Login-Credentials BUG: Cookie Mishandling leads to possible website-vulnerability
I posted, Reposted and Re-linked over and over again. Nothing happened, not even a notification "we are on it" from the team.
THIS IS A SECURITY ISSUE! People on a no longer logged in PC can see things they aren't supposed to!
I had this problem in the past sporadically but never saw a pattern till recently:
I come to instructables.com, I am already logged in and click on "feed" at the top. After a while an error pops up telling me a Rerouting-error happened ("Umleitungsfehler" in German). I noticed this always happens after the following action-pattern:
- I visit instructables.com and log in on computer A and I DON'T log out there but only close the browser.
- I visit instructables.com on computer B. I am seemingly already signed in from the last visit here on computer B at instructables.com.
- If I now click feed (on computer B), the error happens.
- If I log out and log back in on computer B, the error is gone on this computer B, even over Firefox restarts.
As far as I understand, as soon as I log in on computer A, a new login-cookie is created on computer A and the cookie on computer B will no longer be valid next time. Now, if I come to instructables with computer B, the cookie somehow is still interpreted as valid and logs me in (I appear to be logged in with my avatar visible at the top right). However, if I want to go to my feed, it seems Instructables checks the cookie again and figures out that I have a no longer valid login-cookie on this computer B due to my login on computer A and refuses to redirect me to my feed.
This gets sorted with a re-log on computer B, creating a NEW login-cookie on computer B and all is well again on computer B. Now I can play the same game on computer A with a re-log. :)
I hope this error-report helps you guys in pinpointing and fixing an issue with a login-bug, as it seems.
And why the hell do I have to define in which channel this belongs and you don't have a channel "website of Instructables"?!? I hope this is not lost in "Circuits" - "Computer" which was the closest I could find to a website-problem... Geez...
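The behaviour described in the post (the page header trusts a stale login cookie while the feed rejects it) is the classic symptom of a site validating the session in some handlers but not others. The following added example is not Instructables code; it is a hypothetical, self-contained model written for this thread. It assumes a server-side session table with a single-session-per-user policy (a login on computer A revokes the session still held in the cookie on computer B), and contrasts a naive header that only checks for cookie presence with routing that resolves the user through one validate step on every request. Names such as `SessionStore`, `handle_request` and the user "alice" are constructed for the example.

```python
import secrets
import time


class SessionStore:
    """Server-side session table. Hypothetical model, not the real site's
    implementation; it only captures the behaviour discussed in the post."""

    def __init__(self, ttl_seconds=3600):
        self.sessions = {}          # session id -> {"user": str, "expires": float}
        self.active_for_user = {}   # user -> the one session id currently allowed
        self.ttl = ttl_seconds

    def login(self, user, now=None):
        now = time.time() if now is None else now
        # Single-session policy: a login on computer A revokes the session
        # whose id is still stored in the cookie on computer B.
        old = self.active_for_user.get(user)
        if old is not None:
            self.sessions.pop(old, None)
        sid = secrets.token_urlsafe(32)  # unguessable session id
        self.sessions[sid] = {"user": user, "expires": now + self.ttl}
        self.active_for_user[user] = sid
        return sid

    def logout(self, sid):
        rec = self.sessions.pop(sid, None)
        if rec is not None:
            self.active_for_user.pop(rec["user"], None)

    def validate(self, sid, now=None):
        """Return the user for a live session id, or None for a missing,
        unknown, revoked or expired id."""
        now = time.time() if now is None else now
        rec = self.sessions.get(sid) if sid else None
        if rec is None:
            return None
        if now >= rec["expires"]:
            self.logout(sid)
            return None
        return rec["user"]


def header_naive(cookies):
    """The pattern that produces the reported symptom: the header treats the
    mere presence of a session cookie as 'logged in' without asking the store."""
    return "logged in" if cookies.get("session") else "anonymous"


def handle_request(store, path, cookies, now=None):
    """Every route resolves the user through the same validate() call, so the
    header and the feed can never disagree about whether the session is live."""
    user = store.validate(cookies.get("session"), now)
    header = f"logged in as {user}" if user else "anonymous"
    if path == "/":
        return {"status": 200, "header": header, "body": "home"}
    if path == "/feed":
        if user is None:
            # One redirect to the login page, and clear the dead cookie so the
            # browser stops presenting it (no redirect loop, no phantom login).
            return {"status": 302, "location": "/login",
                    "set_cookie": "session=; Max-Age=0"}
        return {"status": 200, "header": header, "body": f"feed for {user}"}
    return {"status": 404, "header": header, "body": "not found"}


def reproduce_scenario():
    """Walk through the post's steps with constructed data and return what
    computer B observes after the later login on computer A."""
    store = SessionStore()
    t0 = 1_000_000.0
    cookie_b = {"session": store.login("alice", now=t0)}   # earlier login on computer B
    store.login("alice", now=t0 + 60)                      # login on computer A revokes B
    return {
        "naive_header_b": header_naive(cookie_b),
        "home_b": handle_request(store, "/", cookie_b, now=t0 + 120),
        "feed_b": handle_request(store, "/feed", cookie_b, now=t0 + 120),
    }


if __name__ == "__main__":
    for name, result in reproduce_scenario().items():
        print(name, "->", result)
```

Running it shows the split the post describes: `header_naive` still reports "logged in" for computer B's stale cookie, while `handle_request` reports "anonymous" on the home page and answers the feed request with a single redirect to `/login` that also clears the cookie. The defensive point is that session validity must be decided in one place and consulted by every handler, and that a rejected session should be cleared from the client rather than left to be retried.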