BitPorn.eu: Plugin scrapes forum post author UID instead of authenticated user

[BitPorn]

• PT Plugin Plus version:
  v1.6.0 (latest release from Edge Extension Store)

• PT Plugin Plus installation method:
  Market installation (Microsoft Edge Add-ons)

• Browser name and version:
  Microsoft Edge 134.0.0.0 (Windows 11)

• Whether the browser has other plugins installed:
  Yes

• Is it working properly after disabling other plugins:
  Yes, the issue is unrelated to other extensions.

---

🐞 Problem Description:

We have discovered a critical parsing bug when using PT Plugin Plus with the BitPorn.eu tracker.
After authentication, the plugin displays the wrong user information instead of the authenticated account’s data.

Specifically, the plugin scrapes the first author listed in the “Last 5 Forum Posts” section on index.php, instead of reliably identifying the currently logged-in user.

As a result, the plugin assigns the wrong UID (and corresponding stats like uploaded/downloaded amounts, bonus, etc.) to the session.

We verified this using a test account (UID: 40179), but the plugin consistently displayed information for other users such as UID 35354 or 24345 — depending on who appeared first in the homepage’s forum section.

Importantly:

• The plugin does not fetch or validate the authenticated account’s data.
• There are no API calls observed that would confirm the logged-in user.
• This leads to a data mismatch and a potential privacy risk, especially if other users' UIDs and visible information are shown in someone else’s plugin session.

---

🖼️ Related screenshots:

The user "xiansta" originally identified this issue and provided evidence showing that:

• After login, the plugin incorrectly scraped UID 24345,
• Even though the authenticated account was UID 40179.

These screenshots can be attached if required.

---

🔁 Reproduce steps:

1. Install PT Plugin Plus in Microsoft Edge.
2. Add the BitPorn.eu tracker with a valid passkey.
3. Navigate to the tracker homepage (index.php).
4. Observe that the displayed UID/username corresponds to the first forum post author, not the actual logged-in user.
5. Refresh the page — the displayed user data changes depending on who posted most recently.

---

📌 Additional notes:

• We are the administrators of BitPorn.eu, and we can confirm that our index page uses a slightly modified layout, not 100% identical to standard NexusPHP.
• This might be why the plugin's scraper misinterprets the structure and extracts data from the wrong place.
• As far as we know, BitPorn does not expose user credentials or passkeys publicly.
• There is no API endpoint currently being used by the plugin on our side.

---

✅ Suggested improvement:

Please consider updating the user info parser logic to:

• Rely on a more reliable element (e.g., /usercp.php links),
• Or allow per-tracker override/adjustment of how the plugin determines the current user.

Let us know if we can assist further with testing or provide more information. Thank you for your work on the plugin!

[Rhilip]

our index file allow overide , for example, we can edit the following selector instead of use NexusPHP default

{
  //  ...
  "selectors": {
    "userBaseInfo": {
      "page": "/index.php",
      "fields": {
        "id": {
          "selector": "span#curuser a[href*='userdetails.php'][class*='Name']:first",
          "attribute": "href",
          "filters": [
            "query ? query.getQueryString('id'):''"
          ]
        },
        "name": {
          "selector": "span#curuser a[href*='userdetails.php'][class*='Name']:first"
        },
        "isLogged": {
          "selector": [
            "a[href*='logout.php']"
          ],
          "filters": [
            "query.length>0"
          ]
        }
      }
    },
}

---

@tomyangsh can you check and fix this bug ?

[BitPorn]

Hi, @Rhilip

Thank you for your guidance about overriding the userBaseInfo selector using a custom site config.
While we understand that it's possible to override selectors per site, this does not fully solve the issue in our case, due to the following reasons:

---

🚫 Why override is not a safe fix:

The userdetails.php?id=... link appears in multiple places on the homepage (index.php) — not just for the currently logged-in user.

For example:

• In the “Last 5 Forum Posts” section (forum authors)
• In the recent activity blocks
• In the "Lucky Draw" user rewards section

This means a generic selector like:

"a[href*='userdetails.php']"

…can easily pick the wrong user (e.g. a forum post author), not the authenticated user.

---

On our tracker, the correct user profile link is within a unique element:

<div class="user-container" id="userToggle">
  <a href="userdetails.php?id=1">Felhasználói Profil</a>
</div>

⚠️ However, please note: the link text (e.g. "Felhasználói Profil") is language-dependent
(e.g. Hungarian: "Felhasználói Profil", English: "User Profile")
So selecting based on link text is unreliable across translations.

---

✅ Proper solution: fix it inside the extension itself

We’d like to emphasize that overriding the selector locally is not a long-term fix, because:

• The BitPorn tracker is pre-defined in the PT Plugin Plus extension (published on the Microsoft Edge Add-ons store).
• Most users install the plugin from the store and use BitPorn without modifying any config.
• As a result, the built-in config for BitPorn must be corrected — otherwise, users will continue to see incorrect UID and stats.

---

🔧 Suggestion:

Please update the built-in BitPorn config with a more specific and safe selector:

"selector": "#userToggle a[href*='userdetails.php']"

This will ensure that only the logged-in user is captured by the plugin — not unrelated authors on the page.

---

Let us know if we can help with testing or verification.

Thanks again for maintaining PT Plugin Plus — we really appreciate your work!

Best regards,
The BitPorn Team

[Rhilip]

Thank you so much for dedicating your time to share your valuable suggestions with us.

We'll try to fix those incorrect selectors ASAP.

However, PTPP is currently a Manifest V2 extension. As a result, we're unable to publish a full update on the Microsoft Edge Add-ons store. The version available in the store is stuck at 1.6.1.2802. Any changes and improvements will be reflected only in the pre-release builds and those generated by GitHub Actions.

Our team is now primarily focused on the development of the next Manifest V3 extension pt-plugins/PT-depiler , it will be available in next months and Old PTPP will be removed in store.

Rhilip

[BitPorn]

Thank you so much for dedicating your time to share your valuable suggestions with us.

We'll try to fix those incorrect selectors ASAP.

However, PTPP is currently a Manifest V2 extension. As a result, we're unable to publish a full update on the Microsoft Edge Add-ons store. The version available in the store is stuck at 1.6.1.2802. Any changes and improvements will be reflected only in the pre-release builds and those generated by GitHub Actions.

Our team is now primarily focused on the development of the next Manifest V3 extension pt-plugins/PT-depiler , it will be available in next months and Old PTPP will be removed in store.

Rhilip

Thank you so much for your quick and detailed response!

We really appreciate your efforts and totally understand the current limitations with Manifest V2. We'll keep an eye on the pre-release builds and are happy to test any changes or help with feedback — including on the upcoming PT-Depiler extension.

Thanks again for your great work on PT Plugin Plus. 🙏

Best regards,
The BitPorn Team