retired member 1

I pressed a link to a sedo auction, and not only did it take me to the auction, it also logged me into the sellers account where I was free to browse his domains or do whatever I liked with his account.

=Screenshot removed at the request of Sedo=

Now that's what I call security

Suppose posting the Session ID in the link didn't help

ratboy

Jesus. discount the good uns and go buying...!!

Nigel

Thanks for this info J2. I suppose the answer is to not let any domains go to Auction until Sedo confirm that this appalling glitch is sorted.

rob

I think it is if someone posts the URL themselves.

I have had something similar when someone sent me a portfolio link - which had them still logged in!

retired member 1

Yes, seller posted Session ID with the link, session ID's don't last forever, don't suppose there is much Sedo can do about it, it's up to the person posting the link to make sure there is no Session ID in the link.

olebean

unbelievable

Edwin

You'd think a cookie test would be in order?

__________________
Memorable Domains: Over 2,000 generic .co.uk domains for sale

olebean

one of the most interesting parts is nobody wants to look at colleen!!

__________________
[SIZE="2"]Selling: CasinoPlaying Wedding AgencyJobs and: ToLet DomainsDirectory Property
Wedding [/SIZE]

sedo

Hi everyone,

Just had a talk with tech about this. As you are aware, if a session ID is posted anywhere and the user is online (meaning the session is still active), you will be logged into the other user's account.

Obviously, this is not desirable. We will be switching to Cookie sessions in the near future to do away with this problem, as we certainly want to make sure our system is as secure as possible.

Again, thank you for bringing this to our attention. Tech's working on the solution right now.

Kind regards,

Brad
brad.tilley@sedo.com

__________________
http://www.sedo.co.uk contact@sedo.co.uk