
Two users are using the same web application online. Suddenly, I checked my profile and it was the data of another user. How is this possible? We are both using the same app at the same time, the app is on the cloud and we store credentials in browser local storage using the window.localStorage.setItem method. What is causing this critical security issue and how to avoid that in the future?

  • 2
    Just to confirm: the two users aren't on the same device or same Windows / Microsoft user account, or same Google account in Chrome, or same iCloud account on Safari, or anything like that? In cases like that, it might be that Microsoft/Google/Apple thinks you're the same person (because you share a user account) and synched cookies/localstorage between two people.
    – CBHacking
    18 hours ago
  • Were you actually able to interact with the site (i.e., perform actions as that user) or just to view information as them? The Steam website had a bug a few years ago that appeared to show you logged in to another user's account, but it was just the caching layer screwing up and returning cached data for other users.
    – Gh0stFish
    17 hours ago
  • @CBHacking, two different users using different PC and different app versions.
    – galos79241
    7 hours ago

It's a bug in their web site, and such bugs are fairly common. They're usually something like the result of an incorrectly copied session cookie, a corrupted cache, or other programming bug.

In order, this is how I'd respond:

  1. Log out of the site immediately with the "log out" button. EDIT: If given the option, click "log out on all devices."
  2. If it was an e-commerce site where I have a credit card or actual money involved, I'd report it to the site admins as soon as possible, and watch my account statements for unexplained activity. (I'd report and contest any fraudulent transactions immediately both to the site and to my credit card company.)
  3. To be extra helpful, I'd include timestamps of when it happened, URLs I visited, and screenshots from when I noticed the incorrect behavior.
  4. If it was not an e-commerce site, I'd probably do nothing, and I'd avoid the site for a while. It's not my problem, so I let the site admins worry about it.

Logging out is important: if you can see someone else's data, it's certainly reasonable to assume someone else can see your data. By logging out, you'll invalidate any cookies associated with your account, hopefully denying access to anyone else who might see your info.

IMPORTANT: Do not attempt to abuse the bug for personal gain. If you try to send yourself free stuff on somebody else's account, copy someone's gift card number and try to spend it, or transfer a balance to your account, that's a straight-up, go-to-jail crime.

You may see professional pen-testers reporting that they found something like this and poked around a bit, and they may seem to push the boundaries. The difference is they know where the legal lines are drawn. They know how to safely gather data and report such info. And they know that any unsanctioned activity comes with some risk; they are legally allowed to attempt such things only when they have a signed contract from the company that says "you have our express permission to try to hack our web site."

  • 4
    I'd upvote this anyway, but the "Important" part deserves an extra upvote.
    10 hours ago
  • Item 1 is: log out, but item 3 is: include screenshots from before item 1. So does that mean item 0 is: make screenshots and copy the URL?
    6 hours ago
  • 1
    logging out doesn't invalidate all cookies associated with your account. That's what the "log out on all devices" is made for. Try logging in on facebook or netflix in an incognito window and click the log out button. You'll see that you are still logged on in your main browser, phone, app, tv, ...
    – Jungkook
    6 hours ago
  • 1
    I think it needs to be reported even if it's not an e-commerce site: logging out may not be enough to prevent other people from seeing your data, for example in the case of a conflict of ids in a database (bug in a request or in the code processing it)
    – Kaddath
    5 hours ago
  • @DavidMulder, I listed it as #3 because while I used to do that a lot, I used to care a lot more. I've since grown tired of trying to hunt down a valid admin email address and go to all the work of documenting the issue only to be ignored, or worse, to risk being accused of hacking. I might put in that effort to help a small business or hobby web site, but not a big corporate site.
    16 mins ago
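Two of the points made above, the "corrupted cache" explanation (the answer and Gh0stFish's Steam anecdote) and the difference between "log out" and "log out on all devices" (Jungkook's comment), are easy to reproduce in a few lines. The following is an added illustration written for this thread, not code from the asker's application or from any of the sites mentioned: a toy in-memory response cache in front of a profile handler, first keyed only by the URL (the bug), then keyed by the authenticated user as well (the fix), plus a server-side session store showing which sessions each kind of logout revokes. All users, tokens and URLs are constructed sample data.

```javascript
// Added example (not the question's application): cross-user cache leakage
// and per-session vs. per-user logout, on constructed sample data.

const users = {
  alice: { email: 'alice@example.test' },
  bob: { email: 'bob@example.test' },
};

// Server-side session store: session cookie value -> user id.
class SessionStore {
  constructor() { this.sessions = new Map(); }
  login(userId, token) { this.sessions.set(token, userId); }
  userFor(token) { return this.sessions.get(token) ?? null; }
  // Plain "log out": only the calling browser's session is revoked.
  logout(token) { this.sessions.delete(token); }
  // "Log out on all devices": revoke every session that belongs to the user.
  logoutEverywhere(userId) {
    for (const [token, uid] of [...this.sessions]) {
      if (uid === userId) this.sessions.delete(token);
    }
  }
}

function renderProfile(userId) {
  return `profile of ${users[userId].email}`;
}

// Request handler with a pluggable cache-key function so the buggy and the
// fixed variant differ only in how the cache is keyed.
function makeServer(store, cacheKeyFor) {
  const cache = new Map();
  return function handle(token, url) {
    const uid = store.userFor(token);
    if (uid === null) return { status: 401, body: null, cached: false };
    const key = cacheKeyFor(uid, url);
    if (cache.has(key)) return { status: 200, body: cache.get(key), cached: true };
    const body = renderProfile(uid);
    cache.set(key, body);
    return { status: 200, body, cached: false };
  };
}

// The bug: key by URL alone, so the first user's rendering is served to everyone.
const buggyKey = (_uid, url) => url;
// The fix: a personalised response is keyed by the authenticated identity too.
const fixedKey = (uid, url) => `${uid}\u0000${url}`;

function demoCacheLeak() {
  const store = new SessionStore();
  store.login('alice', 'tok-alice');
  store.login('bob', 'tok-bob');
  const buggy = makeServer(store, buggyKey);
  const fixed = makeServer(store, fixedKey);

  const aliceBuggy = buggy('tok-alice', '/profile').body;
  const bobBuggy = buggy('tok-bob', '/profile').body;    // Bob sees Alice's profile
  const aliceFixed = fixed('tok-alice', '/profile').body;
  const bobFixed = fixed('tok-bob', '/profile').body;    // Bob sees his own
  return { aliceBuggy, bobBuggy, aliceFixed, bobFixed };
}

function demoLogout() {
  const store = new SessionStore();
  store.login('alice', 'tok-laptop');
  store.login('alice', 'tok-phone');
  store.logout('tok-laptop');                              // only the laptop session goes
  const phoneAfterLogout = store.userFor('tok-phone');     // still 'alice'
  store.logoutEverywhere('alice');                         // every session of alice goes
  const phoneAfterLogoutEverywhere = store.userFor('tok-phone'); // null
  return { phoneAfterLogout, phoneAfterLogoutEverywhere };
}

console.log(demoCacheLeak());
console.log(demoLogout());
```

The same mistake happens at the CDN or reverse-proxy layer rather than in application code: a shared cache that stores responses to `/profile` without `Cache-Control: private` (or without varying on the session cookie) behaves exactly like `buggyKey`. The defensive rule is that any response rendered for an authenticated user is either not cached by shared caches at all or is keyed by the identity it was rendered for, and that "log out everywhere" must revoke sessions server-side, as `logoutEverywhere` does, rather than only clearing the current browser's cookie or localStorage.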
