NOTE: This bug report is for JIRA Service Desk Server. Using JIRA Service Desk Cloud? See the corresponding bug report.

      Update as of March 2018

      Several customers have reported that their instances have recently been flooded with spam accounts that appear to be part of a systematic phishing attack, which suggests that the honeypot strategy we’ve been using since JSD 3.2 is no longer effective.

      This is a slightly different issue to JSD-4324 and JSD-1316 as they were first reported, so to minimise any confusion, please head to JSDSERVER-5706 for more details, including two potential workarounds and a guide to cleaning up the spam.

      On behalf of the JSD server team, we’re sorry for the inconvenience this has caused, and we’ll make a solution available as soon as we can.

      Update as of May 2017

      Hi everyone,
      The fix for this issue was released in JSD 3.2.0. Instead of Captcha, we implemented the honeypot technique to prevent spam bots from creating accounts on the customer portal. Here's more information about it: https://confluence.atlassian.com/display/AdminJIRAServer072/Enabling+public+signup+and+CAPTCHA

      Summary

      Currently, when public signup is enabled for both JIRA and Service Desk, Captcha is only displayed on the JIRA signup page, not on the Customer Portal signup page.

      Steps to reproduce

      1. Go to JIRA Administration -> System -> General Configuration -> Edit Settings
      2. Change Mode to Public and CAPTCHA on signup to ON
      3. Go to JIRA Administration -> Applications -> JIRA SERVICE DESK -> Configuration -> Turn ON Public signup
      4. Sign up a new account from JIRA and then from Customer Portal

      Expected behavior

      CAPTCHA is displayed on both signup pages.

      Actual behavior

      CAPTCHA is only displayed on the JIRA signup page. It's not available on the Customer Portal signup page.

      Note

      It seems that CAPTCHA on signup from General Configuration only takes effect on the JIRA side, not on the Customer Portal.


            [JSDSERVER-4324] Enabling public signup does not display Captcha

            francis added a comment -

            > we’ll make a solution available as soon as we can.

            Just cleaned out 7500 accounts.
            The account verification feature is disabled (we are at 3.11), but the account creation confirmation mail is still being sent resulting in

            Hi Get viagra at http://...

            Your xxx service account was successfully created
            You can login with your userid ...

            Where is this account creation mail confirmation being generated?

            Francis
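The mail quoted in the comment above carries the spam text in its greeting, which suggests the payload travels in the name supplied at signup (an assumption; the page does not say which field). As an added example, not Atlassian's code and not part of any comment here, this Python triage flags accounts in a user export for review before cleanup. The record layout, the sample rows, the regex and the thresholds are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample export (not real data): username, display name, created time.
SAMPLE_USERS = [
    ("jsmith", "John Smith", "2018-03-01 09:14:02"),
    ("u83121", "Get viagra at http://spam.example/x", "2018-03-02 02:00:01"),
    ("u83122", "Win prizes www.spam.example", "2018-03-02 02:00:03"),
    ("u83123", "Cheap loans spam.example/go", "2018-03-02 02:00:04"),
    ("akumar", "Anita Kumar", "2018-03-02 11:30:45"),
]

# A person's name should not contain a scheme, "www.", or a dotted host with a path.
URL_LIKE = re.compile(r"(https?://|www\.|\b[\w-]+\.[a-z]{2,}/)", re.IGNORECASE)
MAX_NAME_LEN = 60  # assumed threshold; tune to your user base

def name_is_suspicious(display_name):
    return bool(URL_LIKE.search(display_name)) or len(display_name) > MAX_NAME_LEN

def burst_members(users, window=timedelta(seconds=60), threshold=3):
    """Usernames created in any run of >= threshold signups within `window`."""
    rows = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), u) for u, _, ts in users)
    flagged = set()
    start = 0
    for end in range(len(rows)):
        # Slide the window start forward until it spans at most `window`.
        while rows[end][0] - rows[start][0] > window:
            start += 1
        if end - start + 1 >= threshold:
            flagged.update(u for _, u in rows[start:end + 1])
    return flagged

def triage(users):
    """Return {username: [reasons]} for accounts that need review before deletion."""
    in_burst = burst_members(users)
    report = {}
    for username, display_name, _ in users:
        reasons = []
        if name_is_suspicious(display_name):
            reasons.append("url-in-name")
        if username in in_burst:
            reasons.append("signup-burst")
        if reasons:
            report[username] = reasons
    return report

if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_USERS).items():
        print(user, ",".join(reasons))
```

Accounts flagged for both reasons are the strongest cleanup candidates; a single reason on its own deserves a manual look before anything is deleted.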


            Delan Azabani (Inactive) added a comment -

            Update as of March 2018

            Several customers have reported that their instances have recently been flooded with spam accounts that appear to be part of a systematic phishing attack, which suggests that the honeypot strategy we’ve been using since JSD 3.2 is no longer effective.

            This is a slightly different issue to JSD-4324 and JSD-1316 as they were first reported, so to minimise any confusion, please head to JSDSERVER-5706 for more details, including two potential workarounds and a guide to cleaning up the spam.

            On behalf of the JSD server team, we’re sorry for the inconvenience this has caused, and we’ll make a solution available as soon as we can.

            Kirstin Seidel-Gebert added a comment -

            We have the same problem: 300 spam accounts created some days ago. We're on JSD 3.3.0, but will soon update. Pity that this isn't fixed yet, as Alexander Dürrstein reported yesterday.
            All the worse, as it is not possible to bulk-delete these users. You have to delete them one by one (waiting each time for the screen to refresh), or do some SQL or REST API hacks.

            Alexander Dürrstein added a comment -

            Our Jira Service Desk Server Version is 3.8.3 and we still have the problem. What can I do?

            Martin Cleaver added a comment - - edited

            According to History:

            Nhi Nguyen closed JSDSERVER-4324 - Enabling public signup does not display Captcha
            03/May/2017 12:02 AM

            i.e. it was already closed.


            Alexander Dürrstein added a comment -

            > Atlassian! The status of this ticket is 'Closed'. Please reopen. Please assign it a proper priority too (it is set as 'low' right now).

            I totally agree with that.

            dina.hall-komkova516792532 added a comment - - edited

            Atlassian told me to turn public sign up off temporarily to prevent more spam. Once they fix the bug, it will be 'safe' to turn it back on. Log in as 'admin', go to System - Edit Settings, switch 'Mode' from public to private.

            Good luck!

            Atlassian! The status of this ticket is 'Closed'. Please reopen. Please assign it a proper priority too (it is set as 'low' right now). 

            It is more honest to admit the bug to your users than to fix it silently, hoping no more of us will get victimized. As we see, this does not work. More and more of us report this problem. It is frustrating to see that some of us could have been prevented from going thru this trouble if Atlassian were to notify its users of both the bug and the workaround.

            Really, what are you waiting for? For more of us to get spammed?


            Mike Sheen added a comment -

            I just had 300+ spam accounts created. No easy way to bulk delete and no way to stop it happening again tomorrow?

            WTF.

            dina.hall-komkova516792532 added a comment -

            I got 300 accounts created today! How does this bug have a low priority?!


            Enrique Cadalso added a comment - - edited

            The "honeypot technique" is not working for us, Jira 7.7.2, getting spam through the Customer Portal signup page.


              Unassigned Unassigned
              sraj Suren Raj
              Affected customers: 10
              Watchers: 33