ons to protect you in the future and just let them run in the background:
HTTPS Everywhere
Decentraleyes
Privacy Badger
Cookie Autodelete

You can also use Startpage.com’s Anonymous View instead of Google if you think it’s a potentially sketchy site or even just in general.

2 Likes

I’m sending this on to security for evaluation. However, it really sounds like your Google account was hacked - not your Wix account.

While you’re chatting with the “(in)security” folks at Wix/Corvid, how about checking on improving security to 2019 standards - all serious web hosting providers offer mfa/2fa (multi factor authentication / two factor authentication).

1 Like

@brainstorrrm This is a must, I have been working on developing a captcha that will hopefully stop bots etc before they attempt to sign up to my website, just another piece of security etc:

I am however having a little difficulty with finalising it, I am not using google recaptcha because I am not 100% sure if they captcha data at the same time someone completes it etc:

anyway here is the starting part of my code:

by exporting splitToken at the bottom of the code it presents an uninterrupted 6 digit alphanumeric and special character code that has had duplicates removed from the initial string that is generated in the “var captcha = function() {”, my issue is if lets say I was to call multiple variables it would create multiple codes where as I am just wanting one 6 character code with no spaces and no duplicates.

I then want to pass this to a checkCaptcha.jsw file to make sure that clientside code matches server side and then also to do a further check on the submission to make sure that the submitted code is the same as the one that is generated on the server.

I know this sounds extreme but I am wanting to cover as many bases as possible in making sure customers are secure from client side.

I will await the time when wix chooses to implement MFA as they can actually utilise some of the code I have, which I have had support from yourself and others to create, I can now do, SMS Message confirmation, email confirmation, passwords confirmation and also IP address confirmation but if lets say someone wanted to try to breach the front end least I could stop multiple attempts I believe with a captcha?

any help on this would be great,

Best regards,

Si

// Build a 20-character random string from an alphabet without look-alike characters.
// Note: Math.random() is not a cryptographically secure generator.
var captcha = function () {
    var outcome = "";
    var length = 20;
    var possible = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ@!#$%^&*";
    for (var i = 0; i < length; i++) {
        outcome += possible.charAt(Math.floor(Math.random() * possible.length));
    }

    console.log(outcome);

    return outcome;
};

// Reduce the 20-character string to at most 6 characters with no repeats.
var reduceCaptcha = function () {
    let result = captcha();
    console.log(result);
    var a = result.split('');
    var h = {};
    var v = "";

    // Count how often each character occurs.
    for (var i = 0; i < a.length; i++) {
        h[a[i]] = (h[a[i]] || 0) + 1;
    }

    // Keep only characters that occur exactly once. for...in visits the digit
    // keys first, in ascending order, then the other keys in insertion order.
    for (var c in h) {
        if (h[c] === 1) {
            v += c;
        }
    }

    // Take the first six characters; the result is shorter than six when
    // fewer than six characters of the original string were unique.
    var st = v.slice(0, 6);

    console.log(st);

    return st;
};

// Split the code into its individual characters A..F.
var splitToken = function () {
    let string = reduceCaptcha();
    var splits = {
        A: string.slice(0, 1),
        B: string.slice(1, 2),
        C: string.slice(2, 3),
        D: string.slice(3, 4),
        E: string.slice(4, 5),
        F: string.slice(5, 6)
    };

    console.log(splits);
    return splits;
};

// Random colour with each channel in the range 0..239.
var generateColour = function () {
    var r = Math.floor(Math.random() * 240);
    var g = Math.floor(Math.random() * 240);
    var b = Math.floor(Math.random() * 240);

    let rgb = 'rgb(' + r + ', ' + g + ' , ' + b + ')';

    console.log(rgb);

    return rgb;
};

// Return the generated code so that each call hands back exactly one captcha.
export function getCaptcha() {
    return splitToken();
}

1 Like

@simonadams Looks interesting … but I would try implementing Google reCAPTCHA before writing up a storm of questionable code. Seems a lot simpler to me.

Wix apparently implements a version of it, including reCAPTCHA.

If you want v3 and Wix doesn’t offer it, you can implement it via the HTML element, according to @Ethan Snow:
https://support.wix.com/en/article/adding-captcha-to-your-wix-forms

@brainstorrrm I have tried to utilise the google recaptcha but have found it frustrating on wix, I will look to have another go, may I ask as to what is questionable about the code? just so that I can understand what is wrong and what I can do to make it less so.

1 Like

@simonadams

Nothing wrong with writing your own CAPTCHA routines - I’m sure it’s a good learning experience.

“may I ask as to what is questionable about the code?”
LOL - Si, you are making it questionable:
“I am however having a little difficulty with finalising it, …
…any help on this would be great”
It’s not working for you and you’re asking for assistance - that makes the code questionable, at best.

Also, your approach seems to have a flaw: most bots will scan the finished page for a code like the one you create … and try various approaches to fill in a form and submit, or login, etc.
So unless you obfuscate your alphanumeric code (like a reCAPTCHA) with distorted graphic interpretations of your randomly generated code, some bots will defeat your code.

So, back to Google reCAPTCHA - what’s the problem with implementing it in Wix?
Haven’t used it (yet), but it looks straightforward:
https://www.wix.com/corvid/reference/wix-captcha-backend.html

@simonadams Even Google’s reCAPTCHA has become spotty at times, to the point that now they’re just super aggressive with it in certain circumstances. For example, try completing a reCAPTCHA on Tor, or using certain VPNs - it’s going to do its damnedest not to let you through.

If you’re looking to secure your site in such a way that you can trace an attack, obviously this is a plus since you can’t pre-emptively monitor onion exit nodes, and no reputable VPN will give you logs if they even keep them. Coding that kind of level of security on your own takes a long time, so if your intent is to learn a bit about the process by doing, there’s no issue at all. Just know, that reCAPTCHA is a lot more advanced as many people have contributed to the code over several years.

@skmedia thanks David, I am looking to implement with this a time based code that evaluates the time from its creation to the time of submission and provide a value between 0-1 as recaptcha does I hope this will then provide a little more security to bot attacks. I know it will take time but it will be worth it if I am able to create it and it be effective.

@brainstorrrm OK I see your point in relation to the questionable piece, I am looking to create an SVG or HTML code that as you say creates an obstruction to OCR or other means of reading the code. at present I would like to utilise the server side code that is generated and place it in either a SVG or HTML code and then place the created image on the client-side that way only the image can be seen and not the actual code. I am also looking to make the code dynamic in its appearance within the image but that will take some significant coding but I am working on it.
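
The server-side check and the creation-to-submission timing discussed in the posts above, as an added example that is not part of the thread and is not Wix or reCAPTCHA code: the answer goes only to the image renderer, and the form carries an HMAC-bound token. `issueChallenge`, `verifyChallenge`, the constants and the in-memory `spent` set are assumptions for illustration, written for plain Node.js.

```javascript
const crypto = require('crypto');

// Assumptions: every name here is hypothetical; SECRET never leaves the server.
const SECRET = crypto.randomBytes(32);
const ALPHABET = '23456789ABCDEFGHJKLMNPQRSTUVWXYZ@!#$%^&*'; // set used in the post
const TTL_MS = 120000;      // a challenge is valid for 2 minutes
const MIN_SOLVE_MS = 1500;  // anything answered faster is treated as automated
const spent = new Set();    // nonces already submitted once (in-memory sketch)

// HMAC over dot-joined parts; the first part is a label separating the two uses.
const mac = (...parts) =>
  crypto.createHmac('sha256', SECRET).update(parts.join('.')).digest('hex');

// Constant-time comparison of two hex strings.
const sameHex = (a, b) => {
  const x = Buffer.from(String(a), 'hex'), y = Buffer.from(String(b), 'hex');
  return x.length === y.length && x.length > 0 && crypto.timingSafeEqual(x, y);
};

// Server: `answer` goes only to the image renderer, `token` goes into the form.
function issueChallenge(now = Date.now()) {
  let answer = '';
  for (let i = 0; i < 6; i++) answer += ALPHABET[crypto.randomInt(ALPHABET.length)];
  const nonce = crypto.randomBytes(12).toString('hex');
  const token = [nonce, now, mac('id', nonce, now), mac('ans', nonce, now, answer)].join('.');
  return { answer, token };
}

// Server: every check happens here; the page holds nothing to compare against.
function verifyChallenge(token, submitted, now = Date.now()) {
  const [nonce, issuedStr, idTag, ansTag] = String(token).split('.');
  const issued = Number(issuedStr);
  if (!sameHex(idTag, mac('id', nonce, issued))) return 'forged';
  if (spent.has(nonce)) return 'replayed';
  spent.add(nonce); // one guess per challenge, right or wrong
  const age = now - issued;
  if (age > TTL_MS) return 'expired';
  if (age < MIN_SOLVE_MS) return 'too-fast';
  const guess = String(submitted).trim().toUpperCase();
  return sameHex(ansTag, mac('ans', nonce, issued, guess)) ? 'ok' : 'wrong';
}
```

Because a nonce is burned on its first submission, a script gets one guess per issued challenge, so rate-limiting `issueChallenge` per client is what bounds the total number of guesses.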

The reason why I mentioned the WIX account was because this was only happening on my wix website, and my email was being used to sign in on other WIX websites for some reason.
Anyways, after I changed my passwords it stopped. I will provide more details if this happens again.

Thank you 🙂

@brainstorrrm @simonadams or anybody who may be interested in this feature: the reCAPTCHA Editor Element has been released.

You can use this User Input when building custom forms (that is, not Wix Forms).
It is also useful if you want visitors to pass a CAPTCHA challenge when, for example, they sign up to your website.

HTH

1 Like

Hi Eyal. Are you planning on adding this on to Wix Forms in the future? 🙂

@yela_501 I see now that I should have phrased my message differently 🙂
As a matter of fact, reCAPTCHA has been available in Wix Forms for a good few months now, long before it was released as a standalone Editor Element.
When you add it in Wix Forms you don’t need to write any code to authenticate the token; Wix Forms takes care of it for you. Check it out 🙂

Note that it is not available in the old Contact Form, and never will be. You have to upgrade to Wix Forms first if you wish to use reCAPTCHA. In general, we encourage users to upgrade to Wix Forms to get the most out of their forms.

Also, reCAPTCHA is not yet available in ADI. I will update once we add support for it.

closed due to spamming.