Security breach disclosure: Members logged in as other members

Discussion in 'Site Information, Help, and Feedback' started by Amin Sabet, Dec 22, 2016.

  1. Amin Sabet

    Amin Sabet Administrator

    795
    Jan 31, 2013
    Boston, MA (USA)
    Earlier today, I was trying to set up fastcgi caching for guest visitors to see pages more quickly.

    See: XenForo Forum with Nginx fastcgi_cache full page guest caching

    Somehow that resulted in some members here at FujiXspot and also at another site (TalkEmount) being briefly logged in as other members. There was at least one case of a member posting accidentally under someone else's account.

    It is possible that some members could have read someone else's PMs and/or viewed their email addresses and birthdates. They would not have been able to access passwords.

    The situation was fixed within about an hour after it was reported.
     
  2. Mike G

    Mike G FujiXspot Top Veteran Subscribing Member

    625
    Oct 7, 2016
    London
    Mike Gorman
    Amin, indeed it took a couple of minutes to realise I wasn't who I thought I was. :blush:
     
  3. spinyman

    spinyman FujiXspot Veteran

    215
    Feb 13, 2013
    Valley Center,CA.
    Someone is still posting under my name.
     
  4. Amin Sabet

    Amin Sabet Administrator

    795
    Jan 31, 2013
    Boston, MA (USA)
    At first I thought this was unrelated to the changes I made, but now I'm not so sure. I have reverted all changes now. Please change your password just in case!
     
  5. Amin Sabet

    Amin Sabet Administrator

    795
    Jan 31, 2013
    Boston, MA (USA)
    @spinyman - After further investigation, I think that @Haswell must have accidentally posted under your account. The reason I say this is that Haswell is the only one who previously used the IP address that was used to post about going vegetarian under your account.

    I think what happened is that Haswell must have gotten logged in as you when I made the changes mentioned in the OP of this thread and then must have stayed logged in since that time. I've now forced everyone to re-login, which I think will prevent this sort of thing from happening again. Very sorry this happened to you.
     
  6. Haswell

    Haswell FujiXspot Regular

    73
    Oct 20, 2016
    Paul
    Blimey, sorry to have caused so much bother!
     
  7. Amin Sabet

    Amin Sabet Administrator

    795
    Jan 31, 2013
    Boston, MA (USA)
    It's my fault. Should be all fixed now!