Private Messages Enhancements - PMCrypt - Private Message Encryption
magnus
02-20-2007, 10:00 PM
Keywords: Private, Message, PM, Encrypt, Encode, Security
Description:
Encrypts Private Messages within the MySQL database. Allows for on-the-fly decryption without the need for a shared key.
Details:
This hack will encrypt sent messages within your MySQL database. No longer will they be viewable in plaintext, thus affording your members a little more security with their private correspondence.
Please be aware that this is not a total security solution. This was devised with simplicity as well as security in mind -- such as that the encryption method used is NOT to be assumed "unbreakable" by any stretch of the imagination.
The messages are encrypted using a method developed by and credited to AITOR SOLOZABAL MERIN (aitor-3@euskalnet.net), whereby text is encrypted/decrypted using a simple but powerful XOR method without a known key. Implicitly, the key is defined by the string itself in a character-by-character way. There are 4 items that compose the unknown key for the character in the algorithm:
- The ASCII code of every character of the string itself
- The position in the string of the character to encrypt
- The length of the string that includes the character
- Any special formula added by the programmer to the algorithm to calculate the key to use
This product does not explicitly rely on any vBulletin functions, thus there should not be any problems with future upgrades, etc.
This product was developed by request (https://vborg.vbsupport.ru/showthread.php?p=1187606#post1187606) of FGENETICS (https://vborg.vbsupport.ru/member.php?u=179056) and DOOGIE88 (https://vborg.vbsupport.ru/member.php?u=167430).
Installation:
1. Download and import the product-pmcrypt1.1.0.xml file via the Product Manager.
2. Enable the product via the AdminCP (vBulletin Options > Private Message Encryption)
3. ???
4. Profit
Version History:
v1.0.0 - Initial Release
v1.0.1 - Fixed bug when replying to an encrypted message.
v1.1.0 - Fixed issue with reply and preview. Encapsulated encryption within base64_encode(); for storage. Smilies no longer run risk of breaking encryption.
* Once enabled, all PM's sent thereafter will be encrypted. This means that should you choose to disable and/or uninstall the product, said PM's will remain encrypted -- rendering them unreadable.
* Please note that this modification was developed on a forum with a userbase of 1 (myself). I've tested it for basic functionality but I cannot guarantee functionality or behavior on your forum. So, please -- make backups before installing this product!
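Added example (not part of the original post, and not PMCrypt's source): the ingredients listed above contain no secret, so a stored value can be read back by anyone who holds the row and the routine, whereas a keyed, authenticated scheme also needs a key that can be kept outside the database. The XOR formula `(length + position + 1) % 255`, the function names and the sample message are assumptions made for illustration; the keyed half uses PHP's bundled sodium extension.

```php
<?php
// Added illustration, not PMCrypt's source. The key formula is an assumption
// assembled from the ingredients the post lists (length, position, formula).

// Keyless XOR: the per-character key depends only on the string length and the
// character position, so the same call encodes and decodes.
function keyless_xor(string $text): string
{
    $len = strlen($text);
    $out = '';
    for ($pos = 0; $pos < $len; $pos++) {
        $key = ($len + $pos + 1) % 255;      // assumed "special formula"
        $out .= chr(ord($text[$pos]) ^ $key);
    }
    return $out;
}

// v1.1.0-style storage: XOR output wrapped in base64 so the column holds
// printable text only.
function store_pm(string $message): string
{
    return base64_encode(keyless_xor($message));
}

// Reading needs the stored value and the routine; there is no secret input.
function read_pm(string $stored): ?string
{
    $raw = base64_decode($stored, true);
    return $raw === false ? null : keyless_xor($raw);
}

// Contrast: authenticated encryption under a key held outside the database.
function seal_pm(string $message, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($message, $nonce, $key));
}

function open_pm(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;                          // malformed or truncated row
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;  // wrong key or tampered row
}

$message = "Meet at 9 :) bring the report";   // constructed sample PM

$row = store_pm($message);
echo "keyless row:        $row\n";
echo "read without a key: ", var_export(read_pm($row) === $message, true), "\n";

$key    = sodium_crypto_secretbox_keygen();  // would live outside the database
$sealed = seal_pm($message, $key);
echo "right key opens:    ", var_export(open_pm($sealed, $key) === $message, true), "\n";
echo "other key opens:    ", var_export(open_pm($sealed, sodium_crypto_secretbox_keygen()) !== null, true), "\n";
```

Because the board must hold the key in order to display messages, the keyed variant protects a copied database, not messages from whoever runs the server.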
magnus
02-21-2007, 06:06 PM
Reserved.
Stoebi
02-21-2007, 06:50 PM
Hi,
where is the file? ;)
Surviver
02-21-2007, 06:51 PM
Wow, very nice :) I'll click install if you upload the file :P
projectego
02-21-2007, 06:53 PM
Sounds very interesting. I'll also click install once the file has been uploaded. ;)
magnus
02-21-2007, 07:40 PM
Durr.. it helps if I actually upload the product. Whoops!
/embarass
ZomgStuff
02-21-2007, 10:08 PM
A lot of potential! Thanks!
Reserved!
Lionel
02-21-2007, 10:25 PM
Nice! How does it work? Is it decipherable only by the recipient?
doogie88
02-21-2007, 11:14 PM
Thank you very much.
One question though, is there anything that will notify me if it worked or not?
Because I enabled it, the Admin CP options are there, but I tested with a message, and it is just like a normal message.
Thanks.
** okay it seems to be working, because when you 'reply' you see the encrypted message.
However, the one downfall is when you reply, and the original sender gets the original message back, after the receiver read it, the original quoted message is encrypted.
Anyway to fix that?
magnus
02-21-2007, 11:42 PM
I'll take a look at it, should be a simple fix.
magnus
02-22-2007, 12:36 AM
Ok, updated. Fixed the reply bug, however I did run into an issue with smilies during replies. You may want to check the "disable smilies" when replying for the time being, I'll devise a fix for that tomorrow.
doogie88
02-22-2007, 12:48 AM
What do I need to do to upgrade it? Uninstall it and re-install?
magnus
02-22-2007, 01:35 AM
You can just install the new version over the old one, just select "Allow Overwrite" on the Product Import page.
doogie88
02-22-2007, 02:40 AM
Very buggy, having a lot of problems with it.
Most messages aren't being decrypted.
magnus
02-22-2007, 10:13 AM
If you encrypted messages with 1.0, uninstalled, then installed 1.1 -- that would happen. By uninstalling you remove the added 'encrypt' row to the 'pmtext' table. When you re-install, the 'encrypt' row is added but without the correct integer for the previously encrypted messages. So when viewing those earlier encrypted messages, the decryption engine doesn't know to decrypt them.
I've installed, upgraded, uninstalled, reinstalled, reupgraded, etc.. about a dozen times, and each time the encryption/decryption works fine. The only problem, that I'm aware of currently, is occasionally the encryption text will contain a smiley bbcode (ie. :) ), thus preventing the message from being DEcrypted.
So, until that bug is fixed I would recommend checking "Disable smilies" when sending PM's. Also, keep in mind that this is still Beta, as noted in the original post.
Once I get into my office this morning, I'll go through the code. It was late last night, so God knows.
doogie88
02-22-2007, 01:22 PM
Hello
I tested a brand new message with the new version and it didn't encrypt, maybe it had to do with smilies though.
Snake
02-22-2007, 02:14 PM
Oh my god! This is a great hack! :D
magnus
02-22-2007, 04:02 PM
Ok, I've found the problem. I'm removing this for download until I upload the new version -- which should be in the next 20 minutes or so.
I would suggest deleting any encrypted PM's you've sent, as the new version will be unable to read them. I've had to wrap the encryption with base64_encode(); to allow for smoother storage within the SQL db.
OpikGer
02-22-2007, 04:12 PM
hm, perhaps I'm too stupid, but if the boardsoft can decrypt the pm for the user - why
can't someone who has access to the db decrypt it?
magnus
02-22-2007, 04:26 PM
hm, perhaps I'm too stupid, but if the boardsoft can decrypt the pm for the user - why
can't someone who has access to the db decrypt it?
As stated in the original post:
Please be aware that this is not a total security solution. This was devised with simplicity as well as security in mind -- such as that the encryption method used is NOT to be assumed "unbreakable" by any stretch of the imagination.
magnus
02-22-2007, 04:35 PM
Ok, v1.1.0 is available for download. This fixes all bugs listed so far:
PM's, replies and previews are working.
Smilies no longer have a chance of breaking encryption
Encrypted text is now encapsulated within base64_encode(); to allow for proper storage within MySQL database
*** Please note that messages encrypted with v1.0.0 - v1.0.1 will NOT be viewable with v1.1.0. This was an unfortunate but necessary change that needed to be made. I would suggest deleting all previously encrypted PM's before upgrading. ***
Enjoy!
magnus
02-22-2007, 06:01 PM
what about when a PM has an attachment.
vBulletin does not natively support attachments within Private Messages. Currently, the only way to achieve this result is via modification (https://vborg.vbsupport.ru/showthread.php?t=127113).
I develop my hacks to work on a default vBulletin installation and I cannot make any assurances as to their functionality alongside other hacks.
That being said, PMCrypt encrypts only the $pm['message'] variable. I'd imagine the Private Messages Attachments (https://vborg.vbsupport.ru/showthread.php?t=127113) modification stores the attachments within the default attachments table, which remains unaffected by PMCrypt.
tansu
02-22-2007, 10:35 PM
Nice one, but how will user understand the encryption?
magnus
02-22-2007, 10:51 PM
The user doesn't need to understand anything other than his or her Private Messages are no longer stored in plaintext within the MySQL database. This modification does not require any user interaction whatsoever.
tansu
02-23-2007, 12:50 AM
his or her Private Messages are no longer stored in plaintext within the MySQL database.
OK, what I wanted to ask, how will they understand this?
Maybe a sign around the pm editor would be nice. "This message is encrypted" or something like that.
Because if you are a user who is suspicious about if admins are reading my pm's, my word of "your messages are encrypted" won't be enough..
Or I am completely misunderstanding something.. :)
magnus
02-23-2007, 02:13 AM
Hrm, I see what you're saying. That's not a bad idea, I'll work up something visual for the end user.
Thanks for the suggestion.
This could be more useful if it could be used per usergroup rather than all PM's
Hi i have a Problem ... The Hack works fine but :
I see them with Already answered Message for the second time it is answered in the Quot only the encoded text.
Sorry for my bad English but I'm a German ^^
THX
UltimateOreo!
02-23-2007, 10:50 PM
Do private messages even need an encryption? As far as i know, it is not possible to "steal" or even intercept private messages. Anyway, good idea as far as peace of mind goes.
magnus
02-23-2007, 11:06 PM
Hi i have a Problem ... The Hack works fine but :
I see them with Already answered Message for the second time it is answered in the Quot only the encoded text.
Sorry for my bad English but I'm a German ^^
THX
I'm sorry, but I can't quite figure out what you're trying to describe. Would it be possible for you to take a screenshot of the problem?
magnus
02-23-2007, 11:08 PM
Do private messages even need an encryption? As far as i know, it is not possible to "steal" or even intercept private messages. Anyway, good idea as far as peace of mind goes.
From what I can tell, those who requested this hack were more concerned with assuring the members that the Admins themselves weren't reading their PMs.
Bubble #5
02-25-2007, 02:27 PM
Great idea for a hack Magnus :) Thank you for taking the time to make it and sharing it with us. In this day and age it should be a default vb feature.
Very nice. Very timely.
If it is possible and not a big task, I would like to suggest the following:
- A user cp option (checkbox) permitting the member to enable/disable this function;
- A message level option (checkbox) permitting the member to elect this option on a message by message basis;
- Admin level options enabling or disabling each of the above;
Why? As pointed out, there is a degree of risk in using the encryption mod, i.e. if the mod is for whatever reason disabled, removed, broken, whatever - encrypted PMs are effectively lost. Therefore, I would like to put the burden of responsibility for using encryption at the member level. Inform them of the trade-offs and that they use at their option and own risk.
Thanks for the work you have done on this. Installed.
:D
fgenetics
04-12-2007, 05:57 AM
u r the bomb! thanks much!!!! nominated and installed
Dream
04-12-2007, 06:10 AM
I'll be sure to add a decoder for this in my Read PMs hack :O
/ducks and runs
magnus
04-12-2007, 10:32 AM
I'll be sure to add a decoder for this in my Read PMs hack :O
/ducks and runs
The decoding routine is in the source. Enjoy. :p
SuperTaz
06-13-2007, 05:16 AM
Installed...Great hack
sonichero
06-13-2007, 05:18 AM
I would install this but it conflicts with my "read pms" hack...
Mrdby
07-13-2007, 10:34 AM
anybody else?
magnus
07-13-2007, 11:15 AM
I would install this but it conflicts with my "read pms" hack...
Uh, that's kind of the point. The whole point of encrypting private messages is to provide some form of assurance to your users that neither you (nor anyone else) is easily reading them.
magnus
07-13-2007, 11:16 AM
anybody else?
:confused:
cclaerhout
08-31-2007, 07:49 AM
There is a bug with this product and the vBulletin infraction system. When you want to give a user some penalty points, here is the message:
"please complete both the subject and message fields."
When you deactivate this hack, it works.
cclaerhout
08-31-2007, 08:01 AM
Here is a patched version
Warning : once product installed, never delete it otherwise you won't be able to read your pm anymore. Just UPDATE it (there's no problem to do that).
wIrEs
08-31-2007, 08:12 AM
Why never delete it? Is it hard to code an Admin CP option to decrypt ALL messages before deleting this mod? Or even decrypt all messages before upgrading to a new version, just in case something goes wrong? And, let's say, also add a PM checkbox to let the user encrypt the message if they want... this is for encrypting sensitive information, or if you're going to just say hi to somebody, encrypting that kind of message is pointless in my opinion. Anyway, cool mod overall, but I was expecting some more 'Unhackable' idea. I will use it anyway, since before the messages can be cracked, a cracker needs to crack my database LOL.
cclaerhout
08-31-2007, 08:22 AM
Well, I'm not the coder, but this hack is very useful when there are several admins and you want to be sure none of them will connect to the DB to read PMs. By the way, your idea to decrypt all messages before deleting this mod is really good.
sub_ubi
03-19-2008, 10:54 AM
Anyone have this running on 3.7?
codershark
03-19-2008, 12:25 PM
works perfect on vb 3.7 Beta 6
DssCrazy
03-19-2008, 10:17 PM
Problems
does not work with pm preview.
Does not work with infractions. thanks to cclaerhout it now does.
Does not encrypt the auto welcome message for new sign ups.
If users have their account set up to send to email, it will show the encryption.
Other than that this is WICKED.
Can you fix?
Thanks.
Martell
03-20-2008, 02:53 AM
Does not work vB 3.6.8 PL2.:confused:
Can you fix?
Thanks.
DssCrazy
03-22-2008, 08:20 PM
when is this coming out of beta stage?
codershark
04-02-2008, 07:40 PM
Doesn't work in vBulletin 3.7 RC1 --> after install, all mods and admins can't warn users for a thread
DssCrazy
04-10-2008, 03:56 PM
When sending mass PMs to all users the messages are not encrypted. Also, when you have the email PMs option on, it takes a longer amount of time to send to the email; it is not instant anymore.
Also, the message that gets encrypted you can see in emails when it sends.
kellyandmark04
04-15-2008, 05:41 AM
Any updates on this? I see this as a big security issue if users update this with their current vbulletin and it is not working and they are using it thinking the PM's are secure
If it is not supported with a format of vbulletin it should be stated
logicuk
04-30-2008, 03:21 PM
any updates coming? i would love this for vb 3.7
ShiZoPhreN
05-03-2008, 01:31 AM
Hello
Please magnus, make the Plugin for vB 3.7 ready, its a nice Plugin, do not will miss in my vB 3.7
codershark
05-13-2008, 12:02 PM
will someone update it to 3.7 ???
thestaton
05-14-2008, 01:31 PM
Please update?
nikki712
05-23-2008, 10:16 PM
I would love to add this to my forum as well. I'll be keeping an eye out for a 3.7 update! :)
ShiZoPhreN
05-26-2008, 05:45 AM
Hello magnus,
Please update the Hack, in my old forum I use this Plugin, all user PN's are crypted, when I upgrade to 3.7 and it's no update for this hack, all my users lost our PN's, that's so bad.. :'(
mfg
Shizo
Hostboard
05-26-2008, 05:53 AM
Besides the above mentions I would love for a way to make this by user group.
Fraxter
05-26-2008, 09:12 PM
Hello magnus,
Please update the Hack, in my old forum I use this Plugin, all user PN's are crypted, when I upgrade to 3.7 and it's no update for this hack, all my users lost our PN's, that's so bad.. :'(
mfg
Shizo
Use my attachment to encrypt your pm's. I hope you haven't uninstalled the pmencrypt product, then you have no chance to encrypt the pm's.
If you have only deactivated the hack, you set the sql settings in my script and run the script. The script will encrypt all pn's to the right format. I think it's better if you test it first on a test board. :) For me the script is working perfectly. ;)
But first make a database backup of your pmtext table!!!
ShiZoPhreN
05-27-2008, 05:26 AM
Use my attachment to encrypt your pm's. I hope you haven't uninstalled the pmencrypt product, then you have no chance to encrypt the pm's.
If you have only deactivated the hack, you set the sql settings in my script and run the script. The script will encrypt all pn's to the right format. I think it's better if you test it first on a test board. :) For me the script is working perfectly. ;)
But first make a database backup of your pmtext table!!!
Thankx :) for your help Pander23 =) i will check your Script...
logicuk
05-31-2008, 08:13 PM
any updates? i would love this for vb 3.7
logicuk
06-08-2008, 07:13 AM
anyone?
rskg4
07-07-2008, 09:05 AM
anyone?
I'm using it on 3.7, it seems to be working fine
codershark
10-10-2008, 01:34 PM
Doesn't function under 3.7.3 PL1
Following mistake when I will open a message...
Fatal error: Call to a member function query_first_slave() on a non-object in C:\xampp\htdocs\includes\functions_newpost.php(1857) : eval()'d code on line 5
logicuk
10-10-2008, 02:04 PM
This should be included in vb by default
Hope there is an update for this addon
kevbentz
01-10-2009, 09:43 PM
This was functioning for me right up through 3.7.4 but when I upgraded to 3.8.0 it no longer works.
Pander23.... I've been toying with your script, but it won't update the database because of apostrophes (') . They break the sql query if not escaped.
kevbentz
01-11-2009, 09:26 PM
Okay, I've got this "functioning" enough to decrypt PM's again, but am getting this error:
Parse error: syntax error, unexpected ';' in /public_html/includes/functions_newpost.php(1881) : eval()'d code on line 3
and it doesn't matter if the PM's are encrypted or not (I'm using some test PM's that are not encrypted to test functionality).
This highlighted section is the part of the code I'm having a problem with (this is from the .xml file for this add-in). If I remove the ";" at the end of the line it works for unencrypted PM's but not for encrypted PM's. If I leave it there, I get the error stated above:
<plugin active="1" executionorder="5">
    <title>PMCrypt :: Decrypt an encrypted reply</title>
    <hookname>private_newpm_reply</hookname>
    <phpcode><![CDATA[if ($pm['encrypt']){
    unset($pm);
    if ($pm = $db->query_first_slave("SELECT pm.*, pmtext.* FROM `" . TABLE_PREFIX . "pm` AS pm LEFT JOIN `" . TABLE_PREFIX . "pmtext` AS pmtext ON(`pmtext.pmtextid` = pm.pmtextid) WHERE `pm.userid` = '" . $vbulletin->userinfo['userid'] . "' AND `pm.pmid` = '" . $vbulletin->GPC['pmid'] . "'";)){
        // quote reply
        $originalposter = fetch_quote_username($pm['fromusername']);
        $pm['message'] = encrypt_decrypt(base64_decode($pm['message']));
        // allow quotes to remain with an optional request variable
        // this will fix a problem with forwarded PMs and replying to them
        if ($vbulletin->GPC['stripquote']){
            $pagetext = strip_quotes($pm['message']);
        }
        else{
            // this is now the default behavior -- leave quotes, like vB2
            $pagetext = $pm['message'];
        }
        $pagetext = trim(htmlspecialchars_uni($pagetext));
        eval('$pm[\'message\'] = "' . fetch_template('newpost_quote', 0, false) . '";');
        // work out FW / RE bits
        if (preg_match('#^' . preg_quote($vbphrase['forward_prefix'], '#') . '#i', $pm['title'])){
            $pm['title'] = substr($pm['title'], strlen($vbphrase['forward_prefix']) + 1);
        }
        elseif (preg_match('#^' . preg_quote($vbphrase['reply_prefix'], '#') . '#i', $pm['title'])){
            $pm['title'] = substr($pm['title'], strlen($vbphrase['reply_prefix']) +1);
        }
        else{
            $pm['title'] = preg_replace('#^[a-z]{2}:#i', '', $pm['title']);
        }
        $pm['title'] = trim($pm['title']);
        if ($vbulletin->GPC['forward']){
            $pm['title'] = $vbphrase['forward_prefix'] . " $pm[title]";
            $pm['recipients'] = '';
            $pm['forward'] = 1;
        }
        else{
            $pm['title'] = $vbphrase['reply_prefix'] . " $pm[title]";
            $pm['recipients'] = $pm['fromusername'] . ' ; ';
            $pm['forward'] = 0;
        }
    }
}]]></phpcode>
</plugin>
Any help?
kevbentz
01-13-2009, 02:31 AM
More testing shows that when replying to a PM it will quote the encoded message, not the unencoded one.
So, looks like this is broken for 3.8, and possibly earlier (although this worked for me right up through 3.7.4).
I see the coder is still active here. Just wish he could update this.... (hint, hint):D
badham
05-28-2009, 08:34 PM
I would love to have this back for 3.8.x, it does not work with it for sure.... I looked at the code but have not had time to hash out where the rub is, shame as this was a great security feature and would love to see the same for 3.8
badham
badham
09-06-2009, 01:30 AM
To add i got it working with 3.8 by simply uninstalling it and reinstalling it. Of course it did not help with those who had pm's which became encrypted and could not be read by the system, but all new pms are encrypted and decrypting as they should.... this is a good hack... would love to see someone do this for the entire vbulletin forum. Would be great for us who are security minded.
badham
pete838
12-22-2009, 12:42 PM
I am interested in encrypting PM's inside the database to prevent something like this (https://secure.wikileaks.org/wiki/Draft:Nazis) from exposing my members private messages. Is there any plan to update this mod for vB4?
wIrEs
04-24-2010, 10:40 PM
please update to vb4.0.3 !
gameplanets
05-30-2010, 02:53 PM
Great mod, can you update at least to vB 3.8?
cclaerhout
07-17-2010, 09:11 AM
Here is a fix working for me on vB 3.8.6.
Better to say it again : UPDATE your previous version with this one. DO NOT uninstall your previous version !
If someone finds a way to DECRYPT ALL the PM database, then it will be a pleasure for me to UNINSTALL this hack.
gameplanets
07-26-2010, 10:11 PM
Thank you cclaerhout! Works on 3.8.6!
cclaerhout
01-30-2011, 09:43 PM
Here is a PHP script to "decrypt" all the encrypted pm in the database.
Before using it, YOU HAVE TO SAVE YOUR "pmtext" TABLE.
To do it, go to PHPMYADMIN
If the script doesn't work for you, you will be able to restore your table
Then open "decrypt_pm.php", and add information to connect to your server. Save the file. Upload it to your server. Launch it with your browser.
You can now upgrade to vB 4 or whatever.
This script is not supported
mandrinvborg
08-26-2011, 07:56 AM
Does this mod work with VB 3.8.4?
cclaerhout
08-26-2011, 01:27 PM
Yes but do not install this hack. For explanation, just read the thread.
VIP Hawaii
06-12-2016, 02:18 PM
Thank you, thank you, thank you!! IT WORKS! :):D:cool:
Here is a fix working for me on vB 3.8.6.
Better to say it again : UPDATE your previous version with this one. DO NOT uninstall your previous version !
If someone finds a way to DECRYPT ALL the PM database, then it will be a pleasure for me to UNINSTALL this hack.