Somehow I was logged into Puppy forum as the wrong user. Security Breach?

[amethyst]

This morning I discovered I was logged in as user ljlj. Was able to log out of that account and log into the correct account.

[bigpup]

Could you provide a little more details?
Specific Puppy version?
Normal boot Login that should have been as root?
Anything you may have done or program you added, just before this happened?

[amethyst]

I did nothing. I was logged in as the mentioned poster when I visited the forum page. Actually, one thing that I did notice was that the name of the logged in user was in black (at the top of the page anyhow), my user name is in blue when logged in.

[amethyst]

So what happened here?

[puppy_apprentice]

Maybe unintentional Session hijacking. If you logged from internet cafe user ljlj could used the same computer before you? Maybe yours passwords (and hashes) are similar?

Or ljlj is a hacker and used your home computer and left session cookie in the browser

[bigpup]

Rockedge is going to have to look at this one.

[rockedge]

Wow, we have not experienced that before. I will look into it immediately

EDIT: there is a legitimate user called ljlj with more than 30 posts. I have seen before my login field contain another user name I never typed in appear. The password field did not so the login in did not work, but I found it odd that it was possible.

I am going to purge all current sessions so everyone logged in now will have to login again. I will pursue more information and look for cause and effect.

[amethyst]

I'm able to login and out...and post with different browsers (individually) on the same machine and same service provider in the same session. So you have the situation that I'm logged in with one browser and logged out with another browser at the same time on the same machine during the same current internet connection. I think this should be changed so that only one live connection (login) is allowed per same ip address at a time.

[rockedge]

Okay, after researching this it appears to be a cookie / cache incident. Some details here in this topic and thread explain it. Looks like we are also experiencing a cache over lap

There are two situations where this happens:

Your host sets up a proxy in front of your site. You can tell this by looking at the Who Is Online list and seeing if every user has the same IP (usually the IP of the proxy). The proxy can be their own hardware or something like CloudFlare. The host needs to configure the proxy or web server to correctly reset the client IP header.
Your host sets up caching on the server. This can be harder to spot if the debugging information isn't made available in the response headers. The host needs to configure the proxy to not cache user sessions. This is usually application specific, which is why you can't just roll out a cache without tuning it to your customers' needs.

From the response headers on your site, I see that your host is using nginx's caching mechanism: x-nginx-cache-status: MISS
If it hasn't been tuned at all, they're probably caching logged-in user sessions, which they should not do. We run Varnish on this site, but we don't cache the response to a request which contained cookies to avoid that kind of problem.

We are using Cloudflare for caching and internal caching through phpBB.

[amethyst]

But the total new user login happens once in a blue moon. It's more like a once off (because I frequently frequent the site wih differentt browsers during the session)...and why was the avatar name in black?

[puppy_apprentice]

Amethyst are you using Opera mini? Because ljlj is using too. And all queries go to Opera servers (man in the middle). Maybe Opera servers are storing cookies/sessions/cache to long and send your and ljlj queries to Cloudflare (and for Cloudflare they looks the same?). This could be your problem.

[Flash]

I'm surprised that you can log into the forum from multiple browsers at the same time. It's possible to simultaneously log into Gmail from several computers even. It seems like a security flaw.

[puppy_apprentice]

His problem is that he saw in the top-right corner:

Code: Select all

User: ljlj

not

Code: Select all

User: amethyst

I'm surprised that you can log into the forum from multiple browsers at the same time. It's possible to simultaneously log into Gmail from several computers even. It seems like a security flaw.

It is possible.
eg. in FB:

Facebook enables you to log in to your account from your computer and your phoneat the same time, or from two computers at once, or from a computer and a tablet. There's no limit on the number of logins you can have using the same account credentials.

and:

In order to log into multiple Facebook accounts without conflicting the cookies, you need to login separately using different browsers. Look for a second browser on your computer and open it. This should be a different one from the one you opened earlier. Log into another Facebook account.

BTW. Even in Linux you could do that:

Linux/Unix operating systems have the ability to multitask in a manner similar to other operating systems. However, Linux's major difference from other operating systems is its ability to have multiple users. Linux was designed to allow more than one user to have access to the system at the same time.

Edit: When I was testing a virtual machine with Linux myself, I logged in at the same time using VNC, along with another tester. We wrote to each other in OpenOffice

So it is a feature. Linus isn't dumb (or maybe it was wrong configured Ubuntu virtual machine?)

I think that it is Opera mini servers problem. Or other servers that cache sessions to long.

[rockedge]

Amethyst are you using Opera mini? Because ljlj is using too. And all queries go to Opera servers (man in the middle). Maybe Opera servers are storing cookies/sessions/cache to long and send your and ljlj queries to Cloudflare (and for Cloudflare they looks the same?). This could be your problem.

I believe this could be what is happening. Will happen rarely to me with when using Chromium although other user names would autofill in the user form field, it wouldn't login using those user names. Strange I found was that they would autofill when I never typed them myself.

A cache overlap and session collision.

[amethyst]

I use Opera Mini. Palemoon and Firefox. This scenario happened when running Palemoon. No other browsers were accessing the forum. I switched on the machine, accessed the forum and there I was logged in as another user. So not an Opera Mini issue. I still think the best solution is to only allow one live login at a time. In other words if you are already logged in with one browser on the same machine you should not be able to login with another browser (although ths will probably not have any effect on what happend here but it's an extra safety measure) or maybe forced logout when leaving the forum.

[puppy_apprentice]

I never leave any service without logging out and I never use the Remember me option. Each of my browsers deletes all garbage (cookies, cache etc.) when exiting. And on the our forum i'm using option Delete cookies from bottom right corner.

Many people have similar problems.
https://www.giantbomb.com/forums/bug-re ... r-1483055/
Maybe because they use mobile devices to log in (maybe Apple and Google are proxying queries too and store users sessions to long?)

https://wordpress.org/support/topic/use ... logged-in/

[8Geee]

I will remind all of two important configs I have.

1.) Clear all input/cache/cookies etc upon browser close (FF and clones have this)
2.) in the browser DISABLE all 'auto' settings, like auto-complete and auto-fill, etc., the phrase look-ahead should also be included.

Another reminder that an UNCONFIGURED brower lacks security/privacy. One needs to tweak it.

Regards
8Geee