
Wrong user logged in. Security issue.

I am currently setting up vanilla and using it as a test bed before I put it into a production site. I set up integration with twitter, facebook, etc... and I am guessing this is where I messed up.

Everything was working fine until a new user went to the forum address, never having registered before, and was automatically logged into my twitter created user account. He was able to make a post and use the account without ever logging in. I told him to stay on the page, and I logged into the account myself, which killed his session and forced him off it. However, I am concerned the issue might still exist in the future, or open up access to other accounts with mod/admin privs.

The only thing I can think of that might have caused it is I was using the same twitter ID APP codes for both vanilla and wordpress. Although on wordpress I am not using single login, just publisher access. I also had the settings on read, write, and direct access. Did I cause this by not creating a separate app/id, or is this some other issue that may come up when I put the site into production?

I read an old post from April with a user having a similar experience. He said it was caused on his end by some caching his company did on their network, and shared IPs. However, our IPs are completely different, and I'm using Bluehost as my test bed before I move it to a production server. Is this a known issue with Bluehost?

Any help from you experts would be greatly appreciated. I'm new to using vanilla, but love everything I'm seeing so far.



Happened again. This time with a brand new user that has never logged into the site. They went to the site and were automatically logged in as an admin account. It sounds like my cookies are messed up, but I checked all the settings and they appear okay. I'll give my link out upon request, but don't want to post it publicly because of the obvious security vuln.

This is 2.0.18 with all of the social integration options set up and jsconnect. I've disabled jsconnect and it might still be doing it, but I was unable to 100% confirm. So I am really confused what might be the issue. Any hints that might help me track it down would be great!
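The earlier post the poster refers to blamed a shared network cache, and that is the first thing worth ruling out when a brand-new visitor lands in someone else's session: a proxy or CDN that stores a response carrying `Set-Cookie`, or a page rendered for a logged-in user without `Cache-Control: private` / `no-store`, can replay that response to the next visitor. The following is an added diagnostic example, not code from the thread or from Vanilla; it checks a response's headers for exactly that condition. The sample responses and the `Vanilla=...` cookie name are constructed placeholders, and the `authenticated` flag is a hypothetical parameter meaning "this response was produced for a request that already carried a session cookie".

```python
"""Added example: flag HTTP responses carrying per-user state that a shared
cache (proxy, CDN, corporate gateway) would be allowed to store and replay."""
from typing import List, Tuple

Header = Tuple[str, str]


def _directives(value: str) -> set:
    """Parse 'private, max-age=600' into the set {'private', 'max-age'}."""
    return {part.strip().split("=", 1)[0].lower()
            for part in value.split(",") if part.strip()}


def shared_cache_findings(headers: List[Header], authenticated: bool = False) -> List[str]:
    """Return reasons why this response could hand one user's session to another.

    headers:       response headers as (name, value) pairs.
    authenticated: hypothetical flag: True if the request that produced the
                   response carried a session cookie, so the body is per-user.
    """
    names = [n.lower() for n, _ in headers]
    cache_control = ", ".join(v for n, v in headers if n.lower() == "cache-control")
    cc = _directives(cache_control)
    vary = {v.strip().lower() for n, val in headers
            if n.lower() == "vary" for v in val.split(",") if v.strip()}
    sets_cookie = "set-cookie" in names
    uncacheable = bool(cc & {"no-store", "private"})

    findings = []
    if sets_cookie and not uncacheable:
        findings.append("Set-Cookie present but Cache-Control lacks 'private' or "
                        "'no-store': a shared cache may store the cookie and "
                        "serve it to the next visitor")
    if (sets_cookie or authenticated) and (cc & {"public", "s-maxage"}):
        findings.append("Cache-Control explicitly permits shared caching "
                        "('public'/'s-maxage') of a per-user response")
    if authenticated and not uncacheable and "cookie" not in vary and "*" not in vary:
        findings.append("Per-user page is cacheable without 'Vary: Cookie': one "
                        "user's rendered page can be served to another")
    return findings


def is_safe_for_shared_caches(headers: List[Header], authenticated: bool = False) -> bool:
    """True when no shared-cache session-leak condition was found."""
    return not shared_cache_findings(headers, authenticated)


# Constructed sample responses (not captured from any real site); the cookie
# name and token are placeholders.
LEAKY_LOGIN_RESPONSE: List[Header] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "Vanilla=EXAMPLE_SESSION_TOKEN; Path=/; HttpOnly"),
    ("Cache-Control", "max-age=600"),          # storable by any cache
]
HARDENED_LOGIN_RESPONSE: List[Header] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "Vanilla=EXAMPLE_SESSION_TOKEN; Path=/; HttpOnly; Secure"),
    ("Cache-Control", "private, no-store"),    # never stored by a shared cache
    ("Vary", "Cookie"),
]

if __name__ == "__main__":
    for label, hdrs in (("leaky", LEAKY_LOGIN_RESPONSE), ("hardened", HARDENED_LOGIN_RESPONSE)):
        print(label, "->", shared_cache_findings(hdrs, authenticated=True) or "no findings")
```

To run it against a real deployment, capture the response headers of the login page and of a page fetched with an existing session cookie (for example from the browser's network panel) and feed them in as `(name, value)` pairs; any finding means an intermediary that honours standard caching rules could serve that response to a different visitor, which matches the symptom described in the thread. A clean result does not clear the other suspects the poster names (shared app credentials, jsconnect), it only removes the caching explanation.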
