It happened last year but I still wonder to this day. I was looking for coupons for the site Alltrails. I had a free account and wanted to get a Pro account. I randomly opened lots of search results, but I couldn't find a coupon. Upon going back to Alltrails I was surprised to see I was logged in as a different user (some random dude's account) and it was a Pro account. I was happy about it and downloaded the trails I needed then discontinued the use, and left it unchanged.

What could have been going on behind the scenes, how is this even possible?

This also happened another time on a vastly different lesser-known local site. All of a sudden I see myself logged in as someone else (that I don't know).

Are the sessions / their cookies getting messed up? What are the chances...

  • I don't think it is really easy to answer your question without knowing much about the website, there could be a lot of reasons for that kind of behaviour happening. For example, as you said, some form of unintended cookie hijacking. – Kevin Mar 12 '18 at 21:20
  • I certainly didn't intend it. Is it possible to follow a "bad link" that makes me log in as the other user? Could it have been that we received the same cookie ID for whatever reason? Hash collision? This is a nightmare of mine that I accidentally create something that results in these anomalies. – Firsh - justifiedgrid.com Mar 12 '18 at 22:13
  • Yes, that is all possible. You could report this error / behaviour to the website although it will be hard to find out what is causing the issue without more information. – Kevin Mar 12 '18 at 22:44
  • Are you behind a corporate proxy? Or any other proxy? – Marko Vodopija Mar 19 '18 at 08:10
  • I wasn't using any VPN or proxy at the time. – Firsh - justifiedgrid.com Mar 19 '18 at 18:35

1 Answer


Without knowing the website itself and the processes / code behind it, it is hard to pinpoint exactly what caused you to be able to log in as a different user on those websites. There are a lot of possible issues; some are listed below.

  • The website might have a vulnerability that causes some users to receive the same session or cookie ID. When done on purpose, this is called session hijacking or cookie stealing; you can look up exactly how this works.
  • Another possibility is that you followed a URL which was not protected and you ended up as a different user on the website.

As explained in the comments, it is really hard to bug-track or reverse engineer what happened without knowing what might have caused this behaviour. You can report the issue to the website owners to see if they can fix it. You can find the support email address of Alltrails in their terms and conditions, listed here:

https://www.alltrails.com/terms

There are a lot of vulnerabilities that might cause such behaviour, and especially for the lesser-known website I could imagine it not being completely secure (then again, what is).

Kevin
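The two mechanisms the answer lists (colliding session IDs, and a link that carries someone else's session) can both be modelled in a few lines. The following is an added example, not code from the question, the answer, or any of the sites mentioned: a toy cookie-session store with a deliberately small session ID space beside a hardened issuer, plus a request resolver that does and does not honour a `sid` query parameter. The ID widths, the `sid` cookie name, the `example.test` link and the usernames are all assumptions made for illustration.

```python
"""Toy cookie-session store showing two ways a visitor can land in another
user's account: (1) session IDs drawn from a space small enough to collide,
so a fresh cookie silently points an existing session at someone else, and
(2) a server that accepts a session ID from the URL, so following a link that
carries someone else's ID logs the clicker in as them.

Added illustration; not the code of any real site. Every constant and name
below is an assumption chosen for the demo.
"""
import random
import secrets
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

WEAK_ID_BITS = 12      # 4096 possible IDs: pigeonhole guarantees collisions past 4096 logins
STRONG_ID_BYTES = 32   # 256 bits from the OS CSPRNG


class SessionStore:
    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}   # session ID -> username

    def issue_weak(self, username: str, rng: random.Random) -> Tuple[str, Optional[str]]:
        """Naive issuance: a short ID from a non-cryptographic RNG, and a
        colliding ID overwrites the previous owner without anyone noticing.
        Returns (sid, displaced_user): displaced_user's browser still holds
        this cookie and will now be served `username`'s account."""
        sid = format(rng.getrandbits(WEAK_ID_BITS), "03x")
        displaced = self.sessions.get(sid)
        self.sessions[sid] = username
        return sid, displaced

    def issue_strong(self, username: str) -> str:
        """Hardened issuance: 256-bit CSPRNG ID, and an ID that is already
        live is never handed out again (cheap insurance on top of the odds)."""
        while True:
            sid = secrets.token_urlsafe(STRONG_ID_BYTES)
            if sid not in self.sessions:
                self.sessions[sid] = username
                return sid

    def lookup(self, sid: Optional[str]) -> Optional[str]:
        return self.sessions.get(sid) if sid else None


def simulate_logins(n_logins: int, weak: bool, seed: int = 1) -> Tuple[int, List[Tuple[str, str, str]]]:
    """Log in n distinct users and return (live_sessions, collisions), where each
    collision is (sid, displaced_user, new_user): the moment one user's cookie
    started resolving to a different account."""
    store = SessionStore()
    rng = random.Random(seed)   # deterministic so the run is reproducible
    collisions: List[Tuple[str, str, str]] = []
    for i in range(n_logins):
        user = f"user{i:05d}"   # constructed, unique per login
        if weak:
            sid, displaced = store.issue_weak(user, rng)
            if displaced is not None:
                collisions.append((sid, displaced, user))
        else:
            store.issue_strong(user)
    return len(store.sessions), collisions


def resolve_user(store: SessionStore, cookies: Dict[str, str], url: str,
                 accept_sid_in_url: bool) -> Optional[str]:
    """Decide who is making the request. Vulnerable variant (accept_sid_in_url=True):
    a `sid` query parameter beats the cookie, so a shared or leaked link carrying
    another user's ID logs the clicker in as that user. Hardened variant: the
    cookie is the only place a session ID is read from."""
    sid = cookies.get("sid")
    if accept_sid_in_url:
        sid = parse_qs(urlparse(url).query).get("sid", [sid])[0]
    return store.lookup(sid)


def demo_url_borne_session() -> Tuple[Optional[str], Optional[str]]:
    """Constructed scenario: alice's session ID ends up in a link (pasted
    somewhere, or leaked via Referer); bob, logged in as himself, follows it.
    Returns (who the vulnerable server thinks bob is, who the hardened one does)."""
    store = SessionStore()
    alice_sid = store.issue_strong("alice")
    bob_sid = store.issue_strong("bob")
    link = f"https://example.test/trails?sid={alice_sid}"   # hypothetical URL
    bob_cookies = {"sid": bob_sid}
    vulnerable = resolve_user(store, bob_cookies, link, accept_sid_in_url=True)
    hardened = resolve_user(store, bob_cookies, link, accept_sid_in_url=False)
    return vulnerable, hardened


if __name__ == "__main__":
    live, weak_hits = simulate_logins(5000, weak=True)
    print(f"weak issuer: {live} live sessions after 5000 logins, {len(weak_hits)} users displaced")
    print(f"first displacement: {weak_hits[0] if weak_hits else None}")
    live, strong_hits = simulate_logins(5000, weak=False)
    print(f"strong issuer: {live} live sessions after 5000 logins, {len(strong_hits)} users displaced")
    print(f"bob follows alice's link: vulnerable -> {demo_url_borne_session()[0]}, "
          f"hardened -> {demo_url_borne_session()[1]}")
```

Two things worth noticing when running it: with the 12-bit issuer the displacement count is guaranteed to be at least 5000 - 4096 by pigeonhole alone, and in practice far higher, because the symptom appears long before the ID space is exhausted (the birthday bound, roughly the square root of the space, is about 64 logins here); and in the URL scenario bob's own cookie is present and valid, so nothing on his side looks wrong, which matches the "suddenly logged in as a stranger" experience in the question. Real frameworks avoid both problems by issuing session IDs from a CSPRNG and never reading them from query strings.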