7

Two users are using the same web application online. Suddenly, I checked my profile and it showed the data of another user. How is this possible? We are both using the same app at the same time; the app is in the cloud, and we store credentials in browser local storage using the window.localStorage.setItem method. What is causing this critical security issue, and how can it be avoided in the future?

schroeder
galos79241
    Just to confirm: the two users aren't on the same device or same Windows / Microsoft user account, or same Google account in Chrome, or same iCloud account on Safari, or anything like that? In cases like that, it might be that Microsoft/Google/Apple thinks you're the same person (because you share a user account) and synched cookies/localstorage between two people. – CBHacking Nov 02 '21 at 20:25
  • Were you actually able to interact with the site (i.e., perform actions as that user) or just to view information as them? The Steam website had a bug a few years ago that appeared to show you logged in to another user's account, but it was just the caching layer screwing up and returning cached data for other users. – Gh0stFish Nov 02 '21 at 21:34
  • @CBHacking, two different users using different PC and different app versions. – galos79241 Nov 03 '21 at 08:04

1 Answer

26

It's a bug in their web site, and such bugs are fairly common. They're usually something like the result of an incorrectly copied session cookie, a corrupted cache, or other programming bug.

In order, this is how I'd respond:

  1. Log out of the site immediately with the "log out" button. EDIT: If given the option, click "log out on all devices."
  2. If it was an e-commerce site where I have a credit card or actual money involved, I'd report it to the site admins as soon as possible, and watch my account statements for unexplained activity. (I'd report and contest any fraudulent transactions immediately, both to the site and to my credit card company.)
  3. To be extra helpful, I'd include timestamps of when it happened, URLs I visited, and screenshots from when I noticed the incorrect behavior.
  4. If it was not an e-commerce site, I'd probably do nothing, and I'd avoid the site for a while. It's not my problem, so I let the site admins worry about it.

Logging out is important: if you can see someone else's data, it's certainly reasonable to assume someone else can see your data. By logging out, you'll invalidate any cookies associated with your account, hopefully denying access to anyone else who might see your info.

IMPORTANT: Do not attempt to abuse the bug for personal gain. If you try to send yourself free stuff on somebody else's account, copy someone's gift card number and try to spend it, or transfer a balance to your account, that's a straight-up, go-to-jail crime.

You may see professional pen-testers reporting that they found something like this and poked around a bit, and they may seem to push the boundaries. The difference is they know where the legal lines are drawn. They know how to safely gather data and report such info. And they know that any unsanctioned activity comes with some risk; they are legally allowed to attempt such things only when they have a signed contract from the company that says "you have our express permission to try to hack our web site."

John Deters
  • Item 1 is: log out, but item 3 is: include screenshots from before item 1. So does that mean item 0 is: make screenshots and copy the URL? – David Mulder Nov 03 '21 at 08:26
  • Logging out doesn't invalidate all cookies associated with your account. That's what the "log out on all devices" is made for. Try logging in on Facebook or Netflix in an incognito window and click the log out button. You'll see that you are still logged on in your main browser, phone, app, TV, ... – J_rite Nov 03 '21 at 08:59
  • I think it needs to be reported even if it's not an e-commerce site: logging out may not be enough to prevent other people from seeing your data, for example in the case of a conflict of IDs in a database (a bug in a request or in the code processing it). – Kaddath Nov 03 '21 at 09:15
  • @DavidMulder, I listed it as #3 because while I used to do that a lot, I used to care a lot more. I've since grown tired of trying to hunt down a valid admin email address and go to all the work of documenting the issue only to be ignored, or worse, to risk being accused of hacking. I might put in that effort to help a small business or hobby web site, but not a big corporate site. – John Deters Nov 03 '21 at 14:49
  • @Kaddath, I've determined the risk and effort of trying to help someone else debug their web site is no longer worth it unless it also benefits me in some way. With an e-commerce site when I report a bug I'm defending my wallet, identity, and credit cards. But if I report a bug on a non-ecommerce site, they still might accuse me of hacking, and I could end up dealing with a world of crap, hiring a lawyer, etc., all because I was trying to be helpful. For me it's not worth the risk. – John Deters Nov 03 '21 at 16:17
  • @JohnDeters, it's true that it depends on how you value your data/credentials on the app (information that has no monetary value can matter to people); the goal here is not to help someone debug, but to protect your data. It depends on the culture too: this lawyers/trial attitude looks US-centric to me, and most probably wouldn't happen in my country, where the app owners are more likely to have trouble from GDPR because my data is unsafe than I am to be on trial for hacking... – Kaddath Nov 03 '21 at 16:53
  • I'm not sure I'd do #2 unless they have a bug-bounty program for security issues, and thus a good track record of not shooting the messenger. Otherwise the messenger often gets shot... https://arstechnica.com/tech-policy/2021/10/viewing-website-html-code-is-not-illegal-or-hacking-prof-tells-missouri-gov/ – bob Nov 03 '21 at 22:30
  • An incorrectly managed CDN that is caching and serving content that is supposed to be only for a specific logged-on user is definitely one way for this to happen. – Todd Wilcox Nov 04 '21 at 00:49
  • For #2 I'd say also anything that involves PII. – jaskij Nov 04 '21 at 10:29