Serious security problem (getting logged in to the wrong account)

Bugs, comments, questions, and complaints regarding v3 of the site, launched June 2019.
trillian59
Posts: 50
Joined: Tue Sep 13, 2016 3:28 am

Wed Aug 14, 2019 12:15 am

Hi, this happened to me for the 2nd time today, so I think it is a major problem.

I log in normally, hit the button "keep me logged in for 2 weeks".
I call the board with a direct link to my "favorites" pages.

This works normally, but sometimes, like today, I get the favs (and of course the whole session) of somebody else, like "BRIANCOX" or so.

I could then act as if I were that user, doing everything I like.

I guess the stored credentials in the local cookie become invalid (reboot of the server maybe?) and accidentally contain some data that is valid in the current environment. Maybe the session IDs are not random enough?

Anyway, of course, I cannot reproduce this at will, but it has already happened twice, so we can eliminate the possibility that this was just an accident or a user problem.
szsori
Site Admin
Posts: 2242
Joined: Fri Nov 03, 2006 2:23 pm

Wed Aug 14, 2019 12:34 pm

Are you logged into www.thetvdb.com or beta.thetvdb.com?
bluesquirrel
Posts: 247
Joined: Thu Jan 19, 2017 5:44 pm
Location: Australia

Wed Aug 14, 2019 1:36 pm

Maybe a somewhat related issue. On the v2 site, I can be both logged in and logged out at the same time.

If I go to the main site, https://www.thetvdb.com/, then I land on the page as logged out. If I browse, search etc., I remain logged out.

If I use my Favourites bookmark, I land on the page as logged in. I can browse, search etc and I remain logged in.

I can open the two pages in separate tabs of the same browser and my Favourites page remains logged in, but the tab with main site remains as logged out and they remain that way after browsing in each of the two tabs.
szsori
Site Admin
Posts: 2242
Joined: Fri Nov 03, 2006 2:23 pm

Wed Aug 14, 2019 2:46 pm

www and non-www? The v2 site has various issues, which is why we're launching the v3 site (which this forum is specific to).
trillian59
Posts: 50
Joined: Tue Sep 13, 2016 3:28 am

Thu Aug 15, 2019 11:26 am

I am still on v2 (I was on v3 for a few days, but it's a bit awkward to do things twice to make them permanent, so I returned for now).
AnyColour
Posts: 1
Joined: Tue Aug 27, 2019 8:06 pm

Tue Aug 27, 2019 8:18 pm

I came here and registered to report the same odd issue. I have never had an account, but upon visiting the site I noticed an account logged in. I can't actually access the settings or favorites, but I thought I should at least let you know. It happens in an incognito window, as well as in a different browser. Also, I made an account to log in myself and I can't access my own pages; I get the same errors that I did when the mystery account was logged in.

spongerob
Posts: 6
Joined: Fri Jun 01, 2018 12:58 pm

Sun Oct 20, 2019 8:41 am

Just noticed this myself: I visited the URL thetvdb.com and it's showing me logged in as somebody else. Incognito mode is exactly the same. I'm guessing it's a caching issue on the site's end? It's a bit worrying.
leethompson
Posts: 75
Joined: Mon Aug 04, 2014 10:54 am

Mon Nov 04, 2019 2:44 pm

I am getting this too. I'm not sure which site I'm looking at (https://www.thetvdb.com).

1. Logged in as "DANIELLQO" (that's not me).
2. I click logout, then it gives me the login page but says "GERRY HUNTER" at the top.
3. I submit my credentials and I get "Invalid form token. Please reload this form and submit again."
4. Now I'm logged in.
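The symptoms reported in this thread (a visitor with no account seeing someone else logged in, the same result in incognito mode, and a logout page that already shows a third name followed by "Invalid form token") are what a shared page cache produces when it stores a logged-in user's page under the bare URL and hands it to the next request for that URL. spongerob's caching guess is one possible explanation, not a confirmed cause. The following toy model is an added illustration, not the site's code or the forum's: it assumes a cache in front of the origin, constructed session cookies "sess-a" and "sess-b" for hypothetical users alice and bob, and a deterministic stand-in for the per-session form token. It shows the failure with a URL-only cache key beside the behaviour when the cache honours Cache-Control: private, no-store and Vary: Cookie.

```python
"""Toy model of a shared page cache leaking one user's logged-in page to others.

Added illustration, not the site's own code. It assumes a cache layer in
front of the origin and constructed session cookies "sess-a"/"sess-b" for
hypothetical users alice and bob.
"""
import hashlib

# Constructed session store: cookie value -> logged-in user (hypothetical).
SESSIONS = {"sess-a": "alice", "sess-b": "bob"}


def form_token(user):
    """Deterministic stand-in for a per-session form (CSRF) token.

    Real tokens are random per session; the fixed derivation only makes the
    example reproducible.
    """
    return hashlib.sha256(f"token:{user}".encode()).hexdigest()[:16]


def origin(request):
    """Origin server: render the favorites page for whoever the cookie says."""
    user = SESSIONS.get(request.get("cookie"))
    if user is None:
        return {
            "headers": {"Cache-Control": "public, max-age=60"},
            "body": "Favorites: please log in",
            "user": None,
            "token": None,
        }
    return {
        # Per-user content must never be stored in a shared cache.
        "headers": {"Cache-Control": "private, no-store", "Vary": "Cookie"},
        "body": f"Favorites for {user}",
        "user": user,
        "token": form_token(user),
    }


def submit_form(request, token):
    """Origin side of a form post: the token must belong to the cookie's session."""
    user = SESSIONS.get(request.get("cookie"))
    if user is None or token != form_token(user):
        return "Invalid form token. Please reload this form and submit again."
    return f"ok:{user}"


class EdgeCache:
    """Toy shared cache in front of the origin.

    honor_headers=False models a misconfigured cache that keys on the URL alone
    and ignores Cache-Control/Vary; True models a correctly configured one.
    """

    def __init__(self, honor_headers):
        self.honor_headers = honor_headers
        self.store = {}  # url -> (cookie the entry is bound to, or None, response)
        self.hits = 0

    def fetch(self, request):
        url = request["url"]
        cookie = request.get("cookie")
        entry = self.store.get(url)
        if entry is not None:
            bound_cookie, resp = entry
            if bound_cookie is None or bound_cookie == cookie:
                self.hits += 1
                return resp
        resp = origin(request)
        if self.honor_headers:
            cache_control = resp["headers"].get("Cache-Control", "")
            if "private" in cache_control or "no-store" in cache_control:
                return resp  # never store per-user pages in the shared cache
            vary = resp["headers"].get("Vary", "")
            bound = cookie if "Cookie" in vary else None
        else:
            bound = None  # URL-only key: the misconfiguration
        self.store[url] = (bound, resp)
        return resp


def demo(honor_headers):
    """Alice loads her favorites, then Bob and an anonymous visitor load the same URL."""
    cache = EdgeCache(honor_headers)
    alice_page = cache.fetch({"url": "/user/favorites", "cookie": "sess-a"})
    bob_page = cache.fetch({"url": "/user/favorites", "cookie": "sess-b"})
    anon_page = cache.fetch({"url": "/user/favorites"})
    # Bob submits the form token from the page he was actually shown.
    post_result = submit_form({"cookie": "sess-b"}, bob_page["token"])
    return {
        "seen_as": [alice_page["user"], bob_page["user"], anon_page["user"]],
        "post_result": post_result,
    }


if __name__ == "__main__":
    print("URL-only cache key:   ", demo(honor_headers=False))
    print("Cache-Control honored:", demo(honor_headers=True))
```

With the URL-only key, Bob and the anonymous visitor both receive Alice's page, and Bob's form post fails with the token error because the token he was shown belongs to Alice's session. When the cache honours the headers, each request gets its own page and the post succeeds. A practical check against a live site is to request a logged-in page twice from two clean sessions and confirm that the second response carries Cache-Control: private or no-store and does not contain the first user's name.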