BoardGameGeek» Forums » BoardGameGeek Related » BGG Bugs

Subject: Major Security Issue!

Your Tags: Add tags
Popular Tags: login_bug [+] [View All]
Jack K
United States
Shorewood
Wisconsin
I hate to sound overly-dramatic, but that's precisely what it is.

I was working in Firefox (v 27.0.1), and tried to reply to a Geekmail.

What came up was a mail with a blank subject line and "to" field. The body was also blank other than the quotation tags.

I looked up at my mail notification and saw that the unread indicator had dropped from 14 to 0.

So I clicked to go back to the mailbox and found myself looking at someone else's mailbox.

When I clicked on "My Geek", to see who I was logged in as, I discovered that I was now suddenly logged in as this user:

Jack
South Africa
Cape Town
Western Cape


I can't think that the fact that we have almost the same display name ("Jack K" vs "Jack") is a coincidence.

I had to log in from a different browser to get this message posted under my real profile...

I then logged out of his account and back in, and have not yet seen this problem again. If I do, I will report it here.

Obviously this is a really serious privacy issue that you'll need to look into ASAP.

(edited to correct a typo)
Paolo Robino
Italy
Dueville
Vicenza
anglotiger wrote:
So I clicked to go back to the mailbox and found myself looking at someone else's mailbox.

When I clicked on "My Geek", to see who I was logged in as, I discovered that I was now suddenly logged in as this user:

Jack
South Africa
Cape Town
Western Cape


I can't think that the fact that we have almost the same display name ("Jack K" vs "Jack") is a coincidence.

Something like that happened to me a few weeks ago:

My Profile is all wrong (mostly gone, actually) [SOLVED]

Still don't know what it was, but it went away in a day, and never returned (so far).
Jack K
United States
Shorewood
Wisconsin
A problem this serious shouldn't even happen once.
Russ Williams
Poland
Wrocław
Dolny Śląsk
designer
Paolo Robino wrote:
anglotiger wrote:
So I clicked to go back to the mailbox and found myself looking at someone else's mailbox.

When I clicked on "My Geek", to see who I was logged in as, I discovered that I was now suddenly logged in as this user:

Jack
South Africa
Cape Town
Western Cape


I can't think that the fact that we have almost the same display name ("Jack K" vs "Jack") is a coincidence.

Something like that happened to me a few weeks ago:

My Profile is all wrong (mostly gone, actually) [SOLVED]

Still don't know what it was, but it went away in a day, and never returned (so far).

Intriguing that your example also involved the same first name (Paolo in your case)!
Deviated in his zealotry? Surely not
Sweden
Also here: Mistakenly logged in as another user

It involved someone named Lee getting logged on as someone named Jason. We need more data points!
Jack K
United States
Shorewood
Wisconsin
In case it helps, I was not using a public computer. I was logged into BGG from my work PC (which I do often) and I'm fairly certain that no-one else here has ever even been to this site.
United States
Middlesboro
Kentucky
Again!?

This is scary to me. :/
United States
Middlesboro
Kentucky
Has anyone had an "official" response about this issue from Octavian or another mod? Because I think this is a pretty serious thing especially since it has happened on more than one occasion, with different users, and who knows how many other times that haven't been publicly reported, or maybe even noticed.
Jack K
United States
Shorewood
Wisconsin
Scarlett_O wrote:
Has anyone had an "official" response about this issue from Octavian or another mod? Because I think this is a pretty serious thing especially since it has happened on more than one occasion, with different users, and who knows how many other times that haven't been publicly reported, or maybe even noticed.


FWIW, Octavian isn't likely to be involved in the investigation of this issue.
United States
Middlesboro
Kentucky
anglotiger wrote:
Scarlett_O wrote:
Has anyone had an "official" response about this issue from Octavian or another mod? Because I think this is a pretty serious thing especially since it has happened on more than one occasion, with different users, and who knows how many other times that haven't been publicly reported, or maybe even noticed.


FWIW, Octavian isn't likely to be involved in the investigation of this issue.


Aldie, then... whomever... somebody.
Scott Alden
United States
Dallas
Texas
admin
I'm looking into the problem.
Brian M
United States
Thornton
Colorado
designer
I just had this same problem; one moment I was logged on as myself, the next I was logged on as the user KTSlayer.

Also using Firefox, also using a work computer (though at home, so it certainly wasn't somebody physically doing anything with it).
CHAPEL
United States
Round Rock
Texas
Looks like it might be having collisions or shifting in the "SessionID" cookie. I've noticed that I can clear out the username and password in the cookie and as long as the sessionID remains, I can access the page.
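The post above makes two observations: the sessionID cookie alone is what the server trusts, and the symptom looks like two users' sessions colliding or shifting onto the same ID. The following is an added illustration of that failure mode and its defensive fix; it is not BGG's code and says nothing about how BGG actually generates sessions. The in-memory store, the hypothetical weak generator (a 16-bit counter mixed with the current second) and all usernames are constructed for the example. It shows that a small or predictable ID space lets two users be issued the same session ID, that a store which silently rebinds such an ID produces exactly "suddenly logged in as someone else", and how a CSPRNG-backed ID plus a refuse-to-rebind check closes both gaps.

```python
import math
import secrets
import time
from typing import Dict, Optional


def weak_session_id(counter: int, now: Optional[float] = None) -> str:
    """Hypothetical weak generator (constructed for this example): the
    current second plus a 16-bit counter. The counter wraps every 65536
    issuances, so two logins in the same second whose counters differ by
    a multiple of 65536 receive the SAME id."""
    t = int(now if now is not None else time.time())
    return f"{t:x}-{counter % 0x10000:04x}"


def strong_session_id() -> str:
    """Defensive generator: 32 random bytes (256 bits) from the OS CSPRNG,
    URL-safe base64 encoded. Unpredictable and collision-free in practice."""
    return secrets.token_urlsafe(32)


def issue_session(store: Dict[str, str], session_id: str, username: str) -> str:
    """Bind session_id -> username. Refuses to rebind an id that is still
    live for a different user: a silent overwrite here is what turns a
    collision into one user seeing another user's mailbox."""
    owner = store.get(session_id)
    if owner is not None and owner != username:
        raise RuntimeError(
            f"session id collision: {session_id!r} already belongs to {owner}"
        )
    store[session_id] = username
    return session_id


def authenticate(store: Dict[str, str], cookies: Dict[str, str]) -> Optional[str]:
    """Server side of what the post observed: only the sessionID cookie is
    consulted. Any username/password cookies sent alongside are ignored,
    so the session id is the sole bearer credential."""
    return store.get(cookies.get("sessionID", ""))


def expected_collision_logins(id_space_bits: int) -> float:
    """Birthday bound: number of issued ids after which a collision is
    about 50% likely, n ~= sqrt(2 * N * ln 2) for N = 2**bits."""
    n = 2.0 ** id_space_bits
    return math.sqrt(2.0 * n * math.log(2.0))


def demo_weak_collision() -> str:
    """Two users log in during the same (constructed) second, 65536 logins
    apart in the counter. With the weak generator they get the same id;
    issue_session detects the rebind instead of silently swapping users."""
    store: Dict[str, str] = {}
    fixed_second = 1_700_000_000.0  # constructed timestamp
    issue_session(store, weak_session_id(7, fixed_second), "jack_k")
    try:
        issue_session(store, weak_session_id(7 + 0x10000, fixed_second), "jack_za")
    except RuntimeError:
        return "collision detected"
    return "no collision"


def demo_strong_no_collision(n_users: int = 10_000) -> int:
    """Issue n_users sessions with the strong generator and return how many
    distinct ids resulted (expected: all of them)."""
    store: Dict[str, str] = {}
    for i in range(n_users):
        issue_session(store, strong_session_id(), f"user{i}")
    return len(store)


if __name__ == "__main__":
    print(demo_weak_collision())
    print(demo_strong_no_collision(), "distinct strong ids out of 10000")
    print(f"~{expected_collision_logins(16):.0f} logins to a 50% collision at 16 bits")
    print(f"~{expected_collision_logins(256):.2e} logins to a 50% collision at 256 bits")
```

Two defensive points follow from running it. First, because `authenticate` consults only the sessionID, the id must carry enough entropy that neither guessing nor accidental reuse is feasible; at 16 bits the birthday bound is about 300 logins, at 256 bits it is astronomically large. Second, the store should never rebind a live id to a different principal; logging that condition gives operators a direct signal for incidents like the ones reported in this thread.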
Jonathan Harrison
United States
Fisher
Illinois
Eeep!
 
Serious? Lee
United States
Coppell
Texas
Kaffedrake wrote:
Also here: Mistakenly logged in as another user

It involved someone named Lee getting logged on as someone named Jason. We need more data points!

Yes, that was my account of a similar experience happening to me back in February. I also was using Firefox for what it's worth.
Wendell
United States
Yellow Springs
Ohio
Still happening: System logged me in as the wrong user; not sure if this is a BGG problem or something else

Also, what about Heartbleed and BGG? Anything?
Deviated in his zealotry? Surely not
Sweden
I said I'm looking into the problem.
Russ Williams
Poland
Wrocław
Dolny Śląsk
designer
wifwendell wrote:
Also, what about Heartbleed and BGG? Anything?

Heartbleed has no relevance for sites like BGG which don't use SSL (i.e. https instead of http).

OpenSSL Heartbleed bug: BGG tests, something went wrong?
Steven Mitchell
United States
New York
New York
StormKnight wrote:
I just had this same problem; one moment I was logged on as myself, the next I was logged on as the user KTSlayer.

Also using Firefox, also using a work computer (though at home, so it certainly wasn't somebody physically doing anything with it).


And I was somehow just logged in as StormKnight. I was posting items to a Math Trade and somehow my last two were posted under StormKnight's name. So I was in the middle of a series of tasks, nothing at all unusual, when all of a sudden my session seems to have switched.

I've since logged out and back in as myself (and thus cannot delete those items, so they persist in case someone wants to look at those posts on the server end), but that was kinda scary for a moment.
Brian M
United States
Thornton
Colorado
designer
patton1138 wrote:
StormKnight wrote:
I just had this same problem; one moment I was logged on as myself, the next I was logged on as the user KTSlayer.

Also using Firefox, also using a work computer (though at home, so it certainly wasn't somebody physically doing anything with it).


And I was somehow just logged in as StormKnight. I was posting items to a Math Trade and somehow my last two were posted under StormKnight's name.

I've since logged out and back in as myself (and thus cannot delete those items, so they persist in case someone wants to look at those posts on the server end), but that was kinda scary for a moment.


Yikes! More scariness! At least you aren't posting either (A) Anything I wouldn't want to trade away or (B) Anything I'd be embarrassed to be seen as owning!

"Hey, look, StormKnight is trading away the LCR Super Platinum Edition because he has too many copies".
Russ Williams
Poland
Wrocław
Dolny Śląsk
designer
patton1138 wrote:
And I was somehow just logged in as StormKnight. I was posting items to a Math Trade and somehow my last two were posted under StormKnight's name. So I was in the middle of a series of tasks, nothing at all unusual, when all of a sudden my session seems to have switched.

Whoa, seriously? That is really bad and dangerous if people can unknowingly get auction & trade items made in their name!

(Or am I not getting a joke?)
Brian M
United States
Thornton
Colorado
designer
No, as far as I can tell this was not a joke. This is a very worrying security issue; so far we've only heard about nice people who immediately logged out (luckily, I suspect that describes a lot of BGG), but a troublemaker could really cause problems for a person by initiating trades or simply deleting lots of collection data.

I wonder if it's sheer coincidence that I got logged in as someone else, and then shortly thereafter someone got logged in as me, or if it actually has something to do with what is causing this bug?
Russ Williams
Poland
Wrocław
Dolny Śląsk
designer
I wonder if people can "become" another user in this way only if the other user is logged in, or one can "become" another user who has logged out as well. This makes me think it could be wise to start logging out when leaving the site instead of staying continually logged in...
Marion
Aldie wrote:
I'm looking into the problem.


Aldie?

Is it just me or are these incidents happening more frequently lately?
It makes me feel quite uncomfortable, thankfully nothing has happened to my account yet (well who knows...?), but it might only be a matter of time.

I would like to hear something from the Admins, please...