Security Issue? Accidental User Impersonation

First, thanks for this service, I highly appreciate it and I hope all the issues can be resolved because then it will save me some tedious manual crossposting.

I signed up yesterday and am (still) not allowed to post via the web app, as it tells me I have to enter my payment information, which I did multiple times.

Anyway, I downloaded the Android mobile app via the Play Store and signed in with my(!) email and magic link, with the idea of solving the issue of not being allowed to post. After logging in I saw that the profile image was not me but someone else (@danielpunkass). I had a look into the settings, which had my username, so I thought it was just a caching glitch for the profile picture.

It turned out that the app had logged me into the account of @danielpunkass where I had full privileges and could post and delete posts, change the settings and whatnot.

I deleted the app cache and app data, but the second login was again not mine but again @danielpunkass. The next day I signed out from within the app without deleting app data and cache (as suggested by @rossk), and finally I was in my own account.

So, I guess this is some kind of bug which should get high priority IMO (@help), because having someone else with full privileges in my account with connected networks and payment information is kind of a serious issue IMO. (BTW: I didn’t change/delete anything besides posting two messages because I thought it was my account.)

It turns out I wasn’t the only one; @rossk reported he was experiencing getting logged into a random account last week as well.

Some screenshots of the weird behaviour:



Anyone else experiencing this?

I am a web developer myself; if I can help with further information to get this bug fixed quickly, let me know and I’ll try to help.

Thanks!

1 Like

Sorry about this. I’m aware of the issue and have contacted Daniel in addition to resetting the tokens for his account. I don’t believe this happens to random users but actually only Daniel’s account.

My best guess at the moment is that something strange happened because he had one of the original Micro.blog accounts with some occasional old data, combined with a recent change we made to encrypted tokens to (ironically) improve our security.

If you sign out of the Android app, the problem should go away. If anyone else sees similar issues going forward, please let me know. I’m continuing to monitor things.

1 Like

Thank you for the quick reply and the investigation.

I am just spitballing, but maybe some ID collisions on the random magic email login tokens? Maybe a workaround could be to check not only the magic email token on login but also the email address, and if the emails do not match (even if the token does), throw an error?
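The check suggested in this reply, written out as an added illustration that is not part of the thread and is not Micro.blog's code: a magic-link token is stored together with the email it was issued for, a token value is never re-bound to a second account, and redeeming it requires both the token and a matching email. The token format, store layout, expiry window and the sample emails/user IDs are all assumptions made for the example.

```python
"""Magic-link redemption bound to the requesting email (added example).

Assumptions (not from the thread): tokens are opaque strings, the store is an
in-memory dict keyed by the SHA-256 of the token, links expire after a TTL and
are single-use. Emails and user IDs below are constructed sample values.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class MagicLink:
    email: str          # account the link was issued for
    user_id: int
    expires_at: float
    used: bool = False


class MagicLinkStore:
    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._links = {}    # sha256(token) -> MagicLink

    @staticmethod
    def _key(token):
        # Only a hash of the token is stored, so a leaked table cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email, user_id, token=None, now=None):
        """Bind a fresh token to exactly one (email, user_id) pair."""
        token = token or secrets.token_urlsafe(32)
        key = self._key(token)
        if key in self._links:
            # A colliding token value must never be re-bound to another account;
            # overwriting here is what would let one user land in another's session.
            raise ValueError("token collision; refusing to issue")
        issued_at = now if now is not None else time.time()
        self._links[key] = MagicLink(email, user_id, issued_at + self.ttl)
        return token

    def redeem_token_only(self, token):
        """Weak variant: whoever presents the token becomes whatever account it maps to."""
        link = self._links.get(self._key(token))
        return link.user_id if link else None

    def redeem(self, token, email, now=None):
        """Hardened variant: token must exist, be unused, unexpired and match the email."""
        link = self._links.get(self._key(token))
        if link is None or link.used:
            return None
        current = now if now is not None else time.time()
        if current > link.expires_at:
            return None
        # Constant-time comparison of the normalised addresses.
        bound = link.email.strip().lower().encode()
        presented = email.strip().lower().encode()
        if not hmac.compare_digest(bound, presented):
            return None
        link.used = True    # single-use: a replayed link is rejected
        return link.user_id


if __name__ == "__main__":
    store = MagicLinkStore()
    tok = store.issue("daniel@example.com", 1, token="tok-A", now=1000.0)
    print("token only ->", store.redeem_token_only(tok))                     # 1, for anyone
    print("wrong email ->", store.redeem(tok, "alice@example.com", now=1100.0))  # None
    print("right email ->", store.redeem(tok, "daniel@example.com", now=1100.0))  # 1
    print("replay ->", store.redeem(tok, "daniel@example.com", now=1100.0))       # None
```

The `redeem_token_only` method is kept beside `redeem` only to show the difference: with the token alone, any client that ends up holding someone else's token is logged into that account, whereas the bound check fails closed when the email the client signed in with does not match the one the link was issued for.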

Seeing this come back up, I was inspired to test something.

I went into micro.blog, deleted all of my app tokens again, went back to the token screen, and there were two tokens I didn’t create: for micro.blog iOS and Marsedit (I use neither app).

So, I did it again and recorded my screen this time. Deleted the tokens, and these came back. I have a hunch about whose account I’d be in if I used one of these tokens…

After this, I logged back in to the Android app, and this time I’m Jean!

1 Like

Yikes, I think I see what is happening now. I’m deploying a fix.

Thanks everyone. Let me know if this happens again! I think the root issue is fixed, and it doesn’t appear that I can reproduce it anymore.

2 Likes