How's this for security

retired member 1 · 04-12-2006, 02:45:12 PM

I pressed a link to a sedo auction, and not only did it take me to the auction, it also logged me into the sellers account where I was free to browse his domains or do whatever I liked with his account.

=Screenshot removed at the request of Sedo=

Now that's what I call security

Suppose posting the Session ID in the link didn't help

ratboy · 04-12-2006, 03:09:19 PM

Jesus. discount the good uns and go buying...!!

Nigel · 04-12-2006, 03:15:19 PM

Thanks for this info J2. I suppose the answer is to not let any domains go to Auction until Sedo confirm that this appalling glitch is sorted.

rob · 04-12-2006, 03:18:34 PM

I think it is if someone posts the URL themselves.

I have had something similar when someone sent me a portfolio link - which had them still logged in!

retired member 1 · 04-12-2006, 03:46:56 PM

Yes, seller posted Session ID with the link, session ID's don't last forever, don't suppose there is much Sedo can do about it, it's up to the person posting the link to make sure there is no Session ID in the link.

olebean · 04-12-2006, 04:23:31 PM

unbelievable

Edwin · 04-12-2006, 08:18:34 PM

You'd think a cookie test would be in order?

olebean · 04-12-2006, 08:22:14 PM

one of the most interesting parts is nobody wants to look at colleen!!

sedo · 05-12-2006, 08:17:42 AM

Hi everyone,

Just had a talk with tech about this. As you are aware, if a session ID is posted anywhere and the user is online (meaning the session is still active), you will be logged into the other user's account.

Obviously, this is not desirable. We will be switching to Cookie sessions in the near future to do away with this problem, as we certainly want to make sure our system is as secure as possible.

Again, thank you for bringing this to our attention. Tech's working on the solution right now.

Kind regards,

Brad
brad.tilley@sedo.com

04-12-2006, 02:45:12 PM	#1
retired member 1 Join Date: Apr 2005 Posts: 759 No Classified Ratings Domain Trader Rating: (100% / 5)	How's this for security I pressed a link to a sedo auction, and not only did it take me to the auction, it also logged me into the sellers account where I was free to browse his domains or do whatever I liked with his account. =Screenshot removed at the request of Sedo= Now that's what I call security Suppose posting the Session ID in the link didn't help Last edited by retired member 1; 05-12-2006 at 08:01:14 AM.

04-12-2006, 08:18:34 PM	#7
Edwin Join Date: Apr 2005 Location: Tokyo, Japan Posts: 1,252 No Classified Ratings Domain Trader Rating: (100% / 22)	You'd think a cookie test would be in order? __________________ Memorable Domains: Over 2,500 generic .co.uk domains for sale

05-12-2006, 08:17:42 AM	#9
sedo Sedo Staff Join Date: Aug 2005 Location: High Holborn, London, UK Posts: 824 No Classified Ratings Domain Trader Rating: (100% / 1)	Hi everyone, Just had a talk with tech about this. As you are aware, if a session ID is posted anywhere and the user is online (meaning the session is still active), you will be logged into the other user's account. Obviously, this is not desirable. We will be switching to Cookie sessions in the near future to do away with this problem, as we certainly want to make sure our system is as secure as possible. Again, thank you for bringing this to our attention. Tech's working on the solution right now. Kind regards, Brad brad.tilley@sedo.com __________________ http://www.sedo.co.uk joanna.birch@sedo.com

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Domain Name Community	Replies	Last Post
sedo pro - how's your month going ??	pendragon	Sedo	18	26-11-2006 09:32:14 PM

04-12-2006, 03:09:19 PM	#2
ratboy Join Date: Sep 2005 Posts: 1,640 No Classified Ratings Domain Trader Rating: (100% / 38)	Jesus. discount the good uns and go buying...!!

04-12-2006, 03:15:19 PM	#3
Nigel Join Date: May 2005 Posts: 453 No Classified Ratings Domain Trader Rating: (100% / 9)	Thanks for this info J2. I suppose the answer is to not let any domains go to Auction until Sedo confirm that this appalling glitch is sorted.

04-12-2006, 03:18:34 PM	#4
rob Join Date: Jan 2005 Location: Edinburgh / Brisbane / Wales Posts: 4,051 No Classified Ratings Domain Trader Rating: (100% / 25)	I think it is if someone posts the URL themselves. I have had something similar when someone sent me a portfolio link - which had them still logged in!

04-12-2006, 03:46:56 PM	#5
retired member 1 Join Date: Apr 2005 Posts: 759 No Classified Ratings Domain Trader Rating: (100% / 5)	Yes, seller posted Session ID with the link, session ID's don't last forever, don't suppose there is much Sedo can do about it, it's up to the person posting the link to make sure there is no Session ID in the link.

04-12-2006, 04:23:31 PM	#6
olebean Join Date: Nov 2005 Location: Rarotonga Posts: 2,269 No Classified Ratings Domain Trader Rating: (100% / 1)	unbelievable

04-12-2006, 08:22:14 PM	#8
olebean Join Date: Nov 2005 Location: Rarotonga Posts: 2,269 No Classified Ratings Domain Trader Rating: (100% / 1)	one of the most interesting parts is nobody wants to look at colleen!!