Logging in as another user - Security Issue



  • Two users are using the same web application online. Suddenly, I checked my profile and it showed the data of another user. How is this possible? We are both using the same app at the same time; the app is in the cloud, and we store credentials in browser local storage using the window.localStorage.setItem method. What is causing this critical security issue, and how can it be avoided in the future?



  • It's a bug in their web site, and such bugs are fairly common. They're usually something like the result of an incorrectly copied session cookie, a corrupted cache, or other programming bug.

    In order, this is how I'd respond:

    1. Log out of the site immediately with the "log out" button. EDIT: If given the option, click "log out on all devices."
    2. If it was an e-commerce site where I have a credit card or actual money involved, I'd report it to the site admins as soon as possible, and watch my account statements for unexplained activity. (I'd report and contest any fraudulent transactions immediately, both to the site and to my credit card company.)
    3. To be extra helpful, I'd include timestamps of when it happened, URLs I visited, and screenshots from when I noticed the incorrect behavior.
    4. If it was not an e-commerce site, I'd probably do nothing, and I'd avoid the site for a while. It's not my problem, so I let the site admins worry about it.

    Logging out is important: if you can see someone else's data, it's certainly reasonable to assume someone else can see your data. By logging out, you'll invalidate any cookies associated with your account, hopefully denying access to anyone else who might see your info.

    IMPORTANT: Do not attempt to abuse the bug for personal gain. If you try to send yourself free stuff on somebody else's account, copy someone's gift card number and try to spend it, or transfer a balance to your account, that's a straight-up, go-to-jail crime.

    You may see professional pen-testers reporting that they found something like this and poked around a bit, and they may seem to push the boundaries. The difference is they know where the legal lines are drawn. They know how to safely gather data and report such info. And they know that any unsanctioned activity comes with some risk; they are legally allowed to attempt such things only when they have a signed contract from the company that says "you have our express permission to try to hack our web site."
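Added example, not part of the question or the answer above: localStorage lives in each user's own browser profile and cannot be read by another person's browser, so when two people on different machines see each other's profile the mix-up is happening on the server or in a cache in front of it, which is the "incorrectly copied session cookie / corrupted cache" class the answer describes. The simulation below shows one common instance of that class, a response cache keyed on the URL alone, next to the fixed version that keys on the session and marks the response private. All names (users, session ids, handleRequest) and the in-memory "server" are constructed for illustration; they are not the site from the question.

```javascript
// Added example (not from the original post): a server-side response cache
// that is keyed on the URL alone serves one user's profile to another.
// Everything is simulated in-process: the sessions and users are constructed
// sample data, and handleRequest() stands in for an HTTP request handler.

const users = {
  'sess-alice': { id: 1, name: 'Alice', email: 'alice@example.com' },
  'sess-bob':   { id: 2, name: 'Bob',   email: 'bob@example.com' },
};

// Simulated expensive lookup (e.g. a database query) that the cache is meant to avoid.
function loadProfile(sessionId) {
  const user = users[sessionId];
  if (!user) throw new Error('invalid session');
  return { name: user.name, email: user.email };
}

// VULNERABLE: the cache key is only the path. The first user to request
// /profile populates the entry, and every later user receives that same body,
// regardless of which session cookie they sent.
function makeVulnerableServer() {
  const cache = new Map();
  return function handleRequest(req) {
    const key = req.path;
    if (!cache.has(key)) {
      cache.set(key, { status: 200, body: loadProfile(req.cookies.session) });
    }
    return cache.get(key);
  };
}

// FIXED: per-user data is cached under a key that includes the session (or the
// user id resolved from it), and the response carries Cache-Control: private,
// no-store so that no shared cache (CDN, reverse proxy) re-serves it to anyone else.
function makeFixedServer() {
  const cache = new Map();
  return function handleRequest(req) {
    const sessionId = req.cookies.session;
    const key = `${req.path}|${sessionId}`;
    if (!cache.has(key)) {
      cache.set(key, {
        status: 200,
        headers: { 'Cache-Control': 'private, no-store' },
        body: loadProfile(sessionId),
      });
    }
    return cache.get(key);
  };
}

// Replay the scenario from the question: Alice loads her profile first, then
// Bob loads his from a different browser while Alice's response is still cached.
function runScenario(makeServer) {
  const handle = makeServer();
  const alice = handle({ path: '/profile', cookies: { session: 'sess-alice' } });
  const bob   = handle({ path: '/profile', cookies: { session: 'sess-bob' } });
  return { aliceSees: alice.body.name, bobSees: bob.body.name };
}

console.log('vulnerable:', runScenario(makeVulnerableServer)); // bobSees: 'Alice'
console.log('fixed:     ', runScenario(makeFixedServer));      // bobSees: 'Bob'
```

The same failure shows up whenever per-user state is held in something shared across requests (a module-level "current user" variable, a cache in a CDN that ignores the Cookie header, a session id copied into the wrong response), so the check a practitioner runs is the one in runScenario: two distinct sessions, same URL, and the second response must belong to the second session. Separately, credentials should not be kept in localStorage at all; a session token in an HttpOnly cookie is not readable by page scripts and is what "log out on all devices" actually revokes.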



