Serious security Problem (getting logged-in to the wrong account)

Posted: Wed Aug 14, 2019 12:15 am
by trillian59
Hi, this happened for the 2nd time to me today, so I think it is a major problem.

I log in normally, hit the button "keep me logged in for 2 weeks".
I call the board with a direct link to my "favorites" pages.

This works normally, but sometimes, like today, I get the favs (and of course the whole session) of somebody else like "BRIANCOX" or so.

I could then act as if I were that user, doing everything I like.

I guess the stored credentials of the local cookie become invalid (reboot of the server, maybe?) and accidentally contain some data that is valid in the current environment. Maybe the session IDs are not random enough?

Anyway, of course, I cannot reproduce this at will, but it already happened twice, so we can eliminate that this was just an accident or a user problem.

Re: Serious security Problem (getting logged-in to the wrong account)

Posted: Wed Aug 14, 2019 12:34 pm
by szsori
Are you logged into www.thetvdb.com or beta.thetvdb.com?

Re: Serious security Problem (getting logged-in to the wrong account)

Posted: Wed Aug 14, 2019 1:36 pm
by bluesquirrel
Maybe a somewhat related issue. On the v2 site, I can be both logged in and logged out at the same time.

If I go to the main site... https://www.thetvdb.com/ then I land on the page as logged out. If I browse, search etc., I remain logged out.

If I use my Favourites bookmark, I land on the page as logged in. I can browse, search etc. and I remain logged in.

I can open the two pages in separate tabs of the same browser and my Favourites page remains logged in, but the tab with main site remains as logged out and they remain that way after browsing in each of the two tabs.

Re: Serious security Problem (getting logged-in to the wrong account)

Posted: Wed Aug 14, 2019 2:46 pm
by szsori
www and non-www? The v2 site has various issues, which is why we're launching the v3 site (which this forum is specific to).

Re: Serious security Problem (getting logged-in to the wrong account)

Posted: Thu Aug 15, 2019 11:26 am
by trillian59
I am still on V2 (was on V3 for a few days, but it's a bit awkward to do things twice to make them permanent, so I returned for now).

Re: Serious security Problem (getting logged-in to the wrong account)

Posted: Tue Aug 27, 2019 8:18 pm
by AnyColour
I came here and registered to report the same odd issue. I have never had an account, but upon visiting the site I noticed an account logged in. I can't actually access the settings or favorites, but I thought I should at least let you know. Happens in an incognito window, as well as a different browser. Also, I made an account to log in myself, and I can't access my own pages; I get the same errors that I did when the mystery account was logged in.


Re: Serious security Problem (getting logged-in to the wrong account)

Posted: Sun Oct 20, 2019 8:41 am
by spongerob
Just noticed this myself - visited url thetvdb.com and it's showing me logged in as somebody else. Incognito mode is exactly the same - I'm guessing it's a caching issue on the site's end? It's a bit worrying.
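The reports above (another user's session visible with no cookies at all, in incognito mode and a fresh browser) fit one specific failure mode: a shared cache in front of the site storing a response that was rendered for a logged-in visitor and replaying it, cookie and all, to everyone who asks for the same URL. A defender checking for that does not need to reproduce the bug; it is enough to look at the response headers of a personalized page. The following script is an added example written for this thread, not code from thetvdb.com or its forum software; the sample responses and the `session=...` cookie name are constructed for illustration, and the rules it applies are the standard HTTP caching ones (a shared cache may not store `private` or `no-store` responses; `Set-Cookie` on a storable response is replayed; without `Vary: Cookie` the cache key ignores who asked).

```python
"""Flag HTTP responses that a shared cache (CDN, reverse proxy) could serve to
the wrong user. Added example for a session-mixup bug report; not the site's code."""

from typing import Dict, List, Set

# Constructed sample response heads (not captured from any real site).
SAMPLES = {
    # Personalized page sent with public freshness and a session cookie:
    # a shared cache may store it and hand it, cookie included, to other clients.
    "favorites_weak": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Set-Cookie: session=constructed-example-value; Path=/; HttpOnly\r\n"
        "Cache-Control: public, max-age=600\r\n"
        "\r\n"
        "<html>...favorites of one user...</html>"
    ),
    # Same page, correctly marked so that only the browser may keep it.
    "favorites_hardened": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Set-Cookie: session=constructed-example-value; Path=/; HttpOnly\r\n"
        "Cache-Control: private, no-store\r\n"
        "Vary: Cookie\r\n"
        "\r\n"
    ),
    # Anonymous listing with no cookie: fine for a shared cache to store.
    "public_listing": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Cache-Control: public, max-age=600\r\n"
        "\r\n"
    ),
}


def parse_response(raw: str) -> Dict[str, List[str]]:
    """Split a raw HTTP/1.1 response head into {lower-case name: [values]}.
    Repeated headers (several Set-Cookie lines, say) are kept as a list."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cache_control_directives(headers: Dict[str, List[str]]) -> Set[str]:
    """Return the directive names from all Cache-Control headers ('max-age=600' -> 'max-age')."""
    directives: Set[str] = set()
    for value in headers.get("cache-control", []):
        for token in value.split(","):
            token = token.strip().lower()
            if token:
                directives.add(token.split("=", 1)[0])
    return directives


def shared_cache_findings(headers: Dict[str, List[str]], personalized: bool = True) -> List[str]:
    """List reasons a shared cache could serve this response to the wrong visitor.
    An empty list means the headers keep the response out of shared caches (or it
    is genuinely anonymous content that may be shared)."""
    findings: List[str] = []
    cc = cache_control_directives(headers)
    if "no-store" in cc or "private" in cc:
        return findings  # shared caches must not store this response at all
    if headers.get("set-cookie"):
        findings.append("Set-Cookie on a storable response: a cached copy would replay "
                        "the same session cookie to other clients")
    if not personalized:
        return findings  # anonymous content without cookies is safe to share
    findings.append("per-user content lacks Cache-Control: private or no-store, "
                    "so a shared cache may store and serve it to other visitors")
    vary = {v.strip().lower() for value in headers.get("vary", []) for v in value.split(",")}
    if "cookie" not in vary and "*" not in vary:
        findings.append("no Vary: Cookie, so the cache key ignores the session and one "
                        "user's copy matches every request for that URL")
    if "public" in cc or "max-age" in cc or "s-maxage" in cc or "expires" in headers:
        findings.append("explicit freshness (public / max-age / s-maxage / Expires) "
                        "actively invites shared caching of the personalized page")
    return findings


def audit_samples() -> Dict[str, List[str]]:
    """Run the check over the constructed samples; only the listing is anonymous."""
    return {
        name: shared_cache_findings(parse_response(raw), personalized=(name != "public_listing"))
        for name, raw in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

The `favorites_weak` sample trips all four rules; the hardened variant trips none because `private, no-store` ends the check before anything else is considered. Feeding the output of a real `curl -si` of a logged-in page into `parse_response` is the natural way to use this on a site one administers: if a personalized URL comes back with any findings and there is a CDN or proxy in front of it, the symptoms described in this thread are exactly what one should expect.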

Re: Serious security Problem (getting logged-in to the wrong account)

Posted: Mon Nov 04, 2019 2:44 pm
by leethompson
I am getting this too. I'm not sure which site I'm looking at (https://www.thetvdb.com).

1. Logged in as "DANIELLQO" (that's not me).
2. I click logout, then it gives me the login page but says "GERRY HUNTER" at the top.
3. I submit my credentials and I get "Invalid form token. Please reload this form and submit again."
4. Now I'm logged in.