
Hey, That’s Not MY User Name! Possible Etsy Account Info Security Concerns??

[JULY 22 UPDATE: two more Etsy users report they see other users’ convos]

Have you ever logged into your Etsy account only to see yourself in someone else’s account? Some Etsy users have reported seeing this.

On July 2, Facade compiled some of the threads in which different Etsy users reported similar experiences of apparently accessing other Etsy users’ pages, including convos and the billing page. These posts date back as far as Feb or Mar 2007. To simplify viewing, I’ve posted Facade’s original post in the thread beneath Chris’ response, copied below, which came 8 days later (he also locked the thread):

RevolvingDork says:
The only way this phenomenon has occurred is when a user’s cookies are read improperly or multiple users are logging into the same machine. When it does occur, it is not possible to see any private data or alter any part of another user’s account. It is just the username at the top of the page that is shown incorrectly.

If you experience this issue, be sure to do the following:

1. Deactivate any web accelerator programs you have running
2. Click Etsy’s logout button
3. Clear your browser’s cookies
4. Restart your computer
5. Log back into Etsy

If you follow these steps, your login should work normally.
Posted at 3:04 am, July 11 2007 EST

(bolding added by editor)

The bolded part disturbs me a bit - what exactly does “when a user’s cookies are read improperly” mean? User #1’s cookies can be read as those for user #2 - on a different computer, possibly in different state or even a different country?

Had the thread not been locked, people could’ve asked Chris to clarify his statement.

EDIT July 11: Click here to post about Chris’ post above or about other concerns on this issue.
___________________________________

Facade’s original post:

facade says:
What’s up with that bug that puts people inside the wrong Etsy account?

I’ve seen mention of it scattered all over the place, and eclipse rounded up a few more. I think the problem’s falling through the cracks because people have posted in threads that dealt with unrelated bugs. So I’m gathering examples here.

fallinstyle:
Someone else created two treasuries using her userid. She wasn’t logged in at the time. Nobody ever figured out how it happened.
http://www.etsy.com/forums_thread.php?thread_id=5142500

HeatherLynnWhite:
Saw someone else’s convos while logged in to her own account.
(Don’t know if she would have been able to read the convos.)
http://www.etsy.com/forums_thread.php?thread_id=5144215

magicforestcreations:
Ended up in someone else’s shop.
http://www.etsy.com/forums_thread.php?thread_id=5144215&page=2

Taina:
Kept seeing someone else’s convos when trying to check her own.
(Don’t know if she would have been able to read the convos.)
http://www.etsy.com/forums_thread.php?thread_id=5115794

sereneonion:
Ended up in misocat’s account.
(Could access misocat’s Etsy bill. Could *not* edit/delete misocat’s listings, thank goodness.)
http://www.etsy.com/forums_thread.php?thread_id=5054346&page=2

Please, somebody fix this. Even if random people can’t open my convos, they could still read that first line in the summary. I’m especially worried that someone else was apparently able to make treasuries under fallinstyle’s i.d.
Posted at 5:08 pm, July 2 2007 EST

EDIT July 11: Another thread in which melisap reports she appears to be logged into another person’s account - click here to view the thread (Chris locked this one, referring it to Facade’s now locked thread - copied above):

melisap says:
There was a recent thread on this and I thought I would repost because 1- it happened again and 2- I was logged into the same person’s account as I was before. I didn’t go anywhere in her shop, but I did screen print it for ‘proof’. Refreshing the page cleared the problem and brought me back to my page.
It’s scary that this happened on two different computers and that I ended up in the same account. This could be dangerous…
Posted at 5:15 pm, July 10 2007 EST

(editor-added bolding)

melisap clarifies in an ongoing thread:

Both times this happened to me were on two separate computers to which only I have access. A home laptop and a work computer. I was logged into the same person both times, and I have a screenshot of the gal’s store I was logged into . . . .

In addition, it is NOT just the username at the top. I can view her ENTIRE store. The front page has ALL of her listings. I have a screenshot, so please do not say that this is just a username at the top issue . . . .

This account I have never seen before, and it happened on two computers to which only I have access.

EDIT by starrydesigns

Chillionaire says:
Hi all!

I wish I had more information to pass along right now, but I do want to remind everyone that even if for some reason someone gains access to your account, it is impossible for them to view all your billing info. In order to change any billing info, it must all be re-entered and card numbers are not visible to even you.

We hope to have more on this soon, and we will be sure to keep you updated.

—>Lori40
Posted at 2:30 pm, July 11 2007 EST

Another thread locked:

RevolvingDork says:
Shutting this down to prevent panic due to sensationalism — There is no known issue with login security on Etsy. If you are having issues, please bring them up with specifics in a new thread.
Posted at 8:16 pm, July 11 2007 EST

[EDITOR’S NOTE: I will edit this when I have more time and I have had some sleep]

54 Responses to “Hey, That’s Not MY User Name! Possible Etsy Account Info Security Concerns??”


  1. 54
    Unofficial Etsy News » Login issue most likely to affect university, school and work computers Says:

    […] More info in these threads: http://etsynews.com/296/a-fix-in-the-works-for-security-issues/ http://etsynews.com/292/updates-on-viewing-other-user-pages-images-bill-page-errors/
    http://etsynews.com/305/login-issue-most-likely-to-affect-university-school-and-work-computers/
    […]

  2. 53
    JB Says:

    So the more I read about this, it seems that google web accelerator (GWA from now on for brevity’s sake) has had security issues for at least two years. Part of the problem is that it is ignoring some headers it should be honoring. The other half of the problem is that it exposes pre-existing security holes on various websites. So the blame is shared between GWA and the various websites.

    for example:
    I don’t know if it still does this, but in 2005 GWA beta was “pre-fetching” links on web pages. This means if you go to an etsy shop, GWA will pre-load all the items in that shop (the item listing pages), so they would load faster just in case you might click on them. Basically trying to predict your needs before you even know you need it.
    The problem with pre-fetching links is that some links on logged-in user account pages, are for actions like “delete this item”, etc. If the action is coded correctly, GWA would not prefetch that link. If it was coded incorrectly, GWA would pre-fetch it and would delete the item for you, without you ever clicking that link. Just viewing the page the link was on would cause the action to be executed.

    Whose “fault” is this? is it GWA’s fault for pre-fetching, or is it the webpage designer’s fault for not coding the action correctly? IMO the blame there is shared.
    Now that issue was 2 years ago so it might have been resolved and I don’t know if GWA still pre-fetches links. I know that etsy’s “delete” links are coded correctly and have a confirmation page (are you really sure you want to delete this?) so they would not be affected.

    But that pre-fetching issue illustrates how GWA can expose and exploit poor webpage design, which might have gone unnoticed and caused no trouble up until then. From what I can tell, I think that etsy *is* using at least one correct no-cache tag, so apparently GWA is ignoring that command and caching it anyway. The “fault” then might rest on GWA. But you can’t always make other companies fix their sh*t, so you just have to make your own sh*t stronger. If GWA ignores one kind of no-cache header, then throw some other no-cache headers at it and see if those are honored. Do whatever it takes to make your own sh*t secure. Throwing blame around is a waste of time, and etsy will never get all of its users to stop using GWA, so the most practical solution is just to strengthen their own security so that GWA (or other proxy caches) cannot touch it.

  3. 52
    JB Says:

    I’ve just been reading this page
    http://www.mnot.net/cache_docs/
    and comparing the meta tags on etsy vs. yahoo
    yahoo uses the pragma tag which this page says does not work on all caches. Etsy doesn’t use the pragma tag, they use the CACHE-CONTROL tag.
    BUT, yahoo also uses the “expires” tag with a date in the past. I think I mentioned that above on July 11 as one method of blocking caching. This mnot site says it is a good method because almost all caches will honor it. This is also the method my work uses which is how I was familiar with it.
    We definitely don’t want that old expires date on our shops but for our personal pages it could be a good solution, or at least something to try. It’s clear that the no-cache tags etsy is using now are not blocking the google accelerator’s cache.
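    As an added example, not code from this post, from Etsy or from Google, tying together JB’s two comments above: a small check of whether a shared proxy cache (such as the Google Web Accelerator) may hand one user’s stored page to the next user, applying the Cache-Control, Pragma and past-Expires rules JB compares against the mnot.net guide. The header sets are constructed for illustration; note that proxies read the HTTP response headers, not HTML meta tags, so the policy has to be sent in the headers.

```python
"""Check whether a shared proxy cache (such as the Google Web Accelerator
discussed above) may serve a stored copy of an HTTP response to a *different*
user without revalidating it.  Added example; not Etsy's or Google's code.
The header sets at the bottom are constructed, not captured from etsy.com."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Cache-Control directives that stop a shared cache from reusing a response
# for another user without revalidation (RFC 2616 section 14.9).
BLOCKING_DIRECTIVES = {"no-store", "private", "no-cache"}

def shared_cache_may_reuse(headers, now):
    """Return (may_reuse, reasons); reasons lists every header that blocks reuse."""
    h = {k.lower(): v for k, v in headers.items()}
    reasons = []
    for directive in h.get("cache-control", "").split(","):
        name = directive.strip().lower().split("=", 1)[0]
        if name in BLOCKING_DIRECTIVES:
            reasons.append(f"Cache-Control: {directive.strip()}")
    # HTTP/1.0 fallback; honoured by fewer caches, so never rely on it alone.
    if "no-cache" in h.get("pragma", "").lower():
        reasons.append("Pragma: no-cache")
    # An Expires date in the past (the method JB describes) makes the copy
    # stale on arrival, so a cache must revalidate before reusing it.
    expires = h.get("expires")
    if expires is not None:
        try:
            when = parsedate_to_datetime(expires)
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                reasons.append(f"Expires: {expires} (already in the past)")
        except (TypeError, ValueError):
            # RFC 2616 treats an unparseable Expires value as already expired.
            reasons.append(f"Expires: {expires!r} (invalid, treated as expired)")
    return (not reasons, reasons)

# Constructed header sets: the first lets a proxy hand one user's page to the next.
LEAKY_HEADERS = {"Cache-Control": "public, max-age=600", "Content-Type": "text/html"}
HARDENED_HEADERS = {
    "Cache-Control": "private, no-cache, no-store",
    "Pragma": "no-cache",
    "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
}
NOW = datetime(2007, 7, 22, tzinfo=timezone.utc)  # date of this post's update

if __name__ == "__main__":
    for label, hdrs in (("leaky", LEAKY_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, "-> shared cache may reuse:", *shared_cache_may_reuse(hdrs, NOW))
```

    Running it reports the leaky set as reusable by a shared cache and lists all five blocking headers for the hardened set; an `Expires: 0` value, which some sites send, is also treated as already expired.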

  4. 51
    Soap Says:

    Re: Google Accelerator -

    4. Does Google Web Accelerator speed up all web pages?

    No, it doesn’t. For security reasons, Google Web Accelerator won’t speed up pages encrypted with the HTTPS: protocol (such as bank records pages). Also, Google Web Accelerator only speeds up web pages, not large data downloads such as MP3 and streaming video files.

    FROM this Google page
    ______________________________________________________

    4. My website makes users log in. How can I ensure that a user doesn’t see another user’s cached page?

    Pages that are behind a login and marked either as uncacheable, or private are not shared across users.

    FROM this Google page

    —————— THERE’S THE SOLUTION ——————————-
